Block Brute Force SSH Attempts.
If you run a Unix server on the Internet, your server will, eventually, be hit by either a script kiddie or a botnet which will try to guess SSH passwords in order to gain access to your system. Here are a number of resources and methodologies to block frequent brute force SSH attempts on your server(s).
Use IP Tables (Our Preferred Method)
We assume you have basic knowledge of iptables and the unix command line. If you don’t, be careful as you can easily lock yourself out of your own server!
Option #1 Use IP Tables to only allow SSH access from known static subnets/hosts. If you want access to your server from a dynamic IP address, for example your hotel room or your cell phone internet connection, this is not a option. You can also block IP addresses from various countries that perhaps you’re experiencing a problem with. A country IP address database is available at http://www.ipdeny.com/ipblocks/
Option #2 Dynamically ban using IP tables. The idea here is to set a rate of failures, and if that rate is exceeded, the IP address is dynamically banned for a period of time.
To create whitelist for known good static IP addresses or IP ranges, just add a line similar to this above the rulesets below line:
iptables -A INPUT -s your.ip.address.here -p tcp -m tcp –dport 22 -m state –state NEW -j ACCEPT
Ruleset Option #1: Create new Chain named “autoban”.
iptables -N autoban
iptables -I INPUT -p tcp –dport 22 -j autoban
iptables -A autoban -p tcp –dport 22 -m state –state NEW -m recent –set –name SSH
iptables -A autoban -p tcp –dport 22 -m state –state NEW -m recent –update –seconds 60 –hitcount 2 –rttl –name SSH -j DROP
iptables -I INPUT -p tcp -i vlan1 –dport 22 -j DROP
iptables -I INPUT -p tcp -i vlan1 –dport 22 -m state –state NEW -m limit –limit 2/min -j ACCEPT
iptables -I INPUT -p tcp -i vlan1 –dport 22 -m state –state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp –dport 22 -m state –state NEW -m recent –set –name SSH –rsource -j ACCEPT
iptables -A INPUT -p tcp -m tcp –dport 22 -m recent –update –seconds 60 –hitcount 2 –rttl –name SSH –rsource -j LOG –log-prefix “SSH_BAN ”
iptables -A INPUT -p tcp -m tcp –dport 22 -m recent –update –seconds 60 –hitcount 2 –rttl –name SSH –rsource -j DROP
To save your IP tables rulesets for use after you restart iptables or reboot, use the command:
iptables-save > /etc/sysconfig/iptables
Change your SSH Listening Port
SSH allows you to change the listening port to a non-standard port (other than port 22). This is not really a good solution, but will make it more difficult for brute force scripts to find your SSH port without doing a portscan first.
To change the listening port, just edit /etc/ssh/sshd_config and look for the line that says:
Uncomment this line, and change the port number to something not currently used by the system. Be sure to restart SSH to reload the configuration.
Turn off SSH Password Authentication
Use SSH certificate-based authentication, and turn off password based authentication. That’ll stop them. This is not a good solution for all cases.
DenyHosts will stop attempts from known problem IP addresses.
Fail2ban can also be used for other services such as FTP, IMAP, POP3, and others.
SSHGuard will watch and parse your log files, then dynamically ban IP addresses based on unsuccessful login attempts. Not only does this utility handle SSH, but it also handles a number of other services including dovecot, proftpd, pure-ftpd, and others.
pam_abl will auto-blacklist hosts and users who try repeatedly to unsuccessfully log in.
Get Really Paranoid
Get out your tin-foil hats… Just because you’re paranoid, doesn’t mean they aren’t really out to get you! Consider installing the Firewall Knock Operator, which will deny any potential intruders before they even connect!
Disable SSH and use Telnet
The script kiddies will never see this one coming!
We’re just kidding. Telnet sends passwords unencrypted and should never be used.