Topic: Autoblock_ssh

[stephdl]

Hi all

Just to high light a new feature available in SME9 and waiting a release for SME8 : Autoblock_ssh
The purpose is to block bad authentication trough ssh, a relevant wiki page is set : http://wiki.contribs.org/AutoBlock#Public_SSH_Acess

It is enabled by default for sme9 and disabled by default for sme8

[mhr]

This is indeed a very welcome feature. Unfortunately I'm not too familiar with iptables to further tweak it. My problem is that I'm using svn over ssh on that box. If I want to display the history, then eg. the diff to the previous revision, I'm already out of connections for 15 minutes. Sure, I can reduce the blocking time to less minutes, and up the hit number somewhat.

But is there a (relatively) easy way to whitelist a source IP?

[guest22]

But is there a (relatively) easy way to whitelist a source IP?

Excellent question!

[Daniel B.]

If you need more control, I'd advise to disable the default autoblock feature, and instead install the fail2ban contrib. It'll still ban offenders, but only after failed auth attempts, you can manage a whitelist of hosts/network which will never been banned, and it'll also monitor other services (http, imap, ftp etc...)

[mhr]

Heh... I had fail2ban in the browser history. Don't know how I missed it first time! Thanks for the pointer!

[stephdl]

I would be interested on how whitelisted an ip.....do we have to add this ip or network as 'local ip/network' and how we can do that.

I have searched a bit and i saw that 'db networks' is not well documented.

[Daniel B.]

AFAIK, there's no whitelist support on the default AutoBlock feature

[stephdl]

Even if we had a new network with a flag 'local'

[Jean-Philippe Pialasse]

If you only need to defend ssh, I would rather install denyhosts than fail2ban.

you have whitelist options.

[guest22]

If you only need to defend ssh, I would rather install denyhosts than fail2ban.

We can't test that for the contrib is outdated http://wiki.contribs.org/Denyhosts an not available for SME8 or SME9.

[brianr]

<deleted>

[janet]

stephdl

Why would you want or need this ?

If you configure public private key access (refer Howto), then you can only ssh into your SME server (securely) if you have the correct key, no need for any failed authentication blocking contrib or feature.

[Jean-Philippe Pialasse]

public/private key limit the risk of access, not the risk of burning server ressources due to buteforce attack and DDOS on ssh.

both are important ( no password login and protect from numerous login attempt)

[Stefano]

just put your ssh on a non standard and not common port and you cut 99.9999% of bruteforce attacks..

I have no sign of login attempts on my servers.. and no server is listening on 22..

[stephdl]

just put your ssh on a non standard and not common port and you cut 99.9999% of bruteforce attacks..

I have no sign of login attempts on my servers.. and no server is listening on 22..

Yes that's good for ssh, but for example fail2ban can protect sogo, dovecot, ftp, apache and many other services, but that's not a problem you have simply to remember this service use a non standard port and share it to communicate with friends

Software like fail2ban is a must have, and watch about who is attempting to login.