如何设置sshd或者iptables，对攻击者的IP地址不响应？

[giveup]

这是昨晚的ssh攻击记录节选。

代码： 全选

     1	Nov 24 02:05:07 LinuxRouter sshd[6999]: Failed password for invalid user root from 203.98.181.132 port 37292 ssh2
     2	Nov 24 02:05:10 LinuxRouter sshd[7001]: Failed password for invalid user root from 203.98.181.132 port 37975 ssh2
     3	Nov 24 02:05:13 LinuxRouter sshd[7003]: Failed password for invalid user root from 203.98.181.132 port 38634 ssh2
     4	Nov 24 02:05:16 LinuxRouter sshd[7005]: Failed password for invalid user root from 203.98.181.132 port 39182 ssh2
     5	Nov 24 02:05:20 LinuxRouter sshd[7007]: Failed password for invalid user root from 203.98.181.132 port 39752 ssh2
     6	Nov 24 02:05:23 LinuxRouter sshd[7009]: Failed password for invalid user root from 203.98.181.132 port 40437 ssh2
     7	Nov 24 02:05:26 LinuxRouter sshd[7011]: Failed password for invalid user root from 203.98.181.132 port 41013 ssh2
     8	Nov 24 02:05:29 LinuxRouter sshd[7013]: Failed password for invalid user root from 203.98.181.132 port 41527 ssh2
     9	Nov 24 02:05:33 LinuxRouter sshd[7015]: Failed password for invalid user root from 203.98.181.132 port 42107 ssh2
    10	Nov 24 02:05:36 LinuxRouter sshd[7017]: Failed password for invalid user root from 203.98.181.132 port 42759 ssh2
    11	Nov 24 02:05:42 LinuxRouter sshd[7019]: Failed password for invalid user root from 203.98.181.132 port 43285 ssh2
    12	Nov 24 02:05:45 LinuxRouter sshd[7021]: Failed password for invalid user root from 203.98.181.132 port 44382 ssh2
....
  3111	Nov 24 06:47:57 LinuxRouter sshd[13348]: Failed password for invalid user root from 203.98.181.132 port 8795 ssh2
  3112	Nov 24 06:48:00 LinuxRouter sshd[13350]: Failed password for invalid user root from 203.98.181.132 port 9345 ssh2
  3113	Nov 24 07:23:21 LinuxRouter sshd[13491]: Failed password for invalid user root from 222.33.200.210 port 42962 ssh2
  3114	Nov 24 07:23:24 LinuxRouter sshd[13493]: Failed password for invalid user root from 222.33.200.210 port 38134 ssh2
....
  3772	Nov 24 07:52:05 LinuxRouter sshd[14827]: Failed password for invalid user root from 222.33.200.210 port 41254 ssh2
  3773	Nov 24 07:52:08 LinuxRouter sshd[14829]: Failed password for invalid user root from 222.33.200.210 port 41611 ssh2
  3774	Nov 24 07:52:11 LinuxRouter sshd[14831]: Failed password for invalid user root from 222.33.200.210 port 42083 ssh2
  3775	Nov 24 07:52:13 LinuxRouter sshd[14833]: Failed password for invalid user root from 222.33.200.210 port 42511 ssh2
  3776	Nov 24 07:55:14 LinuxRouter sshd[14835]: Failed password for invalid user root from 61.168.227.12 port 54702 ssh2
  3777	Nov 24 07:55:16 LinuxRouter sshd[14837]: Failed password for invalid user root from 61.168.227.12 port 55710 ssh2
....
  4072	Nov 24 08:08:09 LinuxRouter sshd[15427]: Failed password for invalid user root from 61.168.227.12 port 40978 ssh2
  4073	Nov 24 08:08:11 LinuxRouter sshd[15429]: Failed password for invalid user root from 61.168.227.12 port 41393 ssh2
  4074	Nov 24 08:08:14 LinuxRouter sshd[15431]: Failed password for invalid user dasusr1 from 61.168.227.12 port 41764 ssh2
  4075	Nov 24 08:08:16 LinuxRouter sshd[15433]: Failed password for invalid user install from 61.168.227.12 port 42240 ssh2
  4076	Nov 24 08:23:22 LinuxRouter sshd[15667]: Failed password for invalid user PlcmSpIp from 203.126.53.110 port 59545 ssh2
  4077	Nov 24 08:23:25 LinuxRouter sshd[15669]: Failed password for invalid user plcmspip from 203.126.53.110 port 60371 ssh2
  4078	Nov 24 08:23:27 LinuxRouter sshd[15671]: Failed password for invalid user plcmspip from 203.126.53.110 port 33000 ssh2
  4079	Nov 24 08:23:30 LinuxRouter sshd[15673]: Failed password for invalid user db2inst1 from 203.126.53.110 port 33797 ssh2

