Block Brute Force SSH Attempts
Methods to protect your Linux server from SSH brute force attacks using iptables, fail2ban, DenyHosts, and port changes.

If you run a Unix server on the Internet, your server will, eventually, be hit by either a script kiddie or a botnet which will try to guess SSH passwords in order to gain access to your system. Here are a number of resources and methodologies to block frequent brute force SSH attempts on your server(s).
Use IP Tables (Our Preferred Method)
We assume you have basic knowledge of iptables and the unix command line. If you don’t, be careful as you can easily lock yourself out of your own server!
Option #1 — Use IP Tables to only allow SSH access from known static subnets/hosts. If you want access to your server from a dynamic IP address (for example your hotel room or cell phone connection), this is not an option. You can also block IP addresses from various countries using the country IP address database at http://www.ipdeny.com/ipblocks/
Option #2 — Dynamically ban using IP tables. Set a rate of failures, and if that rate is exceeded, the IP address is dynamically banned for a period of time. To whitelist known good static IP addresses or IP ranges, add a line similar to this above the rulesets below:
iptables -A INPUT -s your.ip.address.here -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT

Note that Ruleset Options #1 and #2 insert their rules at the top of the INPUT chain with -I, so a whitelist rule appended with -A ends up below them. If you use one of those rulesets, add the whitelist rule with -I after the ruleset has been loaded so that it really is evaluated first.

Ruleset Option #1: Create a new chain named “autoban”.
iptables -N autoban
iptables -I INPUT -p tcp --dport 22 -j autoban
iptables -A autoban -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A autoban -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH -j DROP

Because the --set rule records a hit before the --update rule checks the count, --hitcount 2 drops the second new connection a source opens within 60 seconds. Raise --hitcount if your own users legitimately open several sessions per minute.

Ruleset Option #2:
iptables -I INPUT -p tcp -i vlan1 --dport 22 -j DROP
iptables -I INPUT -p tcp -i vlan1 --dport 22 -m state --state NEW -m limit --limit 2/min -j ACCEPT
iptables -I INPUT -p tcp -i vlan1 --dport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT

Replace vlan1 with the name of your Internet-facing interface. Each rule is inserted at the top with -I, so after the three commands the RELATED,ESTABLISHED rule is first, the rate-limited ACCEPT second and the DROP last, which is the order required.

Ruleset Option #3:
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j LOG --log-prefix "SSH_BAN "
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j DROP
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource -j ACCEPT

The two --update rules must come before the --set ... -j ACCEPT rule: a rule that both records the source and accepts the packet would otherwise accept every new connection before the hit counter is ever checked. Restricting all three rules to --state NEW keeps packets of already established sessions from being counted as hits.

To save your IP tables rulesets for use after you restart iptables or reboot, use the command:
iptables-save > /etc/sysconfig/iptables

That path is the Red Hat/CentOS convention; on Debian and Ubuntu the iptables-persistent package loads its rules from /etc/iptables/rules.v4 instead.

Change your SSH Listening Port
SSH allows you to change the listening port to a non-standard port (other than port 22). This is not really a good solution, but will make it more difficult for brute force scripts to find your SSH port without doing a port scan first.
To change the listening port, edit /etc/ssh/sshd_config and look for the line that says #Port 22. Uncomment it and change the port number to something not currently used by the system. If you use any of the iptables rulesets above, change their --dport 22 to the new port as well. Be sure to restart the SSH daemon to reload the configuration, and test the new port from a second connection before closing your current session.
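To see how the recent-match rulesets from the IP Tables section actually count hits, and why the order of the --set and --update rules matters, here is an added simulation of the --set / --update --seconds --hitcount logic (example code, not from the original post). The addresses and timestamps are constructed; --rttl and packets of established sessions are not modelled.

```python
from collections import defaultdict

# Constructed sample: five NEW SSH connection attempts as (source address, seconds)
BURST = [("203.0.113.5", 0), ("203.0.113.5", 10), ("203.0.113.5", 20),
         ("198.51.100.7", 21), ("203.0.113.5", 200)]

class Recent:
    """Minimal model of the iptables 'recent' match: hit timestamps per source."""
    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        self.stamps[src].append(now)  # --set records a hit and always matches
        return True

    def update(self, src, now, seconds, hitcount):
        # --update --seconds S --hitcount N matches when the source has N or more hits in
        # the last S seconds; a match also records this packet, so a source that keeps
        # retrying keeps extending its own ban.
        hits = [t for t in self.stamps[src] if now - t <= seconds]
        if len(hits) < hitcount:
            return False
        self.stamps[src] = hits + [now]
        return True

def run_chain(rules, attempts):
    """Evaluate (match, target) rules against NEW attempts. match is "set" or
    ("update", seconds, hitcount); target is "ACCEPT", "DROP", "LOG" (non-terminating)
    or None. "PASS" means the packet fell through the chain."""
    recent, verdicts = Recent(), []
    for src, now in attempts:
        verdict = "PASS"
        for match, target in rules:
            if match == "set":
                hit = recent.set(src, now)
            else:
                hit = recent.update(src, now, match[1], match[2])
            if hit and target in ("ACCEPT", "DROP"):
                verdict = target
                break
        verdicts.append(verdict)
    return verdicts

# Ruleset Option #1 from the page: --set, then --update --seconds 60 --hitcount 2 -j DROP
OPTION1 = [("set", None), (("update", 60, 2), "DROP")]
# Option #3 pattern with "--set -j ACCEPT" ahead of the --update checks: never drops
OPTION3_ACCEPT_FIRST = [("set", "ACCEPT"), (("update", 60, 2), "LOG"), (("update", 60, 2), "DROP")]
# Same pattern with the checks first, so the counter is consulted before accepting
OPTION3_CHECK_FIRST = [(("update", 60, 2), "LOG"), (("update", 60, 2), "DROP"), ("set", "ACCEPT")]
```

With the page's --hitcount 2, Option #1 drops the second new connection a source opens within a minute, while the check-first ordering allows two and drops the third; an accept-first ordering never drops anything.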
Turn off SSH Password Authentication
Use public-key (or SSH certificate) authentication and turn off password authentication by setting PasswordAuthentication no in /etc/ssh/sshd_config. That’ll stop them. This is not a good solution for all cases.
Install DenyHosts
DenyHosts watches the SSH log for failed logins and adds offending IP addresses to /etc/hosts.deny (TCP Wrappers). Note that OpenSSH dropped TCP Wrappers support in version 6.7, so check that your sshd still honours hosts.deny. Homepage: http://denyhosts.sourceforge.net/
Install fail2ban
Fail2ban scans log files for failed logins and bans the offending addresses with firewall rules. It can also be used for other services such as FTP, IMAP, POP3, and others. Homepage: http://www.fail2ban.org/wiki/index.php/Main_Page
Install SSHGuard
SSHGuard will watch and parse your log files, then dynamically ban IP addresses based on unsuccessful login attempts. Not only does this utility handle SSH, but it also handles a number of other services including dovecot, proftpd, pure-ftpd, and others. Homepage: http://www.sshguard.net/
Use pam_abl
pam_abl will auto-blacklist hosts and users that repeatedly fail to log in. Homepage: http://www.hexten.net/wiki/index.php/Pam_abl
Get Really Paranoid
Get out your tin-foil hats… Just because you’re paranoid, doesn’t mean they aren’t really out to get you! Consider installing the Firewall Knock Operator (fwknop), which uses single packet authorization to keep the SSH port closed until a valid encrypted knock arrives, so potential intruders are denied before they even connect! Homepage: http://cipherdyne.org/fwknop/
Disable SSH and use Telnet
The script kiddies will never see this one coming! We’re just kidding. Telnet sends passwords unencrypted and should never be used.