I'm running Red Hat 9 as a file/print server and also as a router to my network here. I'm also running PuTTY so that I can log in as root from the internal network. My firewall is iptables rules. Since this machine is connected to the Internet, if I look into /var/log/secure I see that there are a lot of "hackers" trying to get into this server.
I would like to set up security so that if a person (hacker) cannot log in within three attempts, they are "locked out" from trying over and over. I believe Windows servers do this.
I am somewhat of a newbie to Linux. I haven't touched this server for a while (it just keeps working without any problems -- if it's not broken don't fix it).
Firstly, I suspect the login error messages you are receiving are from an OpenSSH connection running on port 22, which is controlled by the sshd daemon. If they are not, and are instead connections using a Telnet daemon, then stop reading this now and go and disable it: Telnet is a clear-text protocol and is not a secure way to administer your system. It is easy for an attacker to sniff your username and password when you sign in. You should be using a secure connection such as that provided by OpenSSH.
The fastest way to mitigate this issue is to bind your sshd daemon only to the IP address of your internal network interface. This means you can only connect to sshd from the internal network, not from the Internet. You should only expose an OpenSSH port on your Internet interface if you absolutely require Internet-facing access to this host. If you do require this access, then read on for additional security precautions you can take with your SSH connections by editing your sshd configuration file.
To disable the SSHD daemon on your Internet-facing interface, you need to edit the sshd_config file. On a Red Hat system this file is located in the /etc/ssh directory. You need to edit or add a directive in this file to only bind sshd to a particular IP address when it is started. The directive required is:
ListenAddress <ip address>
Replace <ip address> with the IP address of your internal network interface and then restart your sshd daemon. You can confirm this has worked by checking which ports are open on your interfaces using the "nmap" or "netstat" commands. Another way to stop this access would be to use an iptables rule to block SSH access on your Internet-facing IP address.
There are quite a few other ways you can further secure your sshd and SSH connections. I recommend reading the sshd_config man page (type: man sshd_config) for further information. The particular directives you might be interested in are AllowUsers, AllowGroups, DenyUsers, DenyGroups and especially MaxAuthTries. Lastly, I recommend that you do not use the root user to log in to your system directly (see the PermitRootLogin directive for how to disable this). You should log in as a normal user and then use the "su" command to change to the root user, or, even better, use a tool like sudo instead of using the root user to administer your system.
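As an added example that is not part of the original answer, the following POSIX shell script audits an sshd_config file for the directives discussed above (ListenAddress, PermitRootLogin, MaxAuthTries and AllowUsers/AllowGroups) and prints one line per weak setting. The internal address 192.168.1.1 and the three sample configuration files are constructed for illustration; on a real host you would run audit_sshd_config against /etc/ssh/sshd_config with your own LAN address.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the hardening directives
# discussed in the answer above. Not part of the original answer.

# sshd_conf_value FILE KEYWORD -> effective value of KEYWORD.
# sshd keywords are case-insensitive and, ListenAddress aside, the first
# occurrence of a keyword wins, so stop at the first uncommented match.
sshd_conf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE INTERNAL_IP -> one finding per line on stdout.
audit_sshd_config() {
    cfg="$1"; internal="$2"

    # ListenAddress may appear several times; absent means every interface,
    # including the Internet-facing one. Compared literally (no port suffix).
    listen=$(awk '/^[ \t]*#/ || NF < 2 { next }
                  tolower($1) == "listenaddress" { print $2 }' "$cfg")
    if [ -z "$listen" ]; then
        echo "ListenAddress: not set, sshd listens on all interfaces"
    else
        for addr in $listen; do
            [ "$addr" = "$internal" ] ||
                echo "ListenAddress: $addr is not the internal address $internal"
        done
    fi

    # PermitRootLogin defaulted to yes on OpenSSH of that era; require "no".
    root=$(sshd_conf_value "$cfg" PermitRootLogin)
    [ "$root" = "no" ] ||
        echo "PermitRootLogin: ${root:-default (yes)}, should be no"

    # MaxAuthTries defaults to 6; the questioner wants three attempts.
    tries=$(sshd_conf_value "$cfg" MaxAuthTries)
    if [ -z "$tries" ] || [ "$tries" -gt 3 ]; then
        echo "MaxAuthTries: ${tries:-default (6)}, should be 3 or fewer"
    fi

    # Without AllowUsers/AllowGroups every local account may log in over SSH.
    if [ -z "$(sshd_conf_value "$cfg" AllowUsers)" ] &&
       [ -z "$(sshd_conf_value "$cfg" AllowGroups)" ]; then
        echo "AllowUsers/AllowGroups: neither set, every account may log in"
    fi
    return 0
}

# count_findings FILE INTERNAL_IP -> number of findings (always exits 0).
count_findings() {
    audit_sshd_config "$1" "$2" | awk 'END { print NR }'
}

# Constructed sample configurations (not taken from any real host).
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# Stock-looking sshd_config: every restricting directive left commented out
Port 22
Protocol 2,1
#ListenAddress 0.0.0.0
#PermitRootLogin yes
SyslogFacility AUTHPRIV
EOF

MIXED_CFG=$(mktemp)
cat > "$MIXED_CFG" <<'EOF'
# Partly hardened: still bound to all interfaces, default MaxAuthTries
ListenAddress 0.0.0.0
ListenAddress 192.168.1.1
PermitRootLogin no
AllowGroups wheel
EOF

HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
# Hardened as the answer recommends, with 192.168.1.1 as the LAN address
Port 22
Protocol 2
ListenAddress 192.168.1.1
PermitRootLogin no
MaxAuthTries 3
AllowUsers admin
EOF

echo "findings in weak config:";  audit_sshd_config "$WEAK_CFG"  192.168.1.1
echo "findings in mixed config:"; audit_sshd_config "$MIXED_CFG" 192.168.1.1
echo "findings in hardened config: $(count_findings "$HARD_CFG" 192.168.1.1)"
```

After editing the real file, `sshd -t` checks the syntax and `service sshd restart` applies it on Red Hat 9; `netstat -tln` should then show port 22 only on the internal address. The iptables alternative the answer mentions is a rule of the form `iptables -A INPUT -i <external interface> -p tcp --dport 22 -j DROP`, placed before any rule that accepts port 22.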
This was first published in July 2005