SSH slow after configuring TCP Wrappers

Question

We have SSH open on one of our production servers leaving it prone to various brute force attacks to break in. I reduced the attempts by changing the default port from 22.

I want to further harden security by allowing ssh login from a particular country domain .in only. For this I can configure /etc/hosts.deny or /etc/hosts.allow .

For hosts.allow, I have added the following entry

sshd: in

If I use hosts.deny, then my entry is like this

sshd: !in

After configuring any one of the above, I am noticing that it takes more time to connect to the ssh server.

With verbose it is showing hanging here for some time before providing the login attempt

ssh -vv  103.8.X.X
OpenSSH_5.9p1 Debian-5ubuntu1.4, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 103.8.X.X [103.8.X.X] port 565.
debug1: Connection established.
debug1: identity file /home/amin/.ssh/id_rsa type -1
debug1: identity file /home/amin/.ssh/id_rsa-cert type -1
debug1: identity file /home/amin/.ssh/id_dsa type -1
debug1: identity file /home/amin/.ssh/id_dsa-cert type -1
debug1: identity file /home/amin/.ssh/id_ecdsa type -1
debug1: identity file /home/amin/.ssh/id_ecdsa-cert type -1  (<-- hangs here for arnd 30 secs)

It takes more time with putty , after setting rules for tcp wrappers.

Have you thought about blocking that port from IPtables to that country domain? — YoMismo, Jul 04 '14 at 09:40

Emil Vikström · Accepted Answer · 2014-07-04T09:50:56.683

Putting host names in hosts.allow or hosts.deny means the server must do a reverse DNS resolution to get the domain name for the IP address. This will affect login times if your name resolution system is slow or if some intermediary name server is slow to respond. It is faster to put the IP addresses ur subnets into the file instead, as is explained by man hosts.allow:

   The examples use host and domain names. They can be improved by includ‐
   ing address and/or network/netmask information, to reduce the impact of
   temporary name server lookup failures.

Another way to prevent bruteforce login attacks are to install a program called fail2ban. The program will keep track of failed login attempts and temporarily block the IP address after it fails too many times. This way you don't really need to block logins based on country anymore. Allowing only three or four failed login attempts per hour will make a bruteforce attack impossible even for large botnets.

Although not quite "impossible" and more "not viable" -- chances are the botnet controller will note the vastly reduced response rate, deduce that there's a firewall blocking him and go look for a better target. — Shadur, Jul 04 '14 at 10:23
Well, there's always the possibility that a bruteforce attack gets it right on the first try... But even a botnet with ten million machines would only be able to try 11k passwords per second with a one hour ban after four failed attempts. I won't include the math but a lowercase a-z password with 12 chars would still take 140k years on average. — Emil Vikström, Jul 04 '14 at 10:57

SSH slow after configuring TCP Wrappers

1 Answers1