Re: [tlug] Blocking bad sshd bruteforce attempt

["Birkir A. Barkarson" <birkirb@example.com>]

Hung Vu Nguyen wrote:
> Hi all,
>
> I have openssh 3.7p1 running  on port 22 in Debian ( quite old
> version). The kernel is 2.4.30 with openwall patched. I also have
> logwatch and logcheck running and they send me security report
> everyday.
>
> > From logcheck:
>
> Security Events
> =-=-=-=-=-=-=-=
> Jul 11 07:02:05 aoclife sshd[24861]: Illegal user sysadmin from 202.158.162.53
> Jul 11 07:02:05 aoclife sshd[24861]: Failed password for illegal user
> sysadmin from 202.158.162.53 port 37391 ssh2
> Jul 11 07:02:05 aoclife sshd[24902]: Illegal user sysadmin from 202.158.162.53
>
> I don't worry about that because 'he' is just bruteforcing me. My sshd
> is secured /etc/hosts.allow .
>
> And from logwatch:
>
>   hidekazu/password from 211.96.27.90: 1 Time(s)
>   hirofumi/password from 211.96.27.90: 1 Time(s)
>   hirohisa/password from 211.96.27.90: 1 Time(s)
>   hirokazu/password from 211.96.27.90: 1 Time(s)
>   hiroshi/password from 211.96.27.90: 1 Time(s)
>   hisashi/password from 211.96.27.90: 1 Time(s)
>   hitoshi/password from 211.96.27.90: 1 Time(s)
>
> japanese usernames :D. Because my server is running an DDNS with .jp
> in the end so I think that it is not an automated bruteforce attempt.
> And I want to block such kind of attempt *automatically*. If we can
> block those IPs with iptables -j REJECT, then the log will be much
> cleaner ( 250KB each time is so annoying ).
>
> I remember that someone in TLUG has posted a ruby (?) script to the
> list but I couldn't find the post in the archives.
>
> Please share your ideas.

I run SSHD on a port in the 2000 range, haven't had a single 
unauthorized login attempt since I put the system up around Nov last 
year.  Figure it's always good to stay away from the defaults if you 
can.  (Security through obscurity perhaps)

BAB