
Problem:

Many attempts to connect to SSH are done, polluting the log files.

Solution:

If you have SSH open to the internet, you will notice that a lot of people try to log into your system. Run the following as root in a terminal to see whether you have this issue:

grep "Invalid user" /var/log/messages

To see how often each of the 25 most active offending IP addresses has tried, do the
following:

grep "Invalid user" /var/log/messages|awk '{print $NF}' | \
sort|uniq -c|sort -nr|head -n 25

Most likely there will be tens if not hundreds of attempts. Even if your
SUSE system is safe, it clutters the log file. There are some things you
can do to make this better.

  1. Decide if you really need SSH (or any other service) and turn it off
     in YaST, System, System Services if you are sure that you don’t need it.
  2. See that only SSH protocol 2 is selected by editing /etc/ssh/sshd_config
     as follows:

     #Protocol 2,1
     Protocol 2

     and restart the ssh service with ‘rcsshd restart’.

This will not block the attacks. For that you need another program. A
very good one is BlockHosts: http://www.aczoom.com/blockhosts/

First download the RPM from
http://www.aczoom.com/tools/blockhosts/BlockHosts-1.0.4-1.noarch.rpm
and install it with ‘rpm -Uvh BlockHosts-1.0.4-1.noarch.rpm’.

Next you can have a look at /etc/blockhosts.cfg if you want to edit
anything there.

The most important step is to edit /etc/hosts.allow, where you need to
add three parts: the hosts you always allow, the section that BlockHosts
maintains, and the line that runs BlockHosts.

The first part lists the hosts from which you absolutely must keep access
and which must never be blocked by accident or error. Those are machines
you trust. An example:

# permanent whitelist addresses - these should always be allowed access
ALL: 127.0.0.1          : allow
ALL: 192.168.           : allow
ALL: 10.                : allow
ALL: 195.144.64.175     : allow

Next is the section that BlockHosts itself edits. It consists of just the
following two marker lines, which must be present exactly as shown,
comments included; BlockHosts writes its deny entries between them.

#---- BlockHosts Additions
#---- BlockHosts Additions

Next is the line that runs the BlockHosts script each time a connection to sshd is made:

SSHd: ALL: spawn /usr/bin/blockhosts.py & : allow
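As an added example, not part of the original post or of the BlockHosts project itself: the Python script below (Python because BlockHosts is a Python script) reproduces the grep/awk/sort/uniq counting pipeline from above on a constructed log sample, builds ‘deny’ lines for repeat offenders that are not covered by the permanent whitelist, and writes them between the two ‘#---- BlockHosts Additions’ marker lines, i.e. into the section that BlockHosts maintains in /etc/hosts.allow. The sample log lines, the sample hosts.allow contents, the threshold of three attempts and all function names are assumptions made for this example; the log format is the one sshd used at the time (no trailing ‘port N’, so the last field is the client address), and the whitelist matching mimics the tcp_wrappers rule that an address ending in a dot matches as a prefix.

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages lines (not taken from a real system).
SAMPLE_LOG = """\
Nov  9 00:01:12 suse sshd[2231]: Invalid user admin from 203.0.113.5
Nov  9 00:01:15 suse sshd[2233]: Invalid user test from 203.0.113.5
Nov  9 00:01:19 suse sshd[2235]: Invalid user oracle from 198.51.100.7
Nov  9 00:02:02 suse sshd[2240]: Accepted publickey for alice from 192.168.1.20 port 50122 ssh2
Nov  9 00:02:44 suse sshd[2244]: Invalid user guest from 203.0.113.5
Nov  9 00:03:01 suse sshd[2250]: Invalid user backup from 192.168.1.20
"""

# Constructed /etc/hosts.allow with the three parts described in the post.
SAMPLE_HOSTS_ALLOW = """\
# permanent whitelist addresses - these should always be allowed access
ALL: 127.0.0.1          : allow
ALL: 192.168.           : allow
ALL: 10.                : allow

#---- BlockHosts Additions
#---- BlockHosts Additions

sshd: ALL: spawn /usr/bin/blockhosts.py & : allow
"""

INVALID_USER_RE = re.compile(r"Invalid user (\S+) from (\S+)\s*$")
MARKER = "#---- BlockHosts Additions"


def count_offenders(log_text):
    """Count 'Invalid user' lines per source address (grep | awk '{print $NF}' | sort | uniq -c)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = INVALID_USER_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def top_offenders(log_text, n=25):
    """The n busiest source addresses, most attempts first (sort -nr | head -n 25)."""
    return count_offenders(log_text).most_common(n)


def parse_whitelist(hosts_allow_text):
    """Collect the addresses of 'ALL: <addr> : allow' lines that sit above the BlockHosts markers."""
    addrs = []
    for line in hosts_allow_text.splitlines():
        if line.startswith(MARKER):
            break
        m = re.match(r"ALL:\s*(\S+)\s*:\s*allow", line)
        if m:
            addrs.append(m.group(1))
    return addrs


def is_whitelisted(ip, whitelist):
    """tcp_wrappers-style match: an entry ending in '.' is a network prefix, anything else is exact."""
    return any(ip.startswith(e) if e.endswith(".") else ip == e for e in whitelist)


def deny_lines(log_text, hosts_allow_text, threshold=3):
    """'ALL: <ip> : deny' lines for addresses at or above the threshold that are not whitelisted."""
    whitelist = parse_whitelist(hosts_allow_text)
    return [f"ALL: {ip} : deny"
            for ip, n in top_offenders(log_text)
            if n >= threshold and not is_whitelisted(ip, whitelist)]


def update_hosts_allow(hosts_allow_text, new_lines):
    """Replace whatever sits between the two marker lines with new_lines, leaving the rest untouched.

    Refuses to proceed if the markers are missing: without them there is no safe place to write, and
    the permanent whitelist or the spawn line could be clobbered. Re-running on the result is a no-op.
    """
    lines = hosts_allow_text.splitlines()
    idx = [i for i, l in enumerate(lines) if l.startswith(MARKER)]
    if len(idx) < 2:
        raise ValueError("both '#---- BlockHosts Additions' marker lines are required")
    start, end = idx[0], idx[-1]
    return "\n".join(lines[:start + 1] + list(new_lines) + lines[end:]) + "\n"


if __name__ == "__main__":
    for ip, n in top_offenders(SAMPLE_LOG):
        print(f"{n:7d} {ip}")
    print(update_hosts_allow(SAMPLE_HOSTS_ALLOW, deny_lines(SAMPLE_LOG, SAMPLE_HOSTS_ALLOW)))
```

With the sample data, 203.0.113.5 is counted three times and ends up as the only deny entry; 192.168.1.20 also produces an ‘Invalid user’ line but is protected by the ‘192.168.’ whitelist prefix, which is exactly why the post insists on the permanent whitelist coming first.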

More information on the configuration can be found at:

  • /usr/share/doc/BlockHosts-1.0.4/blockhosts.html
  • /usr/share/doc/BlockHosts-1.0.4/INSTALL
Category: Technical Solutions
This entry was posted Thursday, 9 November, 2006 at 12:00 am