How to block IPs from using ssh ?

Support for security such as Firewalls and securing linux
DEBCEN
Posts: 110
Joined: 2016/03/04 10:52:00

How to block IPs from using ssh ?

Post by DEBCEN » 2016/03/14 14:22:09

My dedicated server is receiving a whole lot of invalid logins from various IPs already blacklisted on the internet. It's possibly a brute-force attack as I'm receiving 25000 invalid root logins a day!
Is there any reliable tool to stop this from happening?
Some days you have to create your own sunshine.

mghe
Posts: 766
Joined: 2015/11/24 12:04:43
Location: Katowice, Poland

Re: How to block IPs from using ssh ?

Post by mghe » 2016/03/14 14:43:40

Yes, fail2ban or DenyHosts. I will find how to conf. it on forum.

For extra security: change the standard port 22 to another, disable root logon, disable password logon, enable version 2.

If you have a static IP, allow logon to the server from it only.
Last edited by mghe on 2016/03/14 15:00:25, edited 1 time in total.

DEBCEN
Posts: 110
Joined: 2016/03/04 10:52:00

Re: How to block IPs from using ssh ?

Post by DEBCEN » 2016/03/14 14:54:49

mghe wrote: Yes, fail2ban or DenyHosts. I will find how to conf. it on forum.

For extra security: change the standard port 22 to another, disable root logon, disable password logon, enable version 2.

If you have a static IP, allow logon to the server from it only.

Thanks. Will take a look. I don't have a static IP though.
Some days you have to create your own sunshine.

SteveH0773
Posts: 7
Joined: 2016/03/13 14:16:21

Re: How to block IPs from using ssh ?

Post by SteveH0773 » 2016/03/14 15:29:52

Fail2Ban or DenyHosts are designed for what you want - Have a read about the differences though.

Given the number of login attempts you have, it is possible that bots are trying to gain access - In this case IMO DenyHosts is better, as it will download a list of IPs that have tried gaining access elsewhere, so bans them before they get to you by adding the IPs to hosts.deny. It will also add IPs that try to access your server, and if configured then upload the blocked IP for others to then download and block.

Fail2Ban adds IPs to your firewall 'drop' chain when they exceed the configured number of failed attempts.

Does anyone know if both products can happily co-exist on the same host?

lightman47
Posts: 1521
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: How to block IPs from using ssh ?

Post by lightman47 » 2016/03/14 16:43:56

On my CentOS6 server they work together. I have both on all my CentOS7 machines (in case) but none currently face the outside world. Even the laptops only go out to play once a year and the apps weren't installed last year.

BTW - you're still going to see the attempts until they lock themselves out. FAILed attempts are fine - it is the others you don't want to see. To that end, do not edit your SSH config files to allow root login !!! That is off by default as far as I've experienced. 'root' is the account that these bots know exists on every 'nix' machine, so it's the first account they hammer - looking for noobs who allowed it.

As far as your very high 'hit rate', it will take some time but it will decrease. Your address got spread over the bot network from your 'last adventure'. When you start locking them out with fail2ban and/or denyhosts they'll begin to slowly give up. I am down to ~30 attempts per day now; it used to be hundreds.

EDIT:
To SSH as root, first SSH in as a normal user, then "su". A couple extra steps will save you major headaches/rebuilds. <wink> Or use certificates as mentioned. I can't for technical reasons or I would.
