Networking :: sshd and firewall setup
Okay. I guess that all who have set up their sshd are getting attacks from various ips...
Is there a way to automate firewall to block any ip that has tried to access over 5 times to my server via ssh. With blocking I mean to block from accessing to any services on my server. Also to port 80 and 21...
And also where does sshd store it's logs?
I believe that rc.firewall script can block an address or range of addresses from connecting to any port by the user setting it's BLACKLIST variable.
I don't think the log file gets created unless the syslogd daemon is running, although I may be wrong about that. TO start he syslogd daeon use the command:
sudo syslogd start
Messages then get placed into the /var/log/messages file. I remember vaugely that there are some security issues with keeping logs, perhaps someone else could fill in the holes here for me.
You can strip out the addresses that are connecting and failing by parsing the /var/log/messages file like so:
sudo cat /var/log/messages | \
sed -n 's/.*Failed password.*from \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | \
uniq -c
Which gives you two columns: the number of failed attempts and the IP address. I'm not sure how to block the addresses once you find them. Perhaps iptables?
Thanks very much. I haven't used sed at all. This was very useful.
I've been using only grep pipelines before.
I think I'm gonna google some info about sed...
I think I can do a nice script with sed that blocks nasty hosts. We'll see...
If you use a different port number, that helps a lot.
Like port 222 for ssh, instead of port 22.
Lots of people looking for ssh on port 22 but not 222 or something like that.
Better still is to use a dedicated firewall, like the free Smoothwall at smoothwall.org.
You can use a low end box to protect your whole network, similar to low end specs for DSL..... i've used a 200mhz, 128mb ram 2gb hdd box for it and it works great.
With that, you can have total control of what goes in or out and setup a DMZ for your servers and have them isolated from your LAN so nasties stay out. It offers much more functionality than a linksys type firewall/router alone. I have one of those as well, but for it's wireless capability and not it's firewalling.
Next Page...
original here.