15

I have a Google Compute Engine VM, running Ubuntu, and utilising Laravel Forge.

I seem to get blocked by the VM after accessing SSH a few times (2-4), even if I'm logging in correctly. Restarting the VM unblocks me.

I first noticed the issue as I was having trouble logging into SSH; after a few attempts it would become unreachable. My website hosted on it also wouldn't resolve. After restarting the VM, I could try to log into SSH again and my website works. This happened a couple of times before I figured out how to correctly log in with SSH.

Next, trying to log in to the database with HeidiSQL, which uses plink, I log in fine. But it seems to keep reconnecting via SSH every time I do something, and after 2-4 of these reconnects, I get the same problem with the VM being unreachable by SSH and my website hosted on it being down.

Using SQLyog, which seems to maintain the one SSH connection, rather than constantly reconnecting like HeidiSQL, I have no problems.

When my website is down, I use those "down for everyone or just me" websites to see if it is down, and apparently it's just down for me, so I must be getting blocked.

So I guess my questions are:

1. Is this normal?
2. Can I unblock myself without restarting the VM?
3. Can I make blocking occur in a less strict way?
4. Why does HeidiSQL keep reconnecting via SSH rather than maintaining the one connection like SQLyog seems to?

Rhangaun
Tesla

1 Answer

24

You have encountered sshguard, which is enabled by default on the GCE Ubuntu images (at least on the 14.10 image, where I encountered it myself). There is a whitelist file at /etc/sshguard/whitelist.

The sshguard default configuration on my VM has a "dangerousness" threshold of 40. Most "attacks" that sshguard detects incur dangerousness of 10, so getting blocked after 4 reconnects sounds about right.

The attack signatures are listed here: http://www.sshguard.net/docs/reference/attack-signatures/

I would bet that you are connecting from an IP that has an invalid reverse DNS configuration (I was). Four connects like that and the default config blocks you for 20 minutes.

Marko Karppinen
  • Sounds spot on. So what did you end up doing to avoid this happening? Add your ip to the whitelist? – Tesla Nov 11 '14 at 06:41
  • Yes, I added my IP to the whitelist as I don't control my cable modem's reverse DNS and so couldn't fix that. Note that adding the (failing-to-resolve) hostname to the whitelist doesn't work: it needs to be the IP address. – Marko Karppinen Nov 11 '14 at 11:40
  • You can edit sshguard's whitelist at `/etc/sshguard/whitelist`. Its format is documented at [https://www.sshguard.net/docs/whitelist/](https://www.sshguard.net/docs/whitelist/). After making changes, restart sshguard with `sudo service sshguard restart` – The Mighty Chris Feb 22 '18 at 18:06
  • In Ubuntu 18.04 LTS I didn't have to restart sshguard after adding my IP to the whitelist. I connected via a different IP, added the problem IP to the whitelist file, saved, exited and hit go on the other IP's connection and connected instantly. This was well within the 20 minute window. – i-CONICA Jul 11 '18 at 11:09
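
Added example (not part of the original answer or comments, and not sshguard's own code): a small Python check for the whitelist fix discussed above. It reports hostname entries, which per the comment above should be replaced with the IP address, and appends a client IP only when no existing address or CIDR entry already covers it. The function names and sample entries are hypothetical, and the file is assumed to hold one entry per line with `#` comment lines.

```python
import ipaddress

# Constructed sample whitelist (documentation address ranges, not from the page).
SAMPLE = """\
# office and loopback
127.0.0.0/8
198.51.100.0/24
cable-modem.example.net
"""

def parse_whitelist(text):
    """Return (networks, hostnames) from whitelist text; '#' lines are comments."""
    networks, hostnames = [], []
    for line in text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            # A bare address becomes a single-host network (/32 or /128).
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            hostnames.append(entry)  # not an IP or CIDR block
    return networks, hostnames

def is_whitelisted(text, client_ip):
    """True if client_ip falls inside any IP or CIDR entry."""
    addr = ipaddress.ip_address(client_ip)
    networks, _ = parse_whitelist(text)
    return any(addr in net for net in networks)

def add_ip(text, client_ip):
    """Return whitelist text with client_ip appended unless already covered."""
    addr = ipaddress.ip_address(client_ip)  # ValueError if given a hostname
    if is_whitelisted(text, client_ip):
        return text
    if text and not text.endswith("\n"):
        text += "\n"
    return f"{text}{addr}\n"

if __name__ == "__main__":
    _, hostnames = parse_whitelist(SAMPLE)
    print("hostname entries to replace with IPs:", hostnames)
    print(add_ip(SAMPLE, "203.0.113.7"), end="")
```

To apply it to the real file, read `/etc/sshguard/whitelist`, pass its contents to `add_ip`, and write the result back as root.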