Article by houghi
Checking the Log File for Invalid SSH Connection Attempts


Problem:

Many attempts are made to connect over SSH, polluting the log files.

Solution:

If your SSH service is reachable from the Internet, you will notice that a lot of people try to log into your system. To see whether you have an issue, run the following as root in a terminal:

grep "Invalid user" /var/log/messages

To see how often each of the 25 most active offending IP addresses has tried, do the
following:

grep "Invalid user" /var/log/messages | awk '{print $NF}' | \
sort | uniq -c | sort -nr | head -n 25

Most likely there will be tens if not hundreds of attempts. Even if your
SUSE system is safe, it clutters the log file. There are some things you
can do to make this better.

  1. Decide if you really need SSH (or any other service) and, if you are sure
    you don't, turn it off in YaST under System, System Services.
  2. Make sure only SSH protocol 2 is enabled by editing
    /etc/ssh/sshd_config so that the Protocol line reads as follows:
    #Protocol 2,1
    Protocol 2

    Then restart the ssh service with 'rcsshd restart'.

This will not block the attacks. For that you need another program; a
very good one is BlockHosts: http://www.aczoom.com/cms/blockhosts/

First download the RPM from

http://www.aczoom.com/tools/blockhosts/BlockHosts-1.0.4-1.noarch.rpm

and install it with 'rpm -Uvh BlockHosts-1.0.4-1.noarch.rpm'.

Next you can have a look at /etc/blockhosts.cfg if you want to edit
anything there.

The most important step is to edit /etc/hosts.allow, where you need to
add three parts: the hosts you always allow, the section that BlockHosts
maintains, and the rule that runs BlockHosts.

The first part lists the machines you absolutely need access from and
that must never be blocked by accident or error. These are the machines
you trust. An example:

# permanent whitelist addresses - these should always be allowed access
ALL: 127.0.0.1          : allow
ALL: 192.168.           : allow
ALL: 10.                : allow
ALL: 195.144.64.175     : allow

Next is the section that BlockHosts itself edits. It is simply the
following two lines, comments included:

#---- BlockHosts Additions
#---- BlockHosts Additions

Then comes the line that runs the script each time an SSH connection is made:

SSHd: ALL: spawn /usr/bin/blockhosts.py & : allow

More information on the configuration can be found at:

  • /usr/share/doc/BlockHosts-1.0.4/blockhosts.html
  • /usr/share/doc/BlockHosts-1.0.4/INSTALL
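The counting pipeline above reports every address, including the machines on the permanent whitelist that BlockHosts will never block anyway. The script below is an added example (not from the original article or from BlockHosts) that combines both pieces: it reads the "ALL: ... : allow" patterns from a hosts.allow file and counts "Invalid user" attempts only for addresses those patterns do not cover. The log lines and the hosts.allow file are constructed here so it runs offline; patterns ending in "." are treated as prefixes, as tcp_wrappers does.

```shell
#!/bin/sh
# Constructed sample of /var/log/messages lines (not real data).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:12 suse sshd[1234]: Invalid user admin from 203.0.113.5
Mar  3 10:02:01 suse sshd[1240]: Invalid user test from 198.51.100.7
Mar  3 10:02:40 suse sshd[1241]: Invalid user oracle from 203.0.113.5
Mar  3 10:03:05 suse sshd[1250]: Accepted publickey for houghi from 192.168.1.20 port 50001 ssh2
Mar  3 10:03:30 suse sshd[1251]: Invalid user guest from 192.168.1.20
Mar  3 10:04:10 suse sshd[1260]: Invalid user root from 203.0.113.5
EOF

# Constructed hosts.allow in the three-part layout the article describes.
SAMPLE_ALLOW=$(mktemp)
cat > "$SAMPLE_ALLOW" <<'EOF'
# permanent whitelist addresses - these should always be allowed access
ALL: 127.0.0.1          : allow
ALL: 192.168.           : allow
ALL: 10.                : allow
#---- BlockHosts Additions
#---- BlockHosts Additions
sshd: ALL: spawn /usr/bin/blockhosts.py & : allow
EOF

# Print "count address" for the top N offenders, most active first.
# The address is taken as the field after "from" rather than $NF, so the
# count survives lines that end in "port 1234 ssh2". Whitelisted addresses
# (exact match, or prefix match for patterns ending in ".") are skipped.
top_offenders() {
  log=$1; allow=$2; limit=${3:-25}
  awk '
    FNR == NR { if ($1 == "ALL:" && $NF == "allow") wl[++n] = $2; next }
    /Invalid user/ {
      ip = ""
      for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
      if (ip == "") next
      for (j = 1; j <= n; j++) {
        p = wl[j]
        if (ip == p || (p ~ /\.$/ && index(ip, p) == 1)) next
      }
      hits[ip]++
    }
    END { for (ip in hits) print hits[ip], ip }
  ' "$allow" "$log" | sort -nr | head -n "$limit"
}

top_offenders "$SAMPLE_LOG" "$SAMPLE_ALLOW"
```

On a real system, point it at /var/log/messages and /etc/hosts.allow; the whitelisted 192.168.1.20 in the sample is dropped from the report, leaving 203.0.113.5 with three attempts and 198.51.100.7 with one.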

Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).

It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.


© 2012 Novell