Koozali.org: home of the SME Server

Contribs.org Forums => General Discussion => Topic started by: Craig Cabrey on January 05, 2009, 03:42:53 AM

Title: SSH Access Attempts
Post by: Craig Cabrey on January 05, 2009, 03:42:53 AM
Simple question,
Is it possible to block a specific IP address? I have hundreds of entries in my sshd log file for an IP 210.205.6.42 (according to a few IP locators, South Korea O_o). 
Good thing I have a strong password and root access is denied!  :lol:
Thanks, Craig
Title: Re: SSH Access Attempts
Post by: mmccarn on January 05, 2009, 04:45:28 AM
You should be able to block all ssh access at the iptables level using
Code:
config setprop sshd DenyHosts 210.205.6.42
signal-event remoteaccess-update

Personally, I move SSH from port 22 to another port - which isn't a real security fix, but has eliminated all the ssh attack entries in my log files for the last 3 years.

Alternatively, the Denyhosts (http://wiki.contribs.org/Denyhosts) contrib automatically blocks any host that fails too many attempts to login to ssh.
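
The kind of check described above for the Denyhosts contrib (count failed logins per source, flag those over a limit), as an added Python example that is not part of the thread and not the contrib's own code. It assumes the stock OpenSSH "Failed password ... from <addr> port <n> ssh2" message format; the sample lines, the threshold and the allow-listed address are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the usual OpenSSH message format (not real log data).
SAMPLE_LOG = """\
Jan  5 03:40:01 sme sshd[2101]: Failed password for root from 210.205.6.42 port 51234 ssh2
Jan  5 03:40:03 sme sshd[2103]: Failed password for invalid user admin from 210.205.6.42 port 51240 ssh2
Jan  5 03:40:05 sme sshd[2105]: Invalid user test from 210.205.6.42
Jan  5 03:40:06 sme sshd[2105]: Failed password for invalid user test from 210.205.6.42 port 51251 ssh2
Jan  5 03:41:10 sme sshd[2140]: Failed password for craig from 192.0.2.10 port 40030 ssh2
Jan  5 03:41:14 sme sshd[2141]: Failed password for craig from 192.0.2.10 port 40031 ssh2
Jan  5 03:41:19 sme sshd[2142]: Failed password for craig from 192.0.2.10 port 40032 ssh2
Jan  5 03:41:30 sme sshd[2143]: Accepted password for craig from 192.0.2.10 port 40033 ssh2
Jan  5 03:42:00 sme sshd[2150]: Failed password for invalid user x from 203.0.113.5 port 1 ssh2 from 198.51.100.7 port 40100 ssh2
"""

# The user name field is supplied by the remote side, so match the LAST
# "from <addr> port <n> ssh2" on the line (anchored at the end), not the first.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+ ssh2\s*$")


def failed_by_source(log_text):
    """Count failed password attempts per source IP address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if not match:
            continue
        try:
            source = str(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # hostname or garbage: never feed it to a block list
        counts[source] += 1
    return counts


def hosts_to_deny(log_text, threshold=3, allow=()):
    """Sources at or above the threshold, skipping allow-listed admin addresses."""
    counts = failed_by_source(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in allow)


if __name__ == "__main__":
    for ip, n in failed_by_source(SAMPLE_LOG).most_common():
        print(f"{n:3d} failed attempts from {ip}")
    print("candidates:", hosts_to_deny(SAMPLE_LOG, allow={"192.0.2.10"}))
```

The allow-list matters in practice: without it, an administrator who mistypes a password three times from 192.0.2.10 ends up on the same list as the scanner.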
Title: Re: SSH Access Attempts
Post by: cactus on January 05, 2009, 09:27:01 AM
You should be able to block all ssh access at the iptables level using
Code:
config setprop sshd DenyHosts 210.205.6.42
signal-event remoteaccess-update

Personally, I move SSH from port 22 to another port - which isn't a real security fix, but has eliminated all the ssh attack entries in my log files for the last 3 years.

Alternatively, the Denyhosts (http://wiki.contribs.org/Denyhosts) contrib automatically blocks any host that fails too many attempts to login to ssh.
The most secure alternative, not mentioned here so far is to use a public-private key pair, which is described here: http://wiki.contribs.org/SSH_Public-Private_Keys
Title: Re: SSH Access Attempts
Post by: versa on January 05, 2009, 10:33:05 AM
This might be worth a try also:
http://wiki.contribs.org/Denyhosts
Title: Re: SSH Access Attempts
Post by: milaweb on January 05, 2009, 11:06:32 AM
Another solution: Only SSH from the inside of your network, and then use VPN to get in there......
Title: Re: SSH Access Attempts
Post by: Craig Cabrey on January 05, 2009, 09:22:55 PM
Thanks everyone,
I have since generated a key pair and disabled password authentication.
However, I will also investigate the denyhosts contrib as I seem to have missed that. But as of right now, all attacks have stopped. :)

Thanks again
Craig
Title: Re: SSH Access Attempts
Post by: Stefano on January 05, 2009, 09:37:59 PM
Another solution: Only SSH from the inside of your network, and then use VPN to get in there......

just to clarify: SSH security is far better than PPTP VPN security..

so an SSH tunnel is better than a VPN.. even if the latter is easier to configure :-)

Ciao
Stefano
Title: Re: SSH Access Attempts
Post by: beakersloco on January 18, 2009, 06:24:14 AM
Another solution: Only SSH from the inside of your network, and then use VPN to get in there......

+1
I was going to say this also, this way the person has to know a login/password to get in via VPN then also has to know the password to login via ssh from inside your network to get to your network. Disable SSH access from outside your network.

If you need access to stuff then simply make ftp into the machine.

Title: Re: SSH Access Attempts
Post by: CharlieBrady on January 18, 2009, 07:15:46 PM
+1
I was going to say this also, this way the person has to know a login/password to get in via VPN then also has to know the password to login via ssh from inside your network to get to your network.

In other words, all they need is a login/password, so this is no more secure than just enabling SSH password access in the first place.
Title: Re: SSH Access Attempts
Post by: cactus on January 18, 2009, 07:18:13 PM
In other words, all they need is a login/password, so this is no more secure than just enabling SSH password access in the first place.
Hence my plea for private/public keys, which the OP seems to have implemented.
Title: Re: SSH Access Attempts
Post by: Craig Cabrey on January 18, 2009, 08:00:30 PM
Hence my plea for private/public keys, which the OP seems to have implemented.
Yes, I have and they are working well. It has the added benefit of not worrying about sending passwords over the internet (even though they are encrypted).
Craig