sshd and firewall setup


Forum: Networking
Topic: sshd and firewall setup
started by: Zucca
Posted by Zucca on June 29 2006,13:59
Okay. I guess that all who have set up their sshd are getting attacks from various ips...

Is there a way to automate firewall to block any ip that has tried to access over 5 times to my server via ssh. With blocking I mean to block from accessing to any services on my server. Also to port 80 and 21...
Posted by Zucca on June 29 2006,14:16
And also where does sshd store it's logs?
Posted by clacker on June 29 2006,18:24
I believe that rc.firewall script can block an address or range of addresses from connecting to any port by the user setting it's BLACKLIST variable.

I don't think the log file gets created unless the syslogd daemon is running, although I may be wrong about that.  TO start he syslogd daeon use the command:

sudo syslogd start

Messages then get placed into the /var/log/messages file.  I remember vaugely that there are some security issues with keeping logs, perhaps someone else could fill in the holes here for me.

You can strip out the addresses that are connecting and failing by parsing the /var/log/messages file like so:

sudo cat /var/log/messages | \
  sed -n 's/.*Failed password.*from \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | \
   uniq -c

Which gives you two columns: the number of failed attempts and the IP address.  I'm not sure how to block the addresses once you find them.  Perhaps iptables?
Posted by Zucca on July 07 2006,05:47
Thanks very much. I haven't used sed at all. This was very useful. :)
I've been using only grep pipelines before.
I think I'm gonna google some info about sed... :;):

I think I can do a nice script with sed that blocks nasty hosts. We'll see...
Posted by green on July 08 2006,04:04
If you use a different port number, that helps a lot.
Like port 222 for ssh, instead of port 22.
Lots of people looking for ssh on port 22 but not 222 or something like that.

Better still is to use a dedicated firewall, like the free Smoothwall at smoothwall.org.
You can use a low end box to protect your whole network, similar to low end specs for DSL..... i've used a 200mhz, 128mb ram 2gb hdd box for it and it works great.
With that, you can have total control of what goes in or out and setup a DMZ for your servers and have them isolated from your LAN so nasties stay out. It offers much more functionality than a linksys type firewall/router alone. I have one of those as well, but for it's wireless capability and not it's firewalling.
Posted by Zucca on July 18 2006,06:30
A friend of mine told me to stealth my server...
Basically it means that my server cannot be seen. Won't even reply to pings.
Anyone who have done that?
Powered by Ikonboard 3.1.2a
Ikonboard © 2001 Jarvis Entertainment Group, Inc.