| Author | Message |
shunchu
Joined: 18 Apr 2004
Posts: 19
|
| Posted: Sat Sep 18, 2004 5:43 am Post subject: Block IP after x failed ssh login attempts... |
|
|
Hi,
How do I block an IP address after x number of failed ssh login attempts? Any scripts handy I can just plug right in? It'd be great to be able to get an email upon such an incident as well...
thanks.... |
|
cederberg
Joined: 21 Jul 2004
Posts: 15
Location: Stockholm, Sweden
|
| Posted: Sun Sep 19, 2004 2:21 am Post subject: Log monitoring and/or port knocking |
|
|
I haven't got anything handy for automatically blocking IPs, but if you want to be warned about invalid login attempts try installing and configuring a log monitor. I'm using Tenshi on Gentoo, but there are several others as well.
If you are worried about attacks to ssh, consider configuring it with certificates or create a "double protection" solution with port knocking. The latter way, all IPs not sending the right knocking sequence are blocked. See http://www.zeroflux.org/knock/ for a simple server & client. |
|
asura
Joined: 03 Jan 2004
Posts: 71
Location: Oregon
|
| Posted: Sun Sep 19, 2004 3:00 pm Post subject: |
|
|
| I disabled the ability for root to SSH in (I can still SSH in and then SU to root if needed). I also have portsentry installed, which detects any port scans and blocks the IP via iptables. |
|
shunchu
Joined: 18 Apr 2004
Posts: 19
|
| Posted: Mon Sep 20, 2004 12:58 pm Post subject: |
|
|
| Thanks for the tips... I am going to force myself to live without root login and just do su then... In the meantime, I will investigate on Tenshi as well... Thanks! |
|
rjp
Joined: 15 Aug 2003
Posts: 103
|
| Posted: Mon Sep 20, 2004 1:22 pm Post subject: |
|
|
You can also switch to using RSA keys instead of passwords. In the sshd_config file, you can use PermitRootLogin without-password, in conjunction with a /root/.ssh/authorized_keys file, to allow root access using the RSA key only. I've gone even further and only allow RSA for any connections, root or non-root.
It's not a bad idea to check the sshd and sshd_config man pages to see the available options. |
|
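Nobody in the thread posts a script for the original question, so here is one way to do the counting, added as an example and not written by any poster: it reads sshd "Failed password" lines, flags IPs that reach a threshold inside a time window, and returns iptables rules as strings without running them. The log lines are constructed samples; the function names, the threshold, the window and the `year` argument (syslog timestamps omit the year) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH syslog format (not taken from the thread).
SAMPLE_LOG = """\
Sep 18 05:40:01 host sshd[2101]: Failed password for root from 192.0.2.10 port 4021 ssh2
Sep 18 05:40:05 host sshd[2101]: Failed password for root from 192.0.2.10 port 4021 ssh2
Sep 18 05:40:30 host sshd[2101]: Failed password for admin from 192.0.2.10 port 4022 ssh2
Sep 18 05:41:00 host sshd[2105]: Failed password for invalid user x from 203.0.113.5 port 22 ssh2 from 198.51.100.7 port 5555 ssh2
Sep 18 05:41:02 host sshd[2105]: Failed password for invalid user x from 203.0.113.5 port 22 ssh2 from 198.51.100.7 port 5555 ssh2
Sep 18 05:41:04 host sshd[2105]: Failed password for invalid user x from 203.0.113.5 port 22 ssh2 from 198.51.100.7 port 5555 ssh2
Sep 18 05:42:00 host sshd[2110]: Accepted password for alice from 192.0.2.99 port 4100 ssh2
Sep 18 05:50:00 host sshd[2120]: Failed password for root from 192.0.2.44 port 5000 ssh2
Sep 18 06:05:00 host sshd[2121]: Failed password for root from 192.0.2.44 port 5001 ssh2
Sep 18 06:20:00 host sshd[2122]: Failed password for root from 192.0.2.44 port 5002 ssh2
"""

# The user name is attacker-controlled and can itself contain "from <ip> port <n>",
# so match greedily and anchor on the end of the line: only the last address counts.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh\d)?\s*$"
)

def offenders(lines, max_failures=5, window=timedelta(minutes=10), allowlist=frozenset(), year=2004):
    """Return IPs reaching max_failures within `window`; `year` is assumed (syslog has none)."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    blocked = []
    for line in lines:
        m = FAILED.match(line)
        if not m or m["ip"] in allowlist or m["ip"] in blocked:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            blocked.append(m["ip"])
    return blocked

def iptables_rules(ips):
    """Render DROP rules for review; nothing is executed here."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in ips]

if __name__ == "__main__":
    for rule in iptables_rules(offenders(SAMPLE_LOG.splitlines(), max_failures=3)):
        print(rule)
```

Put your own management addresses in `allowlist` so a mistyped password cannot lock you out of the box.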