
I have a problem.

Someone tries to get into my server, and it happens too often. For example:

Aug 19 14:11:42 oplot sshd[18373]: input_userauth_request: invalid user oracle
Aug 19 14:11:42 oplot sshd[18372]: pam_unix(sshd:auth): check pass; user unknown
Aug 19 14:11:42 oplot sshd[18372]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=211.38.137.44
Aug 19 14:11:44 oplot sshd[18372]: Failed password for invalid user oracle from 211.38.137.44 port 36841 ssh2
Aug 19 14:11:45 oplot sshd[18373]: Received disconnect from 211.38.137.44: 11: Bye Bye
Aug 19 14:11:47 oplot sshd[18374]: Invalid user test from 211.38.137.44
Aug 19 14:11:47 oplot sshd[18375]: input_userauth_request: invalid user test
Aug 19 14:11:47 oplot sshd[18374]: pam_unix(sshd:auth): check pass; user unknown
Aug 19 14:11:47 oplot sshd[18374]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=211.38.137.44

And also this one:

Aug 19 14:58:51 oplot sshd[19543]: Failed password for root from 202.117.56.29 port 43025 ssh2
Aug 19 14:58:52 oplot sshd[19544]: Received disconnect from 202.117.56.29: 11: Bye Bye
Aug 19 14:58:55 oplot sshd[19546]: reverse mapping checking getaddrinfo for 56h29.xjtu.edu.cn [202.117.56.29] failed - POSSIBLE BREAK-IN ATTEMPT!

Can you please explain to me what "reverse mapping checking getaddrinfo" means?

And how can I block IPs after several such attempts?

Dennis Williamson
Oleg

3 Answers

fail2ban is a popular way to block lots of false ssh login attempts. I would advise you focus on stopping people from hammering your ssh port instead of worrying about bad reverse DNS lookups.

Kyle Brandt

What ssh calls "possible break-in attempt" is just a signal that the address in question is wrongly configured. You can check:

~% host 202.117.56.29
29.56.117.202.in-addr.arpa domain name pointer 56h29.xjtu.edu.cn.
~% host 56h29.xjtu.edu.cn
Host 56h29.xjtu.edu.cn not found: 3(NXDOMAIN)

DNS PTR records are sort of a security issue, because there is absolutely nothing that keeps you from claiming that your address's hostname is anything you want, even "google.com" or "nsa.gov". So, SSH does this extra check to ensure that there is a correct bidirectional relation between address and hostname.

Don't try to block multiple attempts without first protecting your SSH service port. You should consider disabling the SSH service, or at least firewalling it. If you can't firewall it, try using a port-knocking solution to hide it from random attacks. Also, disable password authentication and force everyone to use public key authentication.

Juliano
  • If you use password authentication, there is probably little to be gained from port-knocking. – sleske Aug 19 '09 at 15:07
  • sleske: Even using password authentication, port-knocking makes your server stop advertising that it has an SSH port open. If someone is searching for open SSH ports to attack using, for example, nmap, he won't find your server and will just skip to the next one, thus keeping your logs clean. Targeted attacks are another case. – Juliano Aug 19 '09 at 16:50

Check out DenyHost. It is a great way to ban IPs that try to brute-force SSH logins. You also benefit from a shared blocklist of IPs that attempted the stunt on other hosts worldwide.

If you prefer a more lightweight solution, you can use iptables to block repeated attempts at ssh. Assuming you already have your iptables rules set up with a default DROP policy and allow only specific ports, the following rule will open up port 22 (ssh) such that it will temporarily block SSH connections from a specific IP once there are more than 3 connections per minute:

iptables -A INPUT -m hashlimit --hashlimit 3/min --hashlimit-burst 3 --hashlimit-mode srcip --hashlimit-name inputssh -p tcp --dport 22 -j ACCEPT

Note that this will also stop successful logins if they exceed the frequency threshold, so you'll have to choose an appropriate value.

For more information, you could try "man iptables" or "iptables -m hashlimit --help". Also, googling for "iptables tutorial" and "iptables hashlimit" should provide a good starting point if you are unfamiliar with iptables.

Shawn Chin