loc2log


When I logged in to one of my server instances on DigitalOcean via SSH, I was shocked to discover there had been almost half a million unsuccessful login attempts. That was definitely a cracking attempt in progress. And I must confess my setup was not the strongest. So here are the remedy options:

  1. Just in case: make sure you have a non-SSH way of accessing your server console. DigitalOcean provides its own console for each Droplet. To get there, click on your Droplet, then Access, then the big green "Launch Console" button. Once you are on your box via the non-SSH console (a VNC session), you are free to experiment, because you no longer depend on SSH as your only lifeline.

    Now, from the VNC terminal, logged in as root, you may stop sshd; an attacker cannot brute-force a service that is not running:
    sudo service sshd stop
    DO NOT RUN THIS COMMAND UNLESS YOU HAVE NON-SSH ACCESS.

  2. If you've got an attack on a particular user name, disable password access for that user, make it key-only, and limit the number of authentication attempts.

    Better yet, create a new user with a less trivial name for future access, so it has less chance of being in the attacker's dictionary.

    Edit the sshd config (/etc/ssh/sshd_config) as necessary.

  3. To slow them down, you may also throttle authentication requests in the firewall, e.g. with iptables. The rules below are in iptables-save format, as used by the iptables service:

    # sample configuration for iptables service
    # you can edit this manually or use system-config-firewall
    # please do not ask us to add additional ports/services to this default configuration
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    # chain that offending SSH sources are sent to; it only drops
    -N SSHATTACK
    -A SSHATTACK -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --dport 80 --state NEW -m tcp -j ACCEPT
    # record the source address of every new SSH connection in the "recent" list
    -A INPUT -p tcp -m state --dport 22 --state NEW -m recent --set
    # the 4th new connection from the same source within 120 seconds is dropped,
    # and the window is refreshed while that source keeps hitting
    -A INPUT -p tcp -m state --dport 22 --state NEW -m recent --update --seconds 120 --hitcount 4 -j SSHATTACK
    # sources below the threshold still reach sshd
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
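As an added example for step 2 (not from the original post), this is what the sshd_config changes can look like; the account names olduser and newuser are placeholders:

```sshd_config
# /etc/ssh/sshd_config excerpt (added example; account names are placeholders)

# Never allow direct root login; the key-only account below is the way in,
# root is reached with sudo afterwards.
PermitRootLogin no

# Default for everybody: keys only, no password or keyboard-interactive
# prompts, so a password dictionary is useless against every account.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

# Cut the number of guesses one connection may make (default 6) and how
# long an unauthenticated connection may linger (default 120 seconds).
MaxAuthTries 3
LoginGraceTime 30

# Only the new, less guessable account may log in at all; the hammered
# old account is not listed, so attempts against it are refused regardless
# of the credentials offered. Add olduser here if it must stay for a while.
AllowUsers newuser

# If the old account does stay listed, keep it key-only and tighter than
# the rest for as long as it remains.
Match User olduser
    PasswordAuthentication no
    MaxAuthTries 2
```

Check the file with `sshd -t` before restarting sshd, and confirm a key-based login to newuser works from a second session while the console from step 1 is still open.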

Useful links:

  • http://serverfault.com/questions/275669/ssh-sshd-how-do-i-set-max-login-attempts
  • http://serverfault.com/questions/470287/how-to-enable-iptables-instead-of-firewalld-services-on-rhel-7-and-fedora-18
Views: 856 | Added by: ep | Date: 2017-01-30 | Comments (0)

I have a CentOS 7.0 ISO used as the CD/DVD in VMware, and wanted to use the image as the source to install rpms on my VMware instance. It turned out to be quite easy to do:
  1. Even though the ISO is used as the CD/DVD in the virtual machine and is "inserted", you still have to mount it inside CentOS:
    sudo mount -t iso9660 /dev/sr0 /mnt
  2. Now create a repo file in /etc/yum.repos.d/, e.g. sudo vi /etc/yum.repos.d/CentOS-Media.repo:
    [CentOS-Media]
    name=CentOS-Media
    baseurl=file:///mnt/
    enabled=1
  3. You may have to clean all the caches to make sure the new repo is picked up properly:
    sudo yum clean all
  4. That is pretty much it; yum should now be able to use your "CD/DVD" ISO just like the other repositories.

Views: 934 | Added by: ep | Date: 2017-01-29 | Comments (0)