3

I noticed recently that I have many login attempts, over 2 million and counting. This is surely a brute force attack.

How can I auto-block an IP for 15 minutes on a root SSH access failure?

I don't need a firewall; just a small option to activate this security feature.

What do you suggest?

Jonathan Leffler
TDSii

2 Answers

5

I suggest using SSH keys and not using passwords at all. Even if you don't do that, I recommend disabling SSH logins as root directly. Either way you won't have to worry about your problem. Remember that if you block IPs on failed login attempts, you'll have to worry about denial of service: anyone behind the same NAT as you can deny you access to your own machine, etc. Also, any attacker worth his salt would just distribute the attack across many IPs anyway.

Zed
  • We're having issues with this too. I'm more than likely going to change the SSH port to something other than 22 to thwart lazy attackers and script kiddies. Keep in mind that you should keep your SSH port below 1024 so that it is a ["privileged" port](http://stackoverflow.com/questions/10182798/why-are-ports-below-1024-privileged) that can only be secured by root. – Alex W Apr 29 '15 at 14:30
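To make the first answer concrete, here is an added check (example code written for this page, not Zed's and not OpenSSH's) that reads an sshd_config the way sshd does and reports whether root logins and password authentication are really off. The two configs are constructed samples; the "first value wins, and directives after a Match line are conditional" rule and the defaults table follow the sshd_config manual page, and the policy that only `PermitRootLogin no` counts as hardened follows the answer.

```python
"""Check the values sshd will actually use for PermitRootLogin and
PasswordAuthentication.  Added example, not OpenSSH or fail2ban code.

Two sshd_config rules matter here: for each keyword the FIRST value read wins,
and directives after a Match line are conditional, not global.  A hardening
line appended at the end of a file therefore changes nothing if an earlier
line already set the keyword.
"""
import re

# Defaults assumed for a modern OpenSSH (PermitRootLogin defaults to
# prohibit-password from 7.0 on, PasswordAuthentication to yes).
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}
CANONICAL = {"permitrootlogin": "PermitRootLogin",
             "passwordauthentication": "PasswordAuthentication"}
# Per the answer: no root logins at all, and no passwords at all.
HARDENED_VALUE = "no"


def effective_settings(text: str) -> dict:
    """Global keyword -> value as sshd resolves them (keywords lowercased)."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "match":
            break                                  # everything below is conditional
        seen.setdefault(key, value)                # first value wins; later ones are ignored
    return seen


def audit(text: str) -> dict:
    """Canonical keyword -> (effective value, hardened?) for the two keywords."""
    seen = effective_settings(text)
    result = {}
    for key, name in CANONICAL.items():
        value = seen.get(key, DEFAULTS[key]).lower()
        result[name] = (value, value == HARDENED_VALUE)
    return result


# Constructed samples.  WEAK is a distro default someone tried to patch at the bottom.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
# Added later "to fix the brute force"; sshd ignores it, the first value above wins.
PermitRootLogin no
"""

HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
PermitRootLogin no
PasswordAuthentication no
# keyboard-interactive via PAM would still prompt for a password, so turn it off too
ChallengeResponseAuthentication no
UsePAM yes
# Exception for one account only; it does not change the global value.
Match User deploy
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for name, (value, ok) in audit(cfg).items():
            print(f"{label:9} {name:23} {value:18} {'ok' if ok else 'FIX'}")
```

This reviews a file before it is deployed; on a running server `sshd -T` prints the configuration sshd actually resolved and is the authoritative check, and `sshd -t` validates the syntax before a restart. Make sure a key-based login works from a second session before turning `PasswordAuthentication` off, or you lock yourself out.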
5

fail2ban (works out of the box, and works quite nicely)

Damon
  • Not an automatic solution; also, I don't have any of the paths that his script uses: /var/log/pwdfail, /var/log/apache/error_log – TDSii Mar 22 '11 at 11:57
  • For ssh, /var/log/auth.log would be what you use, the others are "bonus material". Apart from ssh, fail2ban can also detect and block exploits on the webserver and some others (see documentation). It does run fully automatic, though of course you may have to configure it once to tell it what precisely you want it to check. – Damon Mar 22 '11 at 12:05
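To show what a fail2ban ssh jail does with /var/log/auth.log, here is an added example (written for this page, not fail2ban's own code) that runs the same sliding-window logic over constructed auth.log lines: `maxretry` failures within `findtime` seconds get the source address banned for `bantime` seconds (900 for the 15 minutes asked for), and the ban is lifted once it expires. The log excerpt, the `users` filter and the assumed year for the syslog timestamps are this example's assumptions; in fail2ban itself the corresponding jail options are `logpath`, `maxretry`, `findtime`, `bantime` and `ignoreip`.

```python
"""Fail2ban-style ban logic over sshd lines from /var/log/auth.log.

Added example, not fail2ban's code.  It mirrors the jail parameters maxretry,
findtime, bantime and ignoreip so the "block for 15 minutes" rule is visible.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd failure line as syslog writes it to auth.log.  Constructed pattern; the
# real fail2ban sshd filter matches many more message variants.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(ts: str, year: int = 2011) -> datetime:
    """syslog timestamps carry no year; assume one (the sample log is dated 2011)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


class Jail:
    """Per-IP sliding-window failure counter with bans that expire."""

    def __init__(self, maxretry=3, findtime=600, bantime=900, users=("root",), ignoreip=()):
        self.maxretry = maxretry            # failures inside findtime that trigger a ban
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)   # 900 s = the 15 minutes asked for
        self.users = set(users)             # count failures for these accounts only (empty = all)
        self.ignoreip = set(ignoreip)       # never ban these: your own NAT or jump host
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.bans = {}                      # ip -> datetime the ban expires
        self.events = []                    # ("ban" | "unban", ip, datetime), in order

    def expire(self, now: datetime) -> None:
        """Lift every ban whose bantime has elapsed."""
        for ip, until in list(self.bans.items()):
            if now >= until:
                del self.bans[ip]
                self.events.append(("unban", ip, now))

    def is_banned(self, ip: str, now: datetime) -> bool:
        return ip in self.bans and now < self.bans[ip]

    def feed(self, line: str):
        """Process one log line; return ("ban", ip) if it triggers a ban, else None."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        now, ip, user = parse_ts(m["ts"]), m["ip"], m["user"]
        self.expire(now)
        if ip in self.ignoreip or self.is_banned(ip, now):
            return None
        if self.users and user not in self.users:
            return None
        window = self.failures[ip]
        window.append(now)
        while now - window[0] > self.findtime:
            window.popleft()                # forget failures older than findtime
        if len(window) >= self.maxretry:
            self.bans[ip] = now + self.bantime
            window.clear()
            self.events.append(("ban", ip, now))
            # here fail2ban runs its action, typically an iptables DROP rule for ip
            return ("ban", ip)
        return None


# Constructed auth.log excerpt: 10.0.0.5 fails three times in eleven seconds,
# 10.0.0.2 is an ignored address, 10.0.0.7 fails for a non-root account, and
# 10.0.0.9 fails twice twelve minutes apart (outside findtime).
SAMPLE_LOG = """\
Mar 22 11:40:01 host sshd[1201]: Failed password for root from 10.0.0.5 port 51100 ssh2
Mar 22 11:40:04 host sshd[1203]: Failed password for root from 10.0.0.5 port 51102 ssh2
Mar 22 11:40:06 host sshd[1204]: Failed password for root from 10.0.0.2 port 40108 ssh2
Mar 22 11:40:09 host sshd[1206]: Accepted publickey for deploy from 10.0.0.2 port 40110 ssh2
Mar 22 11:40:11 host sshd[1208]: Failed password for invalid user admin from 10.0.0.7 port 40011 ssh2
Mar 22 11:40:12 host sshd[1209]: Failed password for root from 10.0.0.5 port 51104 ssh2
Mar 22 11:41:00 host sshd[1220]: Failed password for root from 10.0.0.9 port 33000 ssh2
Mar 22 11:53:00 host sshd[1230]: Failed password for root from 10.0.0.9 port 33002 ssh2
Mar 22 11:56:00 host sshd[1240]: Failed password for root from 10.0.0.5 port 51110 ssh2
"""


def run(lines, **jail_kwargs) -> Jail:
    """Feed every line to a fresh Jail and return it for inspection."""
    jail = Jail(**jail_kwargs)
    for line in lines:
        jail.feed(line)
    return jail


if __name__ == "__main__":
    for kind, ip, when in run(SAMPLE_LOG.splitlines(), ignoreip=("10.0.0.2",)).events:
        print(f"{when:%b %d %H:%M:%S} {kind:5} {ip}")
```

On the sample, 10.0.0.5 is banned at 11:40:12 and unbanned at 11:56:00, 10.0.0.9 is never banned because its two failures are further apart than `findtime`, and 10.0.0.2 is never counted. The `ignoreip` entry is what addresses the NAT denial-of-service concern from the first answer: put your own address there so a neighbour's failed attempts cannot lock you out.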