Crack attempts - ssh (Slackware Linux Support forum, Unix Operating Systems category)
Is there a better way to handle this situation?

I'm running slackware/current behind a firewall (iptables based) with access to all ports denied (closed) except port 22 (ssh).

In /etc/hosts.allow I have port 22 open to the world as I never know in advance where people (including me) will be accessing from. This is a problem.

Over the past few weeks I've been getting several hits from a group of IP addresses that are attempts to log in. So far so good, it appears. These attempts are multiple tries with different user names from the same IP addresses, which leads me to believe it is not a random error but a serious attempt to gain access. The "attacks" last from 3 to 5 minutes. The attacks mostly are from the far east, but one from the Netherlands.

What I've been doing is entering the IP block in my blacklist and having my firewall drop all packets from these addresses, e.g.:

    211.250.34.0/24
    220.70.167.0/24
    200.135.11.0/24
    211.221.238.0/24
    194.149.239.0/24
    194.149.238.0/24
    66.10.227.0/24
    218.234.75.0/24
    210.22.184.0/24

The drop is bidirectional.

Root logins over ssh are denied, which poses the question: is there a way to allow access from only certain users?

I've reviewed my passwords and determined they are sufficiently arcane to prevent someone from actually hitting the correct combination by chance.

Any comments welcome.

Rinaldi
--
If you cannot convince them, confuse them. -- Harry S Truman
Rinaldi J. Montessi wrote:

> I'm running slackware/current behind a firewall (iptables based) with
> access to all ports denied (closed) except port 22 (ssh).
>
> In /etc/hosts.allow I have port 22 open to the world as I never know in
> advance where people (including me) will be accessing from. This is a
> problem.
>
> Over the past few weeks I've been getting several hits from a group of ip
> addresses that are attempts to log in. So far so good, it appears. These
> attempts are multiple tries with different user names from the same ip
> addresses which leads me to believe it is not a random error but a serious
> attempt to gain access. The "attacks" last from 3 to 5 minutes.

Have you considered port knocking?

http://www.linuxjournal.com/article/6811

I haven't tried it myself, but it seems like a good solution for your needs.

Blumf
Rinaldi J. Montessi wrote:

> In /etc/hosts.allow I have port 22 open to the world as I never know in
> advance where people (including me) will be accessing from. This is a
> problem.

My friend had the same situation. It's "normal".

> Root logins over ssh are denied. Which poses the question: Is there a way
> to allow access from only certain users?

It's simple. Look:

    16:35[root@dziala:~]# grep AllowUsers /etc/ssh/sshd_config
    AllowUsers mariuszj@host-one.world.ea
    AllowUsers mariuszj@host-two.world.ea
    AllowUsers *@192.168.20.1

..ea means Earth ;-)

Last line for everyone from local network.

Cheers
mj
Rinaldi J. Montessi wrote:

> Root logins over ssh are denied. Which poses the question: Is there
> a way to allow access from only certain users?

"AllowGroups" in sshd_config. My own systems permit access only by "human" users, via "AllowGroups users", but you might want to restrict that even further by creating a special group for access via ssh, and listing only that group in the AllowGroups statement. The sshd_config manual page has details.

I hope that helps ...

--
----------------------------------------------------------------------
Sylvain Robitaille  syl@alcor.concordia.ca
Systems analyst  Concordia University
Instructional & Information Technology  Montreal, Quebec, Canada
----------------------------------------------------------------------
On Tue, 30 Nov 2004 16:35:31 +0100, mj wrote:

> It's simple. Look:
>
> 16:35[root@dziala:~]# grep AllowUsers /etc/ssh/sshd_config

Thanks. Exactly what I was looking for.

Rinaldi
--
"You can do this in a number of ways. IBM chose to do all of them. Why do you find that funny?" -- D. Taylor, Computer Science 350
Rinaldi J. Montessi wrote:

> Is there a better way to handle this situation?
>
> I'm running slackware/current behind a firewall (iptables based) with access
> to all ports denied (closed) except port 22 (ssh).

Another change that helps is to run ssh on an arbitrary port, instead of 22. You have 65535 to choose from... Just change 'Port 22' in /etc/ssh/sshd_config and restart.
exlt wrote:

> Another change that helps is to run ssh on an arbitrary port, instead of
> 22. You have 65535 to choose from... Just change 'Port 22' in
> /etc/ssh/sshd_config and restart.

I'm curious to know how you feel this addresses the original poster's request ...

--
----------------------------------------------------------------------
Sylvain Robitaille  syl@alcor.concordia.ca
Systems analyst  Concordia University
Instructional & Information Technology  Montreal, Quebec, Canada
----------------------------------------------------------------------
In alt.os.linux.slackware, Sylvain Robitaille dared to utter,

> I'm curious to know how you feel this addresses the original poster's
> request ...

These attacks are a non-interactive attempt to log in, basically a script kiddy's idea of brute forcing ssh. I doubt the script does a port scan, then reads headers on each found port to determine what port ssh is running on. 10 to 1 if it gets a refused connection on port 22 it doesn't bother with anything else. I should know as I see the exact same thing on my FreeBSD box.

--
It is better to hear the rebuke of the wise, Than for a man to hear the song of fools. Ecclesiastes 7:5
On Tue, 30 Nov 2004 18:13:03 GMT, exlt wrote:

> Another change that helps is to run ssh on an arbitrary port, instead of
> 22. You have 65535 to choose from... Just change 'Port 22' in
> /etc/ssh/sshd_config and restart.

Thank you. I just checked, and for those times we have to use PuTTY on a windows box, a different port can be specified on the command line. Life is good :-)

Rinaldi
--
People will accept your ideas much more readily if you tell them that Benjamin Franklin said it first.
Rinaldi J. Montessi wrote:

> Root logins over ssh are denied. Which poses the question: Is there a
> way to allow access from only certain users?

I have a setting in my /etc/ssh/sshd_config that lets only specified users in:

    AllowUsers user1 user2 user3

where userX is the different allowed users. I also have the ssh port on a different port for added security. You shouldn't have a problem unless the cracker can figure out a login/pass combo, but like you said, the passwords you have should be too difficult to guess.

regards,
--
lucas
-------------------------
Perl Coder since 2001
shift || die;
-------------------------