
Re: Package to block random SSH login attempts?
On Sat, Dec 04, 2004 at 11:42:40AM -0500, Adam Rosi-Kessel wrote:
> Is there any Debian package (or free software outside of Debian) that can
> detect random ssh login attempts and blacklist (temporarily or
> permanently) the IP address?

My new server has been getting attacked several times a week,
even though it's not serving anything much yet.

I wrote a little script to check how many times it's been attacked, and by whom.
Here are the results so far:

    107 Nov 22 220.72.22.110
      9 Nov 22 61.135.145.249
      9 Nov 23 67.15.45.240
    107 Nov 23 211.229.236.170
      3 Nov 28 207.248.228.194
     18 Nov 29 210.219.250.239
      3 Nov 29 196.38.231.130
    112 Dec  1 203.69.243.102
    577 Dec  2 216.240.139.153
      9 Dec  5 220.70.167.67
I'm not much worried about a break-in, but 557 attempts is quite a lot.
Apart from anything, it must slow down my puny server having to do all that
crypto!  I don't want to run my script one day and see a million attempts or
something!  I suppose it would be possible to do something like that with a
threaded attack.  Still, it's more efficient for them to go after people with
dumb passwords.

I think a good solution would be exponential lockout: for each failed login,
sshd should double the amount of time a certain IP has to wait before it will
be allowed to connect again, and reset to 1 after a successful login.

i.e. if someone types the wrong password, their IP will be locked out for 1
second; if they type the wrong password again, they are locked out for 2
seconds, then 4, then 8, etc.

This would limit the number of failed connections per day from a particular IP
address to about 16 (2^17 > seconds/day), which is not enough for anyone to
guess my password, but it wouldn't lock ME out (for long) if I accidentally
typed my password wrong or screwed up my keys a few times.

Maybe this kind of solution is more scalable for a multi-user system than
arbitrary limits and permanent lockout.

I wrote a hack for pppd that did something like this a while ago: it would
redial automatically if the connection dropped out, but for every failed
connection it would wait twice as long before it did (we pay a connection fee
for local phone calls in .au; infinite redial loops can be expensive!).

If anyone else thinks this would be worthwhile, I might have a go at getting
sshd to do it.  Or would this be better implemented somewhere else, maybe as a
general anti-abuse service that would interact with iptables?


Sam


P.S.

here's my "attacks" script if you're interested:

  # oldest rotated log first, so the per-day counts come out in date order;
  # sed keeps only "Mon DD <ip>" and uniq -c counts consecutive identical lines
  ls -r /var/log/auth.log* | xargs catz | grep 'Failed password' | grep "$HOSTNAME" |
  sed "s/$HOSTNAME.*::ffff://; s/ port.*//; s/ ..:..:.. / /;" | uniq -c

and catz is:

  # cat that transparently decompresses rotated (.gz / .bz2) log files
  for A in "$@"; do
          case "$A" in
          *.gz) zcat "$A" ;;
          *.bz2) bzcat "$A" ;;
          *) cat "$A" ;;
          esac
  done
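Added example, not part of Sam's mail or of any sshd code: a small Python model of the two things discussed above. count_failures() does in Python what the "attacks" pipeline does with grep, sed and uniq -c (parsing the 2004-era Debian sshd "Failed password" lines, including the "::ffff:" IPv4-mapped prefix), and ExponentialLockout simulates the per-IP doubling wait proposed for sshd, so the "about 16 failed connections per day" figure can be checked directly. Assumptions: the hostname is "myhost", the log lines and addresses are constructed (192.0.2.x, 198.51.100.x and 203.0.113.x are documentation ranges), and connections refused while an address is locked out do not extend the lockout, which the mail does not specify either way.

```python
"""Constructed model of the post's auth.log counting pipeline and of the
proposed exponential (doubling) per-IP lockout.  All log lines and
addresses are made up; the hostname "myhost" is an assumption."""
import re
from itertools import groupby

# Matches the sshd format the post's sed expression expects; the
# "::ffff:" prefix is optional so plain-IPv4 logging also parses.
FAILED_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2}) \d\d:\d\d:\d\d (?P<host>\S+) "
    r"sshd\[\d+\]: Failed password for .* from (?:::ffff:)?(?P<ip>\S+) port \d+"
)

# Constructed auth.log excerpt (not a real log).
SAMPLE_LOG = """\
Nov 22 03:14:07 myhost sshd[1234]: Failed password for illegal user test from ::ffff:192.0.2.10 port 4321 ssh2
Nov 22 03:14:09 myhost sshd[1235]: Failed password for illegal user guest from ::ffff:192.0.2.10 port 4322 ssh2
Nov 22 03:14:11 myhost sshd[1236]: Failed password for root from ::ffff:192.0.2.10 port 4323 ssh2
Nov 22 09:00:00 myhost sshd[1300]: Accepted publickey for sam from ::ffff:198.51.100.5 port 50000 ssh2
Nov 23 01:02:03 myhost sshd[1400]: Failed password for admin from ::ffff:203.0.113.7 port 1111 ssh2
Nov 23 01:02:05 otherhost sshd[77]: Failed password for admin from ::ffff:203.0.113.9 port 1112 ssh2
Dec  1 22:10:44 myhost sshd[1500]: Failed password for root from 203.0.113.7 port 2222 ssh2
""".splitlines()


def count_failures(lines, hostname):
    """Return [(count, date, ip), ...] for consecutive runs of failed logins
    on `hostname`: the same shape as the post's 'grep | sed | uniq -c'."""
    keys = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m and m.group("host") == hostname:
            keys.append((m.group("date"), m.group("ip")))
    # groupby, like uniq -c, only merges adjacent identical lines
    return [(sum(1 for _ in run), date, ip) for (date, ip), run in groupby(keys)]


class ExponentialLockout:
    """Per-IP lockout: the n-th consecutive failure blocks the address for
    2**(n-1) seconds (1, 2, 4, 8, ...); a successful login resets it."""

    def __init__(self):
        self.failures = {}   # ip -> consecutive failures since last success
        self.unlock_at = {}  # ip -> time (seconds) the address may connect again

    def attempt(self, ip, now, success):
        """Record a connection attempt at time `now` and return 'locked',
        'ok' or 'failed'.  Assumption: a refused connection does not
        extend the lockout."""
        if now < self.unlock_at.get(ip, 0):
            return "locked"
        if success:
            self.failures.pop(ip, None)
            self.unlock_at.pop(ip, None)
            return "ok"
        n = self.failures.get(ip, 0) + 1
        self.failures[ip] = n
        self.unlock_at[ip] = now + 2 ** (n - 1)
        return "failed"


def max_failures_per_day(seconds_per_day=86400):
    """Password guesses one IP can make in a day if it reconnects the instant
    each lockout expires: the post's '2^17 > seconds/day' bound."""
    lock, ip, t, guesses = ExponentialLockout(), "203.0.113.7", 0, 0
    while t < seconds_per_day:
        lock.attempt(ip, t, success=False)
        guesses += 1
        t = lock.unlock_at[ip]   # earliest moment the next guess is accepted
    return guesses


def legit_user_recovery(ip="198.51.100.5"):
    """A user who mistypes three times then succeeds: total enforced wait is
    1 + 2 + 4 = 7 seconds and the failure counter resets on success."""
    lock, t = ExponentialLockout(), 0
    for _ in range(3):
        lock.attempt(ip, t, success=False)
        t = lock.unlock_at[ip]
    early = lock.attempt(ip, t - 1, success=True)  # one second too soon
    final = lock.attempt(ip, t, success=True)
    return t, early, final, lock.failures.get(ip, 0)


if __name__ == "__main__":
    for count, date, ip in count_failures(SAMPLE_LOG, "myhost"):
        print(f"{count:7d} {date} {ip}")
    print("max guesses/day under doubling lockout:", max_failures_per_day())
    print("legit user after 3 typos (t, early, final, failures):", legit_user_recovery())
```

With immediate reconnection the simulation gives 17 accepted guesses in a day (attempt k lands at second 2^(k-1) - 1, and 2^17 - 1 is past 86400), which is the "about 16" in the mail; the three-typo user is back in after 7 seconds with a clean slate.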
