Koozali.org: home of the SME Server

Stop / Blacklist Hacker Ip's Urgent Help

Offline cirkit

« on: February 15, 2009, 01:48:07 PM »
I have been going through the "messages" log file for the last 7 days and I find thousands of entries like the following:

Feb 15 16:45:57 mcp61 sshd(pam_unix)[19611]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.143.134.68  user=root
Feb 15 16:46:01 mcp61 sshd(pam_unix)[21823]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.143.134.68  user=root
Feb 15 16:46:06 mcp61 sshd(pam_unix)[23240]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.143.134.68  user=root
Feb 15 16:46:10 mcp61 sshd(pam_unix)[25038]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.143.134.68  user=root


I sense that someone is trying to take control of my server over SSH. There are over 50,000 attempts over the last 7 days. Those 50,000 attempts come from only 6 different IPs. How can I stop this or block these IPs from attempting to access my server?

Offline Stefano

Re: Stop / Blacklist Hacker Ip's Urgent Help
« Reply #1 on: February 15, 2009, 02:32:40 PM »
hi..

it's simple: shut down ssh or move it to another port > 1024.

ciao
Stefano

Offline cirkit

Re: Stop / Blacklist Hacker Ip's Urgent Help
« Reply #2 on: February 15, 2009, 02:42:54 PM »
True... I did it on one of my servers and there was no attempt in the last 24 hrs. But is there a way by which I can keep blocking access from the IPs that I monitor, such that no access is provided to any service of the server? (Like blocking the IP completely; for the hacker the server should be unanswerable.)

Offline Craig Cabrey

Re: Stop / Blacklist Hacker Ip's Urgent Help
« Reply #3 on: February 15, 2009, 04:39:14 PM »
Try this: Denyhosts

Craig

Offline warren

Re: Stop / Blacklist Hacker Ip's Urgent Help
« Reply #4 on: February 16, 2009, 07:37:45 AM »
Even better, use public-private keys for ssh access:
http://wiki.contribs.org/SSH_Public-Private_Keys

Offline janet

Re: Stop / Blacklist Hacker Ip's Urgent Help
« Reply #5 on: February 16, 2009, 09:37:52 AM »
cirkit

Alternatively, if you prefer not to use pp key access, limit ssh access to a single or multiple specified IP(s).
That way only "allowed" sites can gain ssh access to the sme server.
See this thread for command details, and more.

http://forums.contribs.org/index.php/topic,34333.msg147942.html#msg147942

i.e.
For controlling ssh access

This will allow ssh access ONLY from the designated IPs & block all other sources.

/sbin/e-smith/db configuration setprop sshd TCPPort 22
/sbin/e-smith/db configuration setprop sshd AllowHosts xxx.xxx.xxx.xxx
/sbin/e-smith/signal-event remoteaccess-update

or

/sbin/e-smith/db configuration setprop sshd TCPPort 22
/sbin/e-smith/db configuration setprop sshd AllowHosts x.x.x.1,y.y.y.2
/sbin/e-smith/signal-event remoteaccess-update

To enter multiple AllowHosts IPs, comma-separate the IP addresses and/or netmasks (e.g. 16.17.18.19,203.14.64.0/24), as in the above example.

ssh will then only be allowed from those IP addresses. The firewall code will drop ssh connections from any other hosts.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.
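The pam_unix log lines cirkit quoted and the AllowHosts format janet describes, checked together as an added example that is not part of this thread or of the SME Server code: it counts sshd authentication failures per rhost, flags sources at or above a threshold, and tests each source against a candidate AllowHosts value. The 203.14.64.7 entries, the "session opened" line and the threshold of 3 are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the pam_unix format quoted in the thread. The first
# three lines mirror cirkit's entries; the 203.14.64.7 lines are made up.
SAMPLE_LOG = """\
Feb 15 16:45:57 mcp61 sshd(pam_unix)[19611]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.143.134.68  user=root
Feb 15 16:46:01 mcp61 sshd(pam_unix)[21823]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.143.134.68  user=root
Feb 15 16:46:06 mcp61 sshd(pam_unix)[23240]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.143.134.68  user=root
Feb 15 16:47:00 mcp61 sshd(pam_unix)[23301]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.14.64.7  user=admin
Feb 15 16:47:30 mcp61 sshd(pam_unix)[23355]: session opened for user admin by (uid=0)
"""

# One pam_unix sshd failure line: timestamp, host, pid, then the rhost= and
# (optional) user= fields. Lines of any other shape are ignored.
FAIL_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ sshd\(pam_unix\)\[\d+\]: authentication failure;"
    r".*?\brhost=(?P<rhost>\S*)(?:\s+user=(?P<user>\S*))?"
)

def failures_by_rhost(log_text):
    """Count sshd authentication failures per remote host address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m and m.group("rhost"):
            counts[m.group("rhost")] += 1
    return counts

def parse_allowhosts(value):
    """Parse an sshd AllowHosts value: comma-separated IPs and/or netmasks,
    e.g. '16.17.18.19,203.14.64.0/24'. A bare IP becomes a /32 network."""
    return [ipaddress.ip_network(v.strip(), strict=False)
            for v in value.split(",") if v.strip()]

def is_allowed(rhost, networks):
    """True if rhost falls inside any of the AllowHosts networks."""
    addr = ipaddress.ip_address(rhost)
    return any(addr in net for net in networks)

def report(log_text, allowhosts, threshold=3):
    """Per source: failure count, whether it reaches the threshold, and
    whether the proposed AllowHosts value would still let it reach sshd."""
    nets = parse_allowhosts(allowhosts)
    return {host: {"failures": n,
                   "over_threshold": n >= threshold,
                   "allowed_by_allowhosts": is_allowed(host, nets)}
            for host, n in failures_by_rhost(log_text).items()}
```

Running `report(SAMPLE_LOG, "16.17.18.19,203.14.64.0/24")` shows 61.143.134.68 over the threshold and outside the allowed set, while the 203.14.64.7 source would still be admitted by that AllowHosts value.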

Offline cirkit

Re: Stop / Blacklist Hacker Ip's Urgent Help
« Reply #6 on: February 16, 2009, 09:41:57 AM »
Thanks all for the various solutions. I'll try all the solutions and revert as soon as possible with the results (i.e. which method is more efficient in blocking such attempts).

Offline janet

Re: Stop / Blacklist Hacker Ip's Urgent Help
« Reply #7 on: February 16, 2009, 09:58:12 AM »
cirkit

Quote
.....which method is more efficient in blocking such attempts

There is nothing really to try, in order to know that answer.

Changing the ssh port does not block anything, but in practice you will find most attempts no longer happen as robots are usually not attempting ssh access on ports other than 22.

pp keys will definitely only allow access to a user who has the specific key file on their computer (which has to be generated from the sme server).

Using the sshd AllowHosts setting will only allow ssh access from the specified IP host(s).

To stop the log entries of the majority of attempts you will need to change the port. In addition, to ensure absolute security for ssh access by only allowing authorised users, using pp keys is best.

Specifying an AllowHosts IP will severely limit the hosts that can access the sme via ssh, i.e. if you quote your static IP from home, then only you will be able to access a remote sme via ssh.

In a practical sense, to stop the majority of attempts being logged simply change the ssh port, but you still need to use one of the other methods as well if you are really serious about security.

« Last Edit: February 17, 2009, 01:00:24 AM by mary »

Offline lancelott2

Re: Stop / Blacklist Hacker Ip's Urgent Help
« Reply #8 on: February 16, 2009, 07:50:40 PM »
Hello,

on my server I use SSH on a different port, DenyHosts and VPN. If you put the local hosts in the allowed list of the SSH DenyHosts and you connect over VPN to the server, you will have normal internal access to ssh.

Runs on my server pretty well :)

Greetings

Lance
---------------------------------------------------------------------
I, too, am still learning all the time!
---------------------------------------------------------------------