After just one day of leaving my Linux server online, I've detected intrusion attempts by checking the logs (/var/log/auth.log). Here is what an intrusion attempt looks like:
```
...
Aug 31 23:21:25 localhost sshd[4558]: User root not allowed because not listed in AllowUsers
Aug 31 23:21:28 localhost sshd[4560]: Illegal user admin from ::ffff:206.113.121.118
Aug 31 23:21:31 localhost sshd[4562]: Illegal user test from ::ffff:206.113.121.118
Aug 31 23:21:36 localhost sshd[4564]: Illegal user guest from ::ffff:206.113.121.118
Aug 31 23:21:39 localhost sshd[4566]: Illegal user webmaster from ::ffff:206.113.121.118
Aug 31 23:21:44 localhost sshd[4568]: Illegal user mysql from ::ffff:206.113.121.118
Aug 31 23:21:47 localhost sshd[4570]: Illegal user oracle from ::ffff:206.113.121.118
Aug 31 23:21:49 localhost sshd[4572]: Illegal user library from ::ffff:206.113.121.118
Aug 31 23:21:52 localhost sshd[4574]: Illegal user info from ::ffff:206.113.121.118
Aug 31 23:21:55 localhost sshd[4576]: Illegal user shell from ::ffff:206.113.121.118
Aug 31 23:21:59 localhost sshd[4578]: Illegal user linux from ::ffff:206.113.121.118
Aug 31 23:22:01 localhost sshd[4580]: Illegal user unix from ::ffff:206.113.121.118
Aug 31 23:22:05 localhost sshd[4582]: Illegal user webadmin from ::ffff:206.113.121.118
Aug 31 23:22:08 localhost sshd[4584]: Illegal user ftp from ::ffff:206.113.121.118
Aug 31 23:22:12 localhost sshd[4586]: Illegal user test from ::ffff:206.113.121.118
Aug 31 23:22:15 localhost sshd[4588]: User root not allowed because not listed in AllowUsers
Aug 31 23:22:18 localhost sshd[4590]: Illegal user admin from ::ffff:206.113.121.118
Aug 31 23:22:21 localhost sshd[4592]: Illegal user guest from ::ffff:206.113.121.118
Aug 31 23:22:25 localhost sshd[4594]: Illegal user master from ::ffff:206.113.121.118
Aug 31 23:22:28 localhost sshd[4596]: Illegal user apache from ::ffff:206.113.121.118
Aug 31 23:22:33 localhost sshd[4598]: User root not allowed because not listed in AllowUsers
Aug 31 23:22:37 localhost sshd[4600]: User root not allowed because not listed in AllowUsers
Aug 31 23:22:40 localhost sshd[4602]: User root not allowed because not listed in AllowUsers
...
```
I've already taken some precautions against this, but today I went back to the sshd_config manual page to see whether I could do more.
It would be really nice if sshd could automatically blacklist an IP address that fails a given number of attempts.
I find it really strange that it does not have this feature.
Anyway, in my previous post Security Paranoia I already mentioned an option called MaxStartups. The man page says:
MaxStartups: Specifies the maximum number of concurrent unauthenticated connections to the sshd daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10. Alternatively, random early drop can be enabled by specifying the three colon separated values "start:rate:full" (e.g., "10:30:60"). sshd will refuse connection attempts with a probability of "rate/100" (30%) if there are currently "start" (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches "full" (60).
Really explicative.
So I decided for this setting:
MaxStartups 1:100:1
I forgot to say that, after modifying the file /etc/ssh/sshd_config, you have to restart the ssh daemon with: /etc/init.d/ssh restart
Only one connection at a time. Once one (the first) unauthenticated connection is open, any further connection has a 100% probability of being dropped, and the maximum number of unauthenticated connections allowed is 1. In other words: one try at a time, and no more. So multithreaded bots should have some more difficulty next time.
If someone knows how to tell sshd (or the firewall) to ban an IP address after, let's say, 3 failed attempts, I would really appreciate it.
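The random early drop semantics quoted from the man page, as an added example that is not code from the original post: it models the documented start:rate:full behaviour (a model, not sshd's own implementation) and shows what 1:100:1 means in practice, including its cost. While one unauthenticated connection is pending, which can last up to LoginGraceTime, every other connection, including the administrator's, is refused.

```python
import random


def parse_max_startups(value: str) -> tuple:
    """Parse 'N' or 'start:rate:full' into (start, rate, full)."""
    parts = [int(p) for p in value.split(":")]
    if len(parts) == 1:  # plain number: every connection beyond it is dropped
        return parts[0], 100, parts[0]
    if len(parts) != 3 or not 0 < parts[0] <= parts[2] or not 0 <= parts[1] <= 100:
        raise ValueError(f"bad MaxStartups value: {value!r}")
    return parts[0], parts[1], parts[2]


def refusal_probability(value: str, pending: int) -> float:
    """Probability (0.0-1.0) that sshd refuses a new connection while
    `pending` unauthenticated connections are already open."""
    start, rate, full = parse_max_startups(value)
    if pending < start:
        return 0.0
    if pending >= full:
        return 1.0
    # Linear ramp from rate% at `start` to 100% at `full`, as the man page says.
    return (rate + (100 - rate) * (pending - start) / (full - start)) / 100


def accepted_in_burst(value: str, burst: int, seed: int = 0) -> int:
    """Simulate `burst` connections arriving while none of them authenticates
    (the bot scenario in the log above) and return how many sshd lets in."""
    rng = random.Random(seed)  # seeded so runs are reproducible
    pending = 0
    for _ in range(burst):
        if rng.random() >= refusal_probability(value, pending):
            pending += 1
    return pending


if __name__ == "__main__":
    for setting in ("10", "10:30:60", "1:100:1"):
        print(setting, "->", accepted_in_burst(setting, 50), "of 50 accepted")
```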
http://denyhosts.sourceforge.net/ will blacklist IPs with too many failed connection attempts
or use `hashlimit` in `iptables`
```sh
# Accepts at most one NEW SSH connection per minute per source address (plus the default burst);
# pair it with a following rule that drops the remaining NEW connections to port 22.
iptables -I INPUT -m hashlimit -m tcp -p tcp --dport 22 --hashlimit 1/min \
  --hashlimit-mode srcip --hashlimit-name ssh -m state --state NEW -j ACCEPT
```
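The "ban after 3 failed attempts" logic the post asks for and the comments answer, as an added example that is neither the post's code nor DenyHosts: it parses auth.log lines in the format shown above, counts failures per source address inside a sliding window, and reports the sources that reached the threshold. The sample lines are constructed (documentation addresses), and a year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd failure messages that carry the remote address. The "User root not
# allowed ... AllowUsers" line in the post has no address and is ignored.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Illegal user \S+|Invalid user \S+|Failed password for (?:invalid user )?\S+) "
    r"from (?:::ffff:)?(?P<ip>[0-9a-fA-F.:]+)"
)

# Constructed sample in the format shown in the post (documentation addresses).
SAMPLE_LOG = """\
Aug 31 23:21:25 localhost sshd[4558]: User root not allowed because not listed in AllowUsers
Aug 31 23:21:28 localhost sshd[4560]: Illegal user admin from ::ffff:192.0.2.10
Aug 31 23:21:31 localhost sshd[4562]: Illegal user test from ::ffff:192.0.2.10
Aug 31 23:21:36 localhost sshd[4564]: Illegal user guest from ::ffff:192.0.2.10
Aug 31 23:21:39 localhost sshd[4566]: Failed password for invalid user oracle from 192.0.2.10 port 40112 ssh2
Aug 31 23:30:00 localhost sshd[4570]: Invalid user bob from 198.51.100.7
Aug 31 23:45:00 localhost sshd[4572]: Invalid user bob from 198.51.100.7
Sep  1 00:00:00 localhost sshd[4574]: Invalid user bob from 198.51.100.7
Sep  1 00:05:00 localhost sshd[4580]: Accepted publickey for alice from 203.0.113.5 port 50000 ssh2
""".splitlines()


def parse_failure(line: str, year: int = 2007):
    """Return (timestamp, source_ip) for a failed attempt, else None."""
    m = FAILURE_RE.search(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]


def offenders(lines, threshold: int = 3, window_minutes: int = 10, year: int = 2007):
    """Map source IP -> failures inside the window, for every source that reached
    `threshold` failures within `window_minutes` (the ban criterion)."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(list)  # ip -> timestamps still inside the window
    hits = {}
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed is None:
            continue
        ts, ip = parsed
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= threshold:
            hits[ip] = len(recent[ip])
    return hits
```

Running `offenders(SAMPLE_LOG)` flags only 192.0.2.10; the three failures from 198.51.100.7 are 15 minutes apart, so they never fall inside one 10-minute window, which is exactly the kind of slow scan a plain counter would over- or under-react to depending on where it resets.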