Topic: sshd and firewall setup, Little help needed.

Zucca
Posted: June 29 2006,13:59

Okay. I guess that all who have set up their sshd are getting attacks from various IPs...

Is there a way to automate the firewall to block any IP that has tried to access my server via ssh more than 5 times? By blocking I mean blocking it from accessing any service on my server, including ports 80 and 21...


--------------
Do you have it? - http://dy.fi/mak

Zucca
Posted: June 29 2006,14:16

And also where does sshd store its logs?

clacker
Posted: June 29 2006,18:24

I believe that the rc.firewall script can block an address or range of addresses from connecting to any port if the user sets its BLACKLIST variable.

I don't think the log file gets created unless the syslogd daemon is running, although I may be wrong about that.  To start the syslogd daemon use the command:

sudo syslogd start

Messages then get placed into the /var/log/messages file.  I remember vaguely that there are some security issues with keeping logs, perhaps someone else could fill in the holes here for me.

You can strip out the addresses that are connecting and failing by parsing the /var/log/messages file like so:

# sort groups identical addresses together so that uniq -c counts all of them
sudo cat /var/log/messages | \
  sed -n 's/.*Failed password.*from \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | \
  sort | uniq -c

Which gives you two columns: the number of failed attempts and the IP address.  I'm not sure how to block the addresses once you find them.  Perhaps iptables?
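
clacker's pipeline carried one step further toward what the opening post asks for, as an added example that is not part of the original thread: it counts failed logins per address and prints an iptables DROP rule for each address over the limit. The log lines are constructed, and the function names and the THRESHOLD variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): print, but do not run, an iptables
# DROP rule for every address with more than THRESHOLD failed ssh logins.
THRESHOLD=5   # assumption taken from the question ("over 5 times")

# Constructed sample log; addresses are from the documentation ranges.
sample_log() {
    for n in 1 2 3 4 5 6; do
        echo "Jun 29 13:0$n:02 box sshd[411]: Failed password for root from 203.0.113.7 port 410$n ssh2"
    done
    for n in 1 2 3 4 5; do
        echo "Jun 29 13:1$n:02 box sshd[412]: Failed password for invalid user admin from 198.51.100.23 port 520$n ssh2"
    done
    echo "Jun 29 13:20:00 box sshd[413]: Accepted password for dsl from 192.0.2.10 port 3300 ssh2"
    # The user name is text supplied by the remote host, so it is not trusted:
    # only the final "from <ip>" on the line is the peer address.
    echo "Jun 29 13:21:00 box sshd[414]: Failed password for invalid user a from 192.0.2.10 from 203.0.113.7 port 4107 ssh2"
}

# offenders LIMIT: log on stdin, addresses with more than LIMIT failures out.
# The greedy ".*" before "from" makes sed keep the last address on the line.
offenders() {
    sed -n 's/.*Failed password.*from \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        sort | uniq -c |
        awk -v limit="$1" '$1 + 0 > limit + 0 { print $2 }'
}

# block_rules: addresses on stdin, one rule per address on stdout. A DROP rule
# on INPUT with no port match covers every service, including ports 80 and 21.
block_rules() {
    while read -r ip; do
        echo "iptables -I INPUT -s $ip -j DROP"
    done
}

# On a real host the input would be /var/log/messages instead of sample_log.
sample_log | offenders "$THRESHOLD" | block_rules
```

Review the printed rules before running them as root, and make sure your own address is not among them. Running the script repeatedly inserts duplicate rules unless addresses that are already blocked are filtered out first.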

Zucca
Posted: July 07 2006,05:47

Thanks very much. I haven't used sed at all. This was very useful. :)
I've been using only grep pipelines before.
I think I'm gonna google some info about sed... ;)

I think I can do a nice script with sed that blocks nasty hosts. We'll see...

green
Posted: July 08 2006,04:04

If you use a different port number, that helps a lot.
Like port 222 for ssh, instead of port 22.
Lots of people are looking for ssh on port 22, but not on 222 or something like that.

Better still is to use a dedicated firewall, like the free Smoothwall at smoothwall.org.
You can use a low end box to protect your whole network, similar to low end specs for DSL... I've used a 200 MHz, 128 MB RAM, 2 GB HDD box for it and it works great.
With that, you can have total control of what goes in or out, set up a DMZ for your servers, and have them isolated from your LAN so nasties stay out. It offers much more functionality than a Linksys type firewall/router alone. I have one of those as well, but for its wireless capability and not its firewalling.