SSH Brute Force Attack; Auto-Ban IP-Addresses

Question

Possible Duplicate:
Preventing brute force attacks against ssh?

We have approximately 20 internet connected virtual machines, and just noticed that hackers are trying to brute force SSH port 22. They are trying common usernames (root, mysql, admin) and dictionary attacks.

We know one counter-measure is to run SSH on a different port, but that is not an option (must run on 22). Also, we know that disallowing passwords (only public-keys) is another counter-measure, but again, we require the ability to use password authentication.

Is there a package that can ban/block an ip-address if it tries to SSH incorrectly X number of times in a given interval?

Would be optimal if it could block for say 12 hours if 5 incorrect logins in a span of 1 minute.

Thanks.

and http://serverfault.com/a/174962/50875 – gWaldo Jan 31 '12 at 02:54 — gWaldo, Jan 31 '12 at 02:54

score 3 · Answer 1 · answered Jan 31 '12 at 02:24

3

http://www.fail2ban.org/wiki/index.php/Main_Page
works for any log files, based on any phrases

answered Jan 31 '12 at 02:24

Niko S P

1,182
8
15

score 2 · Answer 2 · answered Jan 31 '12 at 02:18

2

http://denyhosts.sourceforge.net/

answered Jan 31 '12 at 02:18

chocripple

2,039
14
9

-1 for posting just a link. – John Gardeniers Jan 31 '12 at 03:28
My bad, noted :) – chocripple Jan 31 '12 at 04:19

score 0 · Answer 3 · answered Jan 31 '12 at 02:28

I use the CSF (ConfigServer Security & Firewall) scripts, which not only includes IP filtering, but also a plethora of other functionality. It integrates with IP Tables nicely. I run, manage, and configure it from the command line, but for folks who have cPanel, it can also be installed via WHM's GUI.

SSH Brute Force Attack; Auto-Ban IP-Addresses

3 Answers3