Banning “problem countries” from your Linux server

It’s not a secret that these days most server hacking attempts originate from Chinese IP addresses. A lot of attempts originate from other countries like South Korea and Indonesia as well. It seems that in those countries (cyber-)law enforcement and technological advancement don’t correlate. I agree that a server has to be able to withstand non-flooding attacks just by using a proper and secure server configuration. But what if almost all traffic from those countries consists of automated vulnerability scans? The attackers continually check for known holes in your web server and web applications, look for open mail relays, brute-force FTP and SSH services and so on. The trade-off in blocking whole IP ranges from those countries is that you’re going to block some genuine requests too, which could be seen as some kind of information technology racism, a term I just invented today :-)

If you’re a Linux administrator who favours banning hacker traffic, you may want to have a look at T. Tsujikawa’s KRFILTER page. He offers various IP address lists for preventing certain Asian countries from accessing your server using iptables.

Securing SSH from brute-force attacks

An easy way to mitigate brute-force attacks on your SSH service is to temporarily drop new connections from a host after a defined number of connection attempts in a certain timeframe. Be careful however if you have a lot of users accessing your server using SSH, as users tend to mistype or forget their passwords. The solution doesn’t really prevent brute-force attacks, but it slows them down to a rate where the chance of hitting a password is very low (as long as you use secure passwords, that is). It can’t and won’t differentiate between valid and invalid connection attempts.

# Both rules are inserted at the top of INPUT with -I, so the DROP rule (added second) ends up before the --set rule.
# --set records every NEW connection to port 22; --update drops the attempt once 4 hits from the same address fall within 60 seconds.
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
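To see exactly which attempts the two rules above drop, here is an added simulation of the recent-module bookkeeping (my own example, not code from the post or from the iptables project); it assumes the documented xt_recent semantics and uses constructed sample traffic from documentation address ranges:

```python
"""Model of the post's two '-m recent' rules (not kernel code; an added example):
   -m recent --update --seconds 60 --hitcount 4 -j DROP   (ends up first: both use -I)
   -m recent --set                                         (records every NEW packet)
Assumed semantics follow the xt_recent documentation: the DROP rule matches when at
least --hitcount stamps for the source fall inside --seconds, and --update adds a new
stamp whenever it matches; --set always adds one. Times are in seconds."""
from collections import defaultdict

WINDOW_SECONDS = 60   # --seconds 60
HITCOUNT = 4          # --hitcount 4
LIST_SIZE = 20        # xt_recent default ip_pkt_list_tot: stamps kept per address


class RecentTable:
    def __init__(self):
        self.stamps = defaultdict(list)   # source address -> recorded packet times

    def _record(self, src, now):
        stamps = self.stamps[src]
        stamps.append(now)
        del stamps[:-LIST_SIZE]           # oldest stamps are overwritten

    def new_connection(self, src, now):
        """Verdict for one NEW TCP/22 packet from src at time now."""
        # Rule 1 (--update ... -j DROP): only addresses already in the list can match.
        if src in self.stamps:
            hits = sum(1 for t in self.stamps[src] if now - t < WINDOW_SECONDS)
            if hits >= HITCOUNT:
                self._record(src, now)    # --update: each dropped attempt extends the lockout
                return "DROP"
        # Rule 2 (--set): record this attempt; creates the entry on first sight.
        self._record(src, now)
        return "ACCEPT"


def simulate(events):
    """events: (time_seconds, src_ip) NEW connection attempts in time order.
    Returns one verdict per event."""
    table = RecentTable()
    return [table.new_connection(src, t) for t, src in events]


if __name__ == "__main__":
    # Constructed sample: a brute-forcer trying every 2 s, and an admin who mistypes
    # a password twice. Addresses are from documentation ranges, not real hosts.
    attacker = [(2 * i, "203.0.113.7") for i in range(8)]
    admin = [(5, "198.51.100.2"), (9, "198.51.100.2"), (12, "198.51.100.2")]
    events = sorted(attacker + admin)
    for (t, src), verdict in zip(events, simulate(events)):
        print(f"t={t:3d}s  {src:14s}  {verdict}")
```

Only the fifth new connection within 60 seconds from one address is dropped, and the admin's three retries go through untouched. An address that keeps retrying at least four times a minute stays locked out, while one that waits until its stamps age out of the window gets back in, which is why the rule slows attacks down rather than stopping them.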

Don’t allow SSH login as root

Oh, and one more thing: don’t ever allow root to log in to your server remotely. Most brute-force SSH (and FTP) attacks try to gain access as root. In sshd_config, set PermitRootLogin to no. From now on you have to ssh into your server as some other user with fewer privileges and, once you have logged in, type su to switch to root.