SSH Security with Fail2Ban on Gentoo


I accidentally looked at my syslog messages on my home (Gentoo) Linux server and found that there were thousands of SSH connection attempts from all over the world: people trying to brute-force my root password. The worst bit was that it was filling up my logs and causing lots of things to die when the computer ran out of disk space. It took a bit of playing around to get this to stop, but in case you run across the same situation, I’ve documented what I did:

  • Make sure you have the tcpd USE flag enabled on net-misc/openssh (the hostsdeny action used below only works if sshd honours /etc/hosts.deny through TCP wrappers). If you don’t, the easiest way to add it is with the command echo "net-misc/openssh tcpd" >> /etc/portage/package.use, then re-emerge openssh.
  • Emerge fail2ban
  • If you’re using syslog-ng, you need to configure it to write sshd messages to a separate file (which reduces load on the server) by adding the following lines to /etc/syslog-ng/syslog-ng.conf
    filter f_sshd { match('^sshd\[[0-9]+\]:'); };
    destination sshd { file("/var/log/sshd.log"); };
    log { source(src); filter(f_sshd); destination(sshd); flags(final); };
  • Enable the ssh-tcpwrapper jail in /etc/fail2ban/jail.conf, checking that logpath points to the log file you configured above. It should end up looking something like

    [ssh-tcpwrapper]
    enabled = true
    filter = sshd
    action = hostsdeny
    logpath = /var/log/sshd.log
  • Set up the hosts allow/deny files (if you don’t have them already) by running the following commands in bash

    touch /etc/hosts.allow
    touch /etc/hosts.deny
    chmod 644 /etc/hosts.allow
    chmod 644 /etc/hosts.deny
  • Reload syslog-ng with /etc/init.d/syslog-ng reload, restart openssh with /etc/init.d/sshd restart, and start fail2ban (and add it to the default runlevel so it comes back after a reboot) with /etc/init.d/fail2ban start && rc-update add fail2ban default

That should do it. I also recommend disabling root login (PermitRootLogin no) and disabling password authentication (PasswordAuthentication no) in your /etc/ssh/sshd_config file, so that the brute-force attempts have nothing to guess at in the first place.
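As an added illustration (not part of the original post or of fail2ban itself), the following POSIX shell script shows what the ssh-tcpwrapper jail does with the log file above: it counts "Failed password" lines per source address in the sshd log, using the same sshd[pid]: pattern as the syslog-ng filter, and appends a hosts.deny entry for every address that reaches maxretry. The sample log lines and addresses are constructed, the file paths are scratch files under a temp directory, and the "ALL: ip" entry format is an assumption about what the hostsdeny action writes.

```shell
#!/bin/sh
# Constructed sample of what syslog-ng writes to /var/log/sshd.log.
# Addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG='Aug  7 03:10:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 40212 ssh2
Aug  7 03:10:03 host sshd[2101]: Failed password for root from 203.0.113.5 port 40213 ssh2
Aug  7 03:10:05 host sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40214 ssh2
Aug  7 03:10:06 host sshd[2105]: Failed password for invalid user test from 198.51.100.7 port 51000 ssh2
Aug  7 03:10:09 host sshd[2107]: Accepted publickey for alice from 192.0.2.10 port 53000 ssh2
Aug  7 03:10:11 host sshd[2108]: Failed password for root from 203.0.113.5 port 40215 ssh2'

# offenders LOGFILE MAXRETRY
# Prints "count ip" for every source address with at least MAXRETRY
# failed-password lines: the check the sshd filter plus maxretry perform.
offenders() {
    grep -E 'sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port' "$1" \
        | sed -E 's/.* from ([0-9.]+) port.*/\1/' \
        | sort | uniq -c \
        | awk -v max="$2" '$1 >= max { print $1, $2 }'
}

# ban_in_hostsdeny DENYFILE IP
# Appends a hosts_access(5) style entry, skipping addresses already present.
# "ALL: ip" is an assumed format; fail2ban's hostsdeny action writes an
# equivalent line to /etc/hosts.deny.
ban_in_hostsdeny() {
    grep -qxF "ALL: $2" "$1" 2>/dev/null || printf 'ALL: %s\n' "$2" >> "$1"
}

# run_demo: writes the sample log and a scratch hosts.deny under a temp
# directory, bans every offender at maxretry=3 and prints the deny file.
run_demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_LOG" > "$dir/sshd.log"
    : > "$dir/hosts.deny"
    offenders "$dir/sshd.log" 3 | while read -r count ip; do
        ban_in_hostsdeny "$dir/hosts.deny" "$ip"
    done
    cat "$dir/hosts.deny"
    rm -rf "$dir"
}

run_demo
```

Only 203.0.113.5 crosses the threshold in the sample (four failures, one of them for an invalid user), so the scratch hosts.deny ends up containing a single "ALL: 203.0.113.5" line; 198.51.100.7 with one failure is left alone.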

  1. #1 by Gufo on 2009-08-07 - 3:36 am

    If feasible, changing the default port is one of the most effective ways to get rid of the vast majority of attempts, without the need to use any external program. 🙂 Gufo

  2. #2 by Martin on 2010-06-14 - 11:03 pm

    When you use fail2ban, you can create abuse reports about the attacks via my project http://www.blocklist.de/en/ so the abuse departments get a complaint in X-ARF. You have statistics about your server and can replace data and more. Regards, Martin
