
Checking the Log File for Invalid SSH Connection Attempts

Novell Cool Solutions: Tip
By houghi


Posted: 9 Nov 2006

Problem:

Many attempts are made to log in over SSH, polluting the log files.

Solution:

If you run SSH reachable from the Internet, you will notice that a lot of people try to log into your system. Run the following as root in a terminal to see whether you have an issue:

grep "Invalid user" /var/log/messages

To see how many attempts come from each of the 25 most active IP addresses, do the following:

grep "Invalid user" /var/log/messages|awk '{print $NF}' | \
sort|uniq -c|sort -nr|head -n 25

Most likely there will be tens if not hundreds of attempts. Even if your SUSE system is safe, it clutters the log file. There are some things you can do to make this better.
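The pipeline above, packaged as shell functions and run over a constructed sample of /var/log/messages so it works offline. This is an added example, not part of the original tip; the log lines and addresses are made up, and the third function (a simple attempt threshold) goes slightly beyond the tip to show the kind of decision a blocker such as BlockHosts makes.

```shell
#!/bin/sh
# Added example: count "Invalid user" attempts per source address.
# The sample log below is constructed; real data lives in /var/log/messages.
SAMPLE_LOG='Nov  9 10:01:02 host sshd[1234]: Invalid user admin from 203.0.113.7
Nov  9 10:01:03 host sshd[1235]: Invalid user test from 203.0.113.7
Nov  9 10:01:05 host sshd[1236]: Accepted publickey for houghi from 192.168.1.20 port 51022 ssh2
Nov  9 10:01:07 host sshd[1237]: Invalid user oracle from 198.51.100.23
Nov  9 10:01:09 host sshd[1238]: Invalid user admin from 203.0.113.7
Nov  9 10:02:11 host sshd[1239]: Invalid user guest from 198.51.100.23
Nov  9 10:02:15 host sshd[1240]: Invalid user ftp from 192.0.2.200'

# top_offenders FILE N: print "count ip" for the N addresses with the most
# "Invalid user" lines, busiest first. The grep must come first: $NF (last
# field) is the client IP only on these lines; on "Accepted ..." lines it is
# "ssh2". If your sshd appends "port N" to the message, use $(NF-2) instead.
top_offenders() {
    grep "Invalid user" "$1" | awk '{print $NF}' | sort | uniq -c | sort -nr | head -n "$2"
}

# count_for FILE IP: number of invalid-user attempts from one address.
count_for() {
    grep "Invalid user" "$1" | awk -v ip="$2" '$NF == ip' | wc -l | tr -d ' '
}

# above_threshold FILE N: addresses with at least N attempts, one per line.
# This is the kind of rule a blocker applies before adding a deny entry.
above_threshold() {
    grep "Invalid user" "$1" | awk '{print $NF}' | sort | uniq -c \
        | awk -v n="$2" '$1 >= n {print $2}'
}

# Stand-alone run over the constructed sample (use /var/log/messages for real).
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
top_offenders "$tmp" 25
rm -f "$tmp"
```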

  1. Decide if you really need SSH (or any other service) and turn it off in YaST, System, System Services if you are sure that you don't need it.


  2. See that only SSH protocol 2 is selected by editing
    /etc/ssh/sshd_config as follows:
    #Protocol 2,1
    Protocol 2
    and restart the ssh service with 'rcsshd restart'.

This will not block the attacks. For that you need another program. A very good one is http://www.aczoom.com/cms/blockhosts/

First download the RPM http://www.aczoom.com/tools/blockhosts/BlockHosts-1.0.4-1.noarch.rpm and install it with 'rpm -Uvh BlockHosts-1.0.4-1.noarch.rpm'

Next you can have a look at /etc/blockhosts.cfg if you want to edit anything there.

The most important step is to edit /etc/hosts.allow, where you need to add three parts: the hosts you always allow, the section BlockHosts maintains, and the command that runs BlockHosts.

The first part lists the hosts you absolutely need access from, which must never be blocked by accident or error. Those are machines you trust. An example:

# permanent whitelist addresses - these should always be allowed access
ALL: 127.0.0.1          : allow
ALL: 192.168.           : allow
ALL: 10.                : allow
ALL: 195.144.64.175     : allow

Next is the section that BlockHosts edits. It consists of just the following two marker lines, comments included:

#---- BlockHosts Additions
#---- BlockHosts Additions

Next is the line that calls the script each time an SSH connection comes in:

SSHd: ALL: spawn /usr/bin/blockhosts.py & : allow

More information on the configuration can be found at:

  • /usr/share/doc/BlockHosts-1.0.4/blockhosts.html
  • /usr/share/doc/BlockHosts-1.0.4/INSTALL



© 2014 Novell