Serious Problem - My SSH is trying to be hacked

[Chew]

I've been noticing in the last couple weeks, that my SSH server is being hammered by numerous IP's trying to get passwords for root, and even try accounts that don't exist like admin, guest, test, etc.

Is there a way to prevent logins to ssh from all other IP's except a given range I designate?

I'm on dsl, however as you know, it's static to a point. However I know what my DSL company's IP range is, and would like to restrict logins to just that range.

Or is there an easier way than just blocking the IP's? Because that's what I've been doing.

Thanks in advance,
Chew

[chirpy]

It's a very common attack at the moment. You should be able to restrict access to SSH through /etc/hosts.deny and hosts.allow:
man hosts.deny

Or, if you have APF, you could simply only allow access to port 22 from your IP address or range using the /etc/apf/allow_hosts.rules and deny_hosts.rules

[Chew]

ahh I didn't think about using apf for restrictions.

Thanks again Chirpy!
Chew

[Chew]

one other thing.

Say my IP is 64.155.58.12
I want to always allow 64.55.x.x to connect.

Would I enter the following?
tcp:in:d=22:s=64.155.0.0/16 ?

What's the correct format for the entry?

Thanks,
Chew

[bamasbest]

Don't forget...

If you have APF installed, you should install Brute Force Protection (BFD) from the same vendor. This script will automatically update/deny the IP's of the kiddies running the hack attempts.

[deanstev]

I have the exact same problem - happening loads over the last few weeks - I don't have APF, just a plain old miniserver at memset.. what can I do to stop it?

Any ideas gratefully received.


Regards,
Dean

[sjackson909]

If you can't use firewall rules to block out connections, you can block on username also. Add this line to your sshd_config.

AllowUsers user1,user2

Only add users you want to connect.

Thanks
-Seth

[AbeFroman]

Or, if you have APF, you could simply only allow access to port 22 from your IP address or range using the /etc/apf/allow_hosts.rules and deny_hosts.rules

How do you do this in APF? What is the syntax? Does it only restict it user root or all users?

[sjackson909]

How do you do this in APF? What is the syntax? Does it only restict it user root or all users?

You don't filter on user name in APF, just on bits. edit your sshd_config to filter based on username.

Thanks
-Seth

[xsenses]

I was getting hit for about 2 weeks and then I simply changed the SSH port and closed 22 with APF and all went quiet.

[AbeFroman]

How do you close a port with APF?

[AbeFroman]

You don't filter on user name in APF, just on bits.
-Seth

What do you mean but "just on bits"?

[SonServers]

AllowUsers user1,user2

Only add users you want to connect.

Let's say you allow "user1" but not root. If you login as "user1" will SSH still allow you to SU to root (assuming "user1" is in the wheel group)?

[sjackson909]

Let's say you allow "user1" but not root. If you login as "user1" will SSH still allow you to SU to root (assuming "user1" is in the wheel group)?

yep, ssh is just the tranport to get you to the shell. AbeFroman, I know not one thing about APF.. I use ipfw on FreeBSD. No linux for me.

Thanks
-Seth

[chirpy]

TBH, I find it simpler to move SSH to a different port (just modify /etc/ssh/sshd_config and restart sshd). It won't stop port range scanners, but it will bounce the skiddie scripts like the one currently doing the rounds.