Anyone who has a run a GNU\/Linux server on the Internet for more than a few weeks has probably noticed that they will occasionally get “hammered” by a robot attempting to make an ssh connection using common usernames and passwords. Usually these are not truly “brute force” attacks—they try 20-30 times, rather than thousands—but either way they are annoying. <\/p>\n
These attacks are rarely successful with a properly configured system, but they can use up bandwidth and system resources, and perhaps more troublesome is that they clog your log files so it is more difficult to detect a bona fide system attack. I suspect that at least some of these random ssh login attempts are accompanied by attacks on other known vulnerabilities, with the hope that the sysadmin won’t notice the more devious attack because the stupid attack is going on at the same time. <\/p>\n
Strangely, there is no “canonical” solution to guarding against these attacks. A few people have written up their own hack solutions, and here is mine. <\/p>\n
It’s called ssh_login_blocker<\/a>. It’s very simple—just drop it in \/etc\/init.d and make symlinks to the proper \/etc\/rc?.d directories (or just start it running from the command line). It must be run as root. You can configure it to allow a certain number of bad passwords or bad usernames before it blocks an IP address. You can also configure it to “reset” the bad username\/password count after a certain amount of time has passed. Just look at the first few lines of code and adjust the settings accordingly. <\/p>\n If you are running it on a system to which you don’t have physical access, you should whitelist at least one IP address where you will be able to get in from in case something goes awry. <\/p>\n There are many improvements I’d like to make. For example, it should use libfile-tail-perl rather than running a shell for tail. It should have a “temporary blacklist” feature in addition to the current “permanent blacklist” feature. It should have an auto-whitelist function such that “known good” IP addresses get marked up. It should use something other than \/etc\/hosts.deny to block ip addresses—for example, iptables. It doesn’t do any of these things, but it works pretty well, and it makes me happy that my log files are not currently clogged with spurious login attempts. <\/p>\n","protected":false},"excerpt":{"rendered":" Anyone who has a run a GNU\/Linux server on the Internet for more than a few weeks has probably noticed that they will occasionally get “hammered” by a robot attempting to make an ssh connection using common usernames and passwords. Usually these are not truly “brute force” attacks—they try 20-30 times, rather than thousands—but either […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[17],"tags":[],"_links":{"self":[{"href":"https:\/\/adam.rosi-kessel.org\/weblog\/wp-json\/wp\/v2\/posts\/152"}],"collection":[{"href":"https:\/\/adam.rosi-kessel.org\/weblog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adam.rosi-kessel.org\/weblog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adam.rosi-kessel.org\/weblog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/adam.rosi-kessel.org\/weblog\/wp-json\/wp\/v2\/comments?post=152"}],"version-history":[{"count":0,"href":"https:\/\/adam.rosi-kessel.org\/weblog\/wp-json\/wp\/v2\/posts\/152\/revisions"}],"wp:attachment":[{"href":"https:\/\/adam.rosi-kessel.org\/weblog\/wp-json\/wp\/v2\/media?parent=152"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adam.rosi-kessel.org\/weblog\/wp-json\/wp\/v2\/categories?post=152"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adam.rosi-kessel.org\/weblog\/wp-json\/wp\/v2\/tags?post=152"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n