loc2log

Posted 2017-01-30, 1:17 AM
How to fight ssh brute force attack

When I logged in to one of my server instances on DigitalOcean via ssh, I was shocked to discover almost half a million unsuccessful login attempts. That was clearly a brute-force attack in progress. And I must confess my setup was not the strongest. So here are the remedy options:

  1. Just in case: make sure you have a non-ssh way of accessing your server console. DigitalOcean provides its own console for each Droplet. To get there: click on your Droplet, then Access, then the big green "Launch Console" button. Once you are on your box via this non-ssh console (a VNC session), you are free to experiment, because ssh is no longer your only lifeline.

    Now, from the VNC terminal, logged in as root, you may stop sshd; an attacker cannot brute-force a service that is not running:
    sudo service sshd stop   (DO NOT RUN THIS COMMAND UNLESS YOU HAVE NON-SSH ACCESS)

  2. If the attack targets a particular user name, disable password access for that user, make it key-only, and limit the number of authentication attempts.

    Better yet, create a new user with a less trivial name for future access, so it has less chance of being in an attacker's dictionary.

    Edit the sshd config, /etc/ssh/sshd_config, as necessary.
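As an added example (not part of the original post), the Python script below audits an sshd_config for the settings step 2 calls for and emits a hardened version. It relies on two real sshd parsing rules: the first value given for a keyword wins, and everything after a Match line is conditional, so Match blocks belong at the end of the file. The keywords are real sshd_config options; the sample config text and the user name passed to key_only_for_user are constructed for illustration.

```python
import re

# Global directives step 2 calls for. Keywords are real sshd_config
# options; the values are the ones we want sshd to actually apply.
HARDENED = {
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "PermitRootLogin": "no",
    "MaxAuthTries": "3",
}
_WANTED = {k.lower(): v for k, v in HARDENED.items()}
_DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.+?)$")


def _directive(line):
    """Parse one sshd_config line into (keyword_lower, value), or None for
    blank lines and comments (sshd only treats a leading '#' as a comment)."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = _DIRECTIVE.match(stripped)
    return (m.group(1).lower(), m.group(2).strip()) if m else None


def effective_global(text):
    """Settings sshd applies outside any Match block. The FIRST value given
    for a keyword wins, and parsing stops at the first 'Match' line because
    everything after it is conditional."""
    eff = {}
    for line in text.splitlines():
        d = _directive(line)
        if d is None:
            continue
        key, value = d
        if key == "match":
            break
        eff.setdefault(key, value)
    return eff


def audit(text):
    """Return (keyword, current, wanted) for every hardened setting the config
    does not meet. A missing keyword is a finding: sshd's compiled-in
    defaults (PasswordAuthentication yes, MaxAuthTries 6) are weaker."""
    eff = effective_global(text)
    findings = []
    for key, wanted in HARDENED.items():
        current = eff.get(key.lower())
        if key == "MaxAuthTries" and current is not None and current.isdigit():
            ok = int(current) <= int(wanted)  # fewer tries than wanted is fine too
        else:
            ok = current is not None and current.lower() == wanted
        if not ok:
            findings.append((key, current, wanted))
    return findings


def harden(text):
    """Return the config with the HARDENED values in force: old global
    occurrences are dropped and the new ones are placed first, so they win."""
    kept, in_match = [], False
    for line in text.splitlines():
        d = _directive(line)
        if d is not None and d[0] == "match":
            in_match = True
        if d is not None and not in_match and d[0] in _WANTED:
            continue  # superseded by the header added below
        kept.append(line)
    header = ["# hardened globals (sshd keeps the first value it sees)"]
    header += [f"{k} {v}" for k, v in HARDENED.items()]
    return "\n".join(header + kept) + "\n"


def key_only_for_user(text, user):
    """Append a Match block that turns off password logins for one account
    (the one being brute-forced) without touching anyone else. The user name
    is validated so a stray value cannot smuggle extra directives into the file."""
    if not re.fullmatch(r"[a-z_][a-z0-9_-]*", user):
        raise ValueError(f"not a valid Unix user name: {user!r}")
    block = (f"\nMatch User {user}\n"
             "    PasswordAuthentication no\n"
             "    PubkeyAuthentication yes\n")
    return text.rstrip("\n") + "\n" + block


# Constructed sample: a typical distro default with password logins enabled.
WEAK_CONFIG = """\
# sample sshd_config (constructed for this example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
Subsystem sftp /usr/lib/openssh/sftp-server
"""

if __name__ == "__main__":
    for key, current, wanted in audit(WEAK_CONFIG):
        print(f"{key}: is {current!r}, want {wanted!r}")
    print(key_only_for_user(harden(WEAK_CONFIG), "root"))
```

Run `sshd -t -f <file>` on the generated file before installing it, and keep the VNC console from step 1 open while restarting sshd, since a typo here locks you out of ssh.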

  3. To slow them down you may also throttle authentication requests in the firewall, e.g. with iptables.

    # sample configuration for iptables service
    # you can edit this manually or use system-config-firewall
    # please do not ask us to add additional ports/services to this default configuration
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    # sources that trip the ssh throttle land in this chain
    -N SSHATTACK
    -A SSHATTACK -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
    # every new connection to port 22 records the source address and a timestamp ...
    -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set
    # ... and a source with 4 or more new connections in the last 120 seconds goes to SSHATTACK
    -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 120 --hitcount 4 -j SSHATTACK
    -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
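To see exactly what the two "-m recent" rules do to a stream of connections, here is an added example (not part of the original post) that models xt_recent's per-source timestamp list in Python and walks constructed connection events through the three port-22 rules in the order the sample lists them. The window, hit count and the 20-timestamps-per-address limit are the real module parameters; the event times and the documentation-range addresses are constructed.

```python
from collections import defaultdict, deque

# Parameters of the two "-m recent" rules in the iptables sample above.
WINDOW_SECONDS = 120   # --seconds 120
HITCOUNT = 4           # --hitcount 4
# xt_recent keeps at most ip_pkt_list_tot timestamps per address (kernel default 20).
MAX_STAMPS = 20


class RecentList:
    """Toy model of the xt_recent table: one timestamp list per source address."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=MAX_STAMPS))

    def set(self, src, now):
        """--set: add the source if new and record a timestamp. The sample's
        --set rule has no -j target, so the packet always falls through."""
        self.stamps[src].append(now)

    def update(self, src, now, seconds=WINDOW_SECONDS, hitcount=HITCOUNT):
        """--update --seconds N --hitcount M: match when the source already has
        at least M timestamps younger than N seconds. A match records a fresh
        timestamp too, which is why a source that keeps hammering never ages out."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t < seconds)
        if hits < hitcount:
            return False
        self.stamps[src].append(now)
        return True


def filter_new_ssh_connections(events):
    """events: (time_in_seconds, source_ip) for NEW connections to port 22, in order.
    Returns (time, source, verdict) per event."""
    table = RecentList()
    verdicts = []
    for now, src in events:
        table.set(src, now)                          # rule 1: -m recent --set
        if table.update(src, now):                   # rule 2: --update ... -j SSHATTACK
            verdicts.append((now, src, "DROP"))      # SSHATTACK chain: -j DROP
        else:
            verdicts.append((now, src, "ACCEPT"))    # rule 3: --dport 22 --state NEW -j ACCEPT
    return verdicts


def throttled_sources(verdicts):
    """Addresses that hit the SSHATTACK chain at least once."""
    return {src for _, src, v in verdicts if v == "DROP"}


# Constructed sample: one source opening a new ssh connection every ten
# seconds, and an ordinary user connecting twice, far apart.
SAMPLE_EVENTS = [
    (0, "203.0.113.7"), (5, "198.51.100.9"), (10, "203.0.113.7"),
    (20, "203.0.113.7"), (30, "203.0.113.7"), (40, "203.0.113.7"),
    (400, "198.51.100.9"),
]

if __name__ == "__main__":
    result = filter_new_ssh_connections(SAMPLE_EVENTS)
    for now, src, verdict in result:
        print(f"t={now:>4}s  {src:<14} {verdict}")
    print("throttled:", sorted(throttled_sources(result)))
```

Two things the walk-through makes visible: the throttle counts new connections, not failed logins, so four connections from one address inside two minutes (a scripted scp loop, for instance) are dropped just like a dictionary attack, and a source that keeps connecting while throttled keeps refreshing its own timestamps. If your own automation trips it, raise --hitcount or accept your own address in a rule placed above the two recent rules.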

Useful links:

  • http://serverfault.com/questions/275669/ssh-sshd-how-do-i-set-max-login-attempts
  • http://serverfault.com/questions/470287/how-to-enable-iptables-instead-of-firewalld-services-on-rhel-7-and-fedora-18
Added by: ep | Tags: firewall, Security, ssh, Linux, Iptables