Automatic SSH Blocking

We are currently in the process of migrating our HOWTO articles to a new CCIS Knowledgebase. The content of this page has been moved to the following KB article:

KB0012110: Automatic SSH Blocking

Click here to expand the deprecated HOWTO page

Global network access

Because the CCIS Community is a global one, with students and faculty hailing from and traveling all over the world, the College has chosen to make many of our systems available from off-campus without restriction. An unfortunate side effect of this is that many of these systems are the focus of constant automated intrusion attempts by those who would like to make illegitimate use of the College’s resources to further their own ends.

In order to balance the remote access needs of the College community with the security necessary to provide useful (eg: safe, secure) services, the Systems group has implemented various security measures designed to detect and block these remote attackers. One such measure is a system which tracks failed ssh logins, and temporarily bans IP addresses from further connection attempts after they have exceeded a certain threshold for failed logins.

Lockout Thresholds

The system we use tracks authentication failures for four separate categories of accounts. Those categories are:

  • Invalid Accounts: Accounts which don’t exist on the system at all. If someone tries to log in as an invalid account then they’re either an attacker guessing random account names or the holder of a legitimate CCIS account who has misremembered his or her account name.
  • Valid Accounts: These are accounts which exist on the system. An authentication failure to one of these is presumably either from an attacker guessing passwords or the holder of a legitimate CCIS account who has misremembered his or her password.
  • Root Account: Use of the “root” or Super User account is restricted to members of the Systems group only. No one else should be attempting to log in as this account.
  • Restricted Accounts: Valid accounts on a special list which (eg: Due to their sensitivity) have a much lower authentication failure threshold (allowed number of failed logins) before a block is initiated. We do not currently use this setting for student or faculty accounts.

For each category of account, a certain number of failed authentication attempts from any given remote host are allowed before said host is blocked. The duration of the block is contingent on the rule that was triggered (eg: Valid, Invalid, etc). The rules currently in places are:

  • Invalid accounts: After 5 failed login attempts an IP address is banned for 10 days.
  • Valid accounts: After 10 failed login attempts an IP address is banned for 5 days
  • Root account: There are restrictions in place to prevent people from logging in as the root user
  • Restricted accounts: We do not currently use this feature for any non-staff accounts

While this system works well to help protect our systems from attackers, it can also lead to people unintentionally locking themselves out of a given machine (eg: if they misremember their login name or passphrase).

Accidental Lockouts

If you believe you may have accidentally locked yourself out, please read the following notes carefully:

  1. Blocks are implemented on per-host basis. ie: If you lock yourself out of login, that doesn’t affect your ability to access lab machines like bubbles or bumpnjump. Similarly, if you lock yourself out of a lab machine like bubbles, that doesn’t affect your ability to access other lab machines (like bumpnjump) or login.
  2. Blocks are implemented for ssh only. ie: Getting blocked from ssh on login will not affect your ability to browse https://my.ccs.neu.edu, or your ability to access any other CCIS resources.
  3. Blocks are by ip address. They are not by account. This often manifests as an ability to ssh from some network locations, but not others.

The implications of the above points are as follows:

  1. If you think you’ve been blocked on a specific host, the fastest and easiest way to get back up and running is to try another host.* More information on publicly accessible hosts is available on our Linux at CCIS page.
  2. Changing your password will NOT undo a block on your IP address.

*: Note that anything that you can do on one CCIS Linux host you can do on another CCIS Linux host. And you can always ssh from one CCIS Linux host to another (eg: if you need to reconnect to a long running process).

If necessary, we can check to see if your IP address is blocked on a given host (and potentially unblock it*), but we’ll need your public IP address. ie: The IP address that we (and the rest of the world) see on inbound requests from your computer. Due to Network Address Translation (common on many home and business networks) and other similar technologies, this may or may not be the IP address your computer sees itself as having.

In order to check your public IP address, use a site such as http://checkip.dyndns.com/, http://www.checkip.org/, or http://www.whatismyip.com/ to determine your public IP, then please mail your IP to systems@ccs.neu.edu, with a request that we check to see if it has been blocked from a given ssh server (eg: login.ccs.neu.edu).

*: Note, because you can easily switch from using one ssh server to another, and because blocks will automatically be expired within 24 hours, we generally only unblock IP addresses for special and extreme cases. As noted above: If you think you’ve locked yourself, please just use another machine!

Comments on this entry are closed.