Linode Community Forums

Very easy/simple way to block traffic from an IP/range of IP

       Linode.com Forum Forum Index -> Linux Networking
melancthon



Joined: 08 Feb 2008
Posts: 12

Posted: Sun Apr 06, 2008 7:44 pm    Post subject: Very easy/simple way to block traffic from an IP/range of IP  

Well, I have some idiot repeatedly trying to ssh into my Linode. I was wondering if there is a very simple way for me to just drop all that traffic from that IP. My Linode's network server is hovering at a constant 10k bits/sec, and the CPU is right at 2.0% constant.

Help?
zunzun



Joined: 18 Feb 2005
Posts: 167
Location: Birmingham, Alabama USA

Posted: Sun Apr 06, 2008 8:13 pm    Post subject:  

As a stopgap measure, change the SSH port?

James
mwalling



Joined: 10 Dec 2007
Posts: 134

Posted: Sun Apr 06, 2008 8:25 pm    Post subject:  

Code: # $IDIOTS is the offending address, $BLOCK the prefix length (32 for a single host)
iptables -A INPUT -s $IDIOTS/$BLOCK -j DROP
rweir



Joined: 09 Jan 2008
Posts: 10

Posted: Sun Apr 06, 2008 8:26 pm    Post subject: Re: Very easy/simple way to block traffic from an IP/range o  

melancthon wrote: Well, I have some idiot repeatedly trying to ssh into my Linode. I was wondering if there is a very simple way for me to just drop all that traffic from that IP. My Linode's network server is hovering at a constant 10k bits/sec, and the CPU is right at 2.0% constant.

Help?

fail2ban can be set up to use iptables to block hosts that repeatedly attempt and fail to log in. denyhosts is similar but uses tcpwrappers by default.
Xan



Joined: 08 Feb 2004
Posts: 297
Location: Austin

Posted: Sun Apr 06, 2008 8:57 pm    Post subject:  

I use just a handful of iptables rules to handle this. I think the whole Internet's being swept by these jerks, looking for an easy password. Try this:

Code: iptables -N SSHSCAN                                                   # user-defined chain for new SSH connections
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN         # only NEW connections are sent there; open sessions are untouched
iptables -A SSHSCAN -m recent --set --name SSH                              # record the source address in the "SSH" recent list
iptables -A SSHSCAN -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP   # 3rd hit within 300 s: drop it (and refresh the timer)

from http://www.ducea.com/2006/06/28/using-iptables-to-block-brute-force-attacks/

This blocks any new SSH attempts from an IP which has attempted 3 in the previous five minutes. It really puts the brakes on the brute force attacks.

Whitelisting your own IPs first is recommended, in case you open a bunch of connections within the time frame.

[edited to correct double-dashes]
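Xan's four rules and mwalling's one-line DROP, assembled into a script that can be re-run safely and that puts the whitelist Xan recommends in front of the counter. This is an added example, not code from the thread or from the ducea.com page it cites. Assumptions that are not in the thread: IPTABLES can be pointed at echo to preview the commands without root, SSH_PORT defaults to 22, and the addresses shown in the usage lines are RFC 5737 documentation ranges standing in for your own.

```shell
#!/bin/sh
# Added example, not from the thread: Xan's SSHSCAN rate limit plus a whitelist
# (so your own scp tab-completion bursts are never counted) and an optional
# static DROP for one known offender, as in mwalling's one-liner.
# Assumptions: IPTABLES may be overridden (IPTABLES=echo previews the commands);
# SSH_PORT defaults to 22; every address passed in is a placeholder you replace.

IPTABLES=${IPTABLES:-iptables}
SSH_PORT=${SSH_PORT:-22}

# Create the chain if it is missing, then empty it so the script can be re-run.
fresh_chain() {
    $IPTABLES -N "$1" 2>/dev/null || true
    $IPTABLES -F "$1"
}

# Delete a rule if present, then append it, so re-runs never duplicate it.
replace_rule() {
    $IPTABLES -D "$@" 2>/dev/null || true
    $IPTABLES -A "$@"
}

# $1: space-separated whitelist of source addresses/CIDRs
# $2: optional single offender address/CIDR to drop outright
install_sshscan() {
    whitelist=$1
    offender=$2

    fresh_chain SSHSCAN

    # Whitelisted sources leave the chain before they are recorded, so they
    # can never trip the hit counter (this is the "whitelist first" advice).
    for src in $whitelist; do
        $IPTABLES -A SSHSCAN -s "$src" -j RETURN
    done

    # Record the source of every new SSH connection in the "SSH" recent list,
    # then drop it if this is its 3rd (or later) hit in the last 300 seconds.
    # --update also refreshes the timestamp, so an attacker who keeps hammering
    # stays blocked until it has been quiet for a full 5 minutes.
    $IPTABLES -A SSHSCAN -m recent --set --name SSH
    $IPTABLES -A SSHSCAN -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP

    # Known offender: drop all of its traffic at the top of INPUT, before anything else.
    if [ -n "$offender" ]; then
        $IPTABLES -D INPUT -s "$offender" -j DROP 2>/dev/null || true
        $IPTABLES -I INPUT 1 -s "$offender" -j DROP
    fi

    # Only NEW connections to the SSH port go through SSHSCAN; established
    # sessions never match, so a tripped limit cannot kill an open login.
    replace_rule INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j SSHSCAN
}

# Usage:   sh sshscan.sh "203.0.113.5 198.51.100.0/24" 192.0.2.77
# Preview: IPTABLES=echo sh sshscan.sh "203.0.113.5" 192.0.2.77
if [ "$#" -gt 0 ]; then
    install_sshscan "$@"
fi
```

Before applying it for real, confirm the recent match is available on your kernel: "iptables -m recent -h" prints the match's options if the module loads. The addresses the rule is currently tracking are listed in /proc/net/xt_recent/SSH (older kernels: /proc/net/ipt_recent/SSH), which is the quickest way to see whether your own IP has tripped it. Newer iptables accept "-m conntrack --ctstate NEW" as the equivalent of the state match used here.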
mwalling



Joined: 10 Dec 2007
Posts: 134

Posted: Sun Apr 06, 2008 9:18 pm    Post subject:  

Xan wrote: Whitelisting your own IPs first is recommended, in case you open a bunch of connections within the time frame.

I learned this the hard way when completing scp with bash-completion turned on... every time you hit tab, it opened a new connection to the host
melancthon



Joined: 08 Feb 2008
Posts: 12

Posted: Sun Apr 06, 2008 10:06 pm    Post subject:  

Many thanks for the quick responses - I was a bit afraid of the sheer complexity that iptables can have, but the webmin interface for it wasn't too bad. For the time being I am just dropping all packets from the IP address; hopefully that will do the trick. I will look into these other options (such as ssh ports and addresses) as further measures as well. Thanks!
ywliu



Joined: 08 Apr 2005
Posts: 19

Posted: Sun Apr 06, 2008 10:40 pm    Post subject:  

I have been using this lesser-known tool for quite a while. Very effective at preventing SSH/FTP probing.

blockhosts.py

http://www.aczoom.com/cms/blockhosts

Try it and you may love it as I do.

ywliu
reallove



Joined: 27 Dec 2007
Posts: 8
Location: Cluj-Napoca , Romania

Posted: Mon Apr 07, 2008 2:58 am    Post subject:  

I use this for blocking unwanted sshd connections.
Pretty good and effective.
chrisnolan



Joined: 02 Jun 2006
Posts: 15

Posted: Tue Apr 08, 2008 3:46 pm    Post subject:  

try also the package "denyhosts"

http://denyhosts.sourceforge.net/

HTH
C
Xan



Joined: 08 Feb 2004
Posts: 297
Location: Austin

Posted: Tue Apr 08, 2008 3:54 pm    Post subject:  

I don't understand why you would install extra packages and extra software to do a job that can be done by four iptables commands. "Keep it simple" would definitely be my philosophy for something like this.

Not only that, but the method I outlined above doesn't involve any permanent IP banning, which I like to avoid whenever possible.
kbrantley



Joined: 21 Sep 2007
Posts: 20

Posted: Tue Apr 08, 2008 4:12 pm    Post subject:  

Xan wrote: I don't understand why you would install extra packages and extra software to do a job that can be done by four iptables commands. "Keep it simple" would definitely be my philosophy for something like this.

Not only that, but the method I outlined above doesn't involve any permanent IP banning, which I like to avoid whenever possible.

And it's a great method. Thanks for that, I'm using it (slightly modified) now.
melancthon



Joined: 08 Feb 2008
Posts: 12

Posted: Tue Apr 08, 2008 4:35 pm    Post subject:  

However, those 4 iptables commands require the use of other modules which I can't seem to get working for iptables.

I'm using fail2ban presently which is seeming to do the trick as well as notifying me when it happens with the IP, so I can put on my diplomat hat and send nasty emails to support people requesting action!
Xan



Joined: 08 Feb 2004
Posts: 297
Location: Austin

Posted: Tue Apr 08, 2008 4:40 pm    Post subject:  

Certainly all these methods will work just fine. And the advantage of having so many options is if you have trouble with one you can try another.

But I'm surprised you're having trouble with iptables modules. They were part of the Linode kernel, at least when I started using them. Are you running the latest kernel?
Xan



Joined: 08 Feb 2004
Posts: 297
Location: Austin

Posted: Tue Apr 08, 2008 9:49 pm    Post subject:  

melancthon described his error messages in a PM, and it turns out what was in my post won't work verbatim. All the double-dashes are some kind of fancy Unicode dash, perhaps the result of the CMS on the site I got them from. I'm correcting the original post so that the commands should work.
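The failure Xan describes above (a CMS turned the "--" in the copied rules into a Unicode dash, which iptables then rejects as an unknown option) is easy to catch before the commands reach the shell. Added example, not from the thread: a POSIX sh check that reports any line of a rule file containing bytes outside printable ASCII, and a fixer that turns the two common culprits back into "--". That the dashes were U+2013 (en dash) or U+2014 (em dash) is my assumption; the thread only says "some kind of fancy Unicode dash". The sample rule lines are constructed here, not taken from anyone's server.

```shell
#!/bin/sh
# Added example, not from the thread: catch "fancy" Unicode dashes in copied
# iptables rules before running them. iptables sees a U+2013 or U+2014 as an
# unknown option, which is the breakage Xan described.
# Assumption: the CMS replaced "--" with an en dash (U+2013) or em dash (U+2014);
# fix_dashes handles those two, find_non_ascii flags anything else non-ASCII.

EN_DASH=$(printf '\342\200\223')   # UTF-8 bytes of U+2013
EM_DASH=$(printf '\342\200\224')   # UTF-8 bytes of U+2014
TAB=$(printf '\t')

# Reads rule text on stdin. Prints each offending line with a byte dump and
# returns 1 if any line contains a byte outside printable ASCII (tab allowed),
# 0 if the whole input is clean.
find_non_ascii() {
    found=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # In the C locale every byte is one character, so [^<tab> -~] matches
        # any byte outside 0x09 and 0x20-0x7E, i.e. any part of a multibyte dash.
        if printf '%s' "$line" | LC_ALL=C grep -q "[^$TAB -~]"; then
            found=1
            printf 'line %d: %s\n' "$n" "$line"
            # od -c shows the offending bytes as octal escapes, e.g. 342 200 223
            printf '%s' "$line" | od -An -c | sed 's/^/    /'
        fi
    done
    return "$found"
}

# Reads rule text on stdin, writes it back with en/em dashes restored to "--".
fix_dashes() {
    LC_ALL=C sed "s/$EN_DASH/--/g; s/$EM_DASH/--/g"
}

# Constructed sample (not a real file): one line damaged by en dashes, one clean.
SAMPLE=$(printf 'iptables -A INPUT -p tcp %sdport 22 -m state %sstate NEW -j SSHSCAN\niptables -A SSHSCAN -m recent --set --name SSH\n' "$EN_DASH" "$EN_DASH")

# Flags the damaged sample, repairs it, re-checks, and prints the repaired rules.
# Returns 0 only if the input was flagged and the repaired output is clean.
demo() {
    if printf '%s\n' "$SAMPLE" | find_non_ascii; then
        echo "expected the sample to be flagged" >&2
        return 1
    fi
    fixed=$(printf '%s\n' "$SAMPLE" | fix_dashes)
    printf '%s\n' "$fixed" | find_non_ascii >/dev/null || return 1
    printf '%s\n' "$fixed"
}
```

Run "find_non_ascii < rules.sh" on anything pasted from a web page before executing it; a clean exit status means every byte is plain ASCII. fix_dashes only repairs the two dash code points, so rerun the check afterwards rather than trusting the fix blindly, since curly quotes and non-breaking spaces are corrupted by the same CMSes.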
 