[Linux]: How to stop automated bot-based SSH attacks?

Updated on September 3, 2017

I’ve often seen “Refused incoming connections” from a number of IPs in my LogWatch report. These may be hackers or automated bots trying to hack my server. How do I stop such attacks on my server? You can do this in two ways: one is blocking in the firewall, and the other is as below:

Setting up “hosts.allow” and “hosts.deny”: these act as a simple firewall too

TCP-wrapped services reference the following two files for host access control.

/etc/hosts.allow
/etc/hosts.deny

When a client request is received by a TCP-wrapped service like SSH, the two files are consulted in the following order:

1. References /etc/hosts.allow: Sequentially parses the /etc/hosts.allow file and applies the first rule specified for the corresponding service. This file contains entries for hosts which are allowed to connect to the service. If it finds a matching rule, it allows the connection. If not, it moves on to step 2.

2. References /etc/hosts.deny : Sequentially parses the /etc/hosts.deny file. This contains entries of hosts which are blocked. If it finds a matching rule, it denies the connection. If not, access to the service is granted.

Consider the scenario of allowing connections only from 192.168.0.x and denying all others. First, allow access by placing the following inside /etc/hosts.allow:

sshd: 192.168.0.* : allow

Then disallow all further access by placing this in /etc/hosts.deny :

sshd: ALL
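
The two-step lookup described above, applied to these exact rules, as an added example that is not part of the original article. It models only a subset of hosts_access(5) (IPv4 clients, `ALL`, `*`/`?` wildcards, trailing-dot prefixes and a final `allow`/`deny` option); the function names and client addresses are constructed for illustration.

```python
import fnmatch

# The page's two files, embedded as text so the example runs offline.
HOSTS_ALLOW = "sshd: 192.168.0.* : allow\n"
HOSTS_DENY = "sshd: ALL\n"

def client_matches(pattern, ip):
    """Match one client pattern (IPv4 subset of hosts_access(5))."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                 # prefix form, e.g. "192.168.0."
        return ip.startswith(pattern)
    return fnmatch.fnmatchcase(ip, pattern)   # "*" and "?" wildcards

def first_match(rules_text, daemon, ip):
    """Return the option list of the first matching rule, or None."""
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                          # malformed rule, skip it
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        if not any(d in ("ALL", daemon) for d in daemons):
            continue
        if any(client_matches(c, ip) for c in clients):
            return fields[2:]
    return None

def decide(allow_text, deny_text, daemon, ip):
    """Apply step 1 (hosts.allow), then step 2 (hosts.deny), else grant."""
    opts = first_match(allow_text, daemon, ip)
    if opts is not None:
        return "deny" if "deny" in opts else "allow"
    opts = first_match(deny_text, daemon, ip)
    if opts is not None:
        return "allow" if "allow" in opts else "deny"
    return "allow"                            # no rule in either file

if __name__ == "__main__":
    # Constructed client addresses, not taken from any real log.
    for ip in ("192.168.0.23", "192.168.10.5", "203.0.113.45"):
        print(ip, decide(HOSTS_ALLOW, HOSTS_DENY, "sshd", ip))
    print("empty hosts.deny:", decide(HOSTS_ALLOW, "", "sshd", "203.0.113.45"))
```

The last line shows why the hosts.deny entry matters: without it, a client that matches nothing in hosts.allow is still granted access. The rules only take effect when sshd is linked against the TCP Wrappers library, which `ldd "$(command -v sshd)" | grep libwrap` will show.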

For more TCP Wrappers Configuration visit here.
