SecureCRT is a great SSH and telnet terminal client. It’s not free, but for the price, it’s well worth it. It handles ssh2 very nicely, and has a username system that’s better than PuTTY, in my opinion.
The only thing that I don’t like about it is that it makes a little beep by default when you hit certain keys. For example, if you type cd somedir and hit tab, it’ll autofill what it can (the functionality actually comes from the Linux shell); however, if it can’t complete a filename because there are two similar ones, it’ll play a little beep. As with another post of mine, little beeps for things are extremely annoying when I’m wearing headphones, so here’s how to remove the beep in SecureCRT version 3.3 (I realize this is an old version, but I’ve never needed to upgrade):
Go to Options -> Session Options. Click on “Options” and uncheck “Audio Bell”.
This will remove that little beep in most situations.
Over the past week, there have been 10 separate attempts to do a brute force attack on my server. Each day, I’d check my logs and manually ban the IP address responsible for the attempted crack. They’ve been attempting to break in through SSH and FTP.
While they didn’t succeed in breaking in, they did succeed in slowing down the server to the point that it was unresponsive for a few minutes during each attack.
Fortunately, iptables has a cool feature that tracks recent connections. You tell it how many connection attempts to allow from a particular IP address within a length of time, and if that number is exceeded, that IP address is banned for the specified amount of time.
It consists of 2 easy commands. The first one sets up the recent table:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
In this case, it’s looking for connections on port 22 (SSH). Do the same for any other port that you want to limit like this, such as your FTP ports.
The next command tells it to drop packets that exceed your specifications:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 -j DROP
This tells iptables to drop the 3rd connection from a particular IP address if it happens within 60 seconds of the previous 2. You’ll probably want to set it a little harsher than that, such as 3-5 minutes, or, if you really want to be strict, an hour or more. The downside is that the longer the timeframe, the greater the chance that a legitimate person will get blocked because they mistyped their password a couple of times.
I’ve found that a range of 3-5 minutes is enough. My logs show a couple of attempts, 5 minutes later, a couple more, 5 minutes later, a couple more. The rest are just dropped. My server doesn’t slow down in the slightest with this kind of load, and I believe it’ll take the crackers a few hundred years to break a password at 2 attempts every 3-5 minutes.
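The post says to repeat the two rules for every port you want to limit. As an added example (not the author's own script), this shell function prints the rule pair for a list of ports so it can be reviewed before being applied; the per-port `--name` lists (`limit_22`, `limit_21`), FTP on port 21 and the 300-second window are assumptions.

```shell
#!/bin/sh
# Added example: print the --set / --update rule pair from the post for
# several ports. Nothing is applied; review the output, then run it as root.
# Assumptions (not from the post): list names "limit_<port>", FTP on port 21,
# and a 300-second (5-minute) window.

IFACE="eth0"     # interface used in the post's commands
WINDOW=300       # seconds; the post suggests 3-5 minutes
HITCOUNT=2       # same hit count as the post
PORTS="22 21"    # SSH, plus the FTP control port (assumed)

# Succeeds only for a non-empty string of digits.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
}

# recent_rules PORT WINDOW HITCOUNT: print the two rules for one port.
recent_rules() {
    rr_port=$1; rr_window=$2; rr_hits=$3
    for rr_arg in "$rr_port" "$rr_window" "$rr_hits"; do
        is_uint "$rr_arg" || { echo "not a number: $rr_arg" >&2; return 1; }
    done
    if [ "$rr_port" -lt 1 ] || [ "$rr_port" -gt 65535 ]; then
        echo "port out of range: $rr_port" >&2
        return 1
    fi
    # --name gives each port its own list, so SSH hits do not count against FTP.
    rr_match="-p tcp --dport $rr_port -i $IFACE -m state --state NEW -m recent --name limit_$rr_port"
    # Both rules use -I (insert at top), so the rule printed second ends up
    # first in the chain: a new connection is checked against the limit first
    # and reaches the --set rule only if it was not dropped.
    echo "iptables -I INPUT $rr_match --set"
    echo "iptables -I INPUT $rr_match --update --seconds $rr_window --hitcount $rr_hits -j DROP"
}

for port in $PORTS; do
    recent_rules "$port" "$WINDOW" "$HITCOUNT"
done
```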