203.98.181.132这个IP地址攻击了3112次，其它的IP也攻击了几百次。
根据man sshd，我在sshd_config中配置了MaxStartups 3:50:6，但是我希望的效果是同一IP地址3次尝试失败，自动停止响应该IP15分钟。尽管这样会导致拒绝服务。这应该怎样设置才能实现呢？

[hasee.wu]

防火墙脚本,佛珠老太写的,很给力:
viewtopic.php?f=166&t=302640&hilit=ssh

[giveup]

防火墙脚本,佛珠老太写的,很给力:
viewtopic.php?f=166&t=302640&hilit=ssh

脚本不错。有借鉴意义。只是不能自动添加和删除IP。
我印象中在ubuntu 9.10时sshd有这个功能，似乎安装一个john或者crack之类的，同一IP密码验证失败3次后就在一定时间内对这个IP不再响应。

现在处理办法就是用cron脚本，从晚上2点到早上7点停止和启动sshd服务。这段时间就算是睡觉了。

[eexpress]

ConnectionAttempts ?

[hasee.wu]

1. 改ssh默认端口,做其它处理,让攻击者误认为你的系统是windows,这一点主要是针对那些对全网扫端口的攻击者
2. 和ubuntu桌面一样,让系统本身不启用root , 攻击者不清楚你的用户名,门都找不到,debian类发行版不启用root,　用sudo的好处在这里就太明显了,把你的用户名搞复杂一点点就行.
3.ssh设置中禁止root登录, PermitRootLogin no ,　效果同上,双保险
4. 改用证书登录后,再禁止普通密码登录,PasswordAuthentication no,　由于证书的位数远比采用密码的长,加上第2第3点,攻击者不清楚你的用户名,己经很安全了,唯一要保管好的,就是私钥,私钥生成时,别忘了设置密码短语,这样就算别人搞到了你的私钥,破解密码短语也要费很大的劲.
４再在以上基础上配下放火墙,　ssh并发数什么的.


再回过头来看,　99.99%的攻击都是尝试用root登录,　root帐号都没开启,完全可以不当回事.　少数试图用其它用户名登录的攻击,其采用的用户名就显得可笑.　只要你用户名不要太弱智,他猜中你用户名的可能性很小,他猜中后再穷举你证书并成功的可能性基本上没有. 生成证书时,可以用更长的设定:　-b 4096

个人感觉linux的网络安全方面,总比windows来得简单放心. win太复杂了,　一般人玩不了.

[hasee.wu]

ConnectionAttempts ?

This forces an attacker to probe your computer slowly, so it might take weeks or months to guess your password.



But it also allows an attacker to stop anybody from logging in, by flooding the server with bogus connection attempts.

[giveup]

感谢！我的想法是，SSHD从同一IP地址尝试3次错误，SSH就拒绝该IP地址访问10分钟。这两天网络太疯狂了，连白天都不放过。当然，目前还没有尝试成功的。

[hasee.wu]

某自从把ssh默认的端口从22 改为8080后，世界就清静了。

[oceanwave]

楼主,像你的这个情况,建议安装 denyhosts
sudo apt-get denyhosts

然后再稍微调整一下denyhosts配置即可.
sudo nano /etc/denyhosts.conf

这样一来,就可以自动地把攻击者的ip给封禁了. 封禁多久,你自己可以设置.

[giveup]

楼主,像你的这个情况,建议安装 denyhosts
sudo apt-get denyhosts

然后再稍微调整一下denyhosts配置即可.
sudo nano /etc/denyhosts.conf

这样一来,就可以自动地把攻击者的ip给封禁了. 封禁多久,你自己可以设置.

感谢！
回头试一下。当然，这么多天来还没有CRACK尝试成功的。

[link_01]

fail2ban,好像是这么拼，你懂的。

[bomel]

[bash]
sudo iptables -I INPUT -s 203.98.181.132 -j DROP
[/bash]

[giveup]

fail2ban,好像是这么拼，你懂的。

Yes.

sudo apt-get install fail2ban

默认打开ssh过滤。可以修改配置文件：/etc/fail2ban/jail.conf 增加其它。正是我所需要的东西。