  1. #1
    Linux Newbie rudie_rage's Avatar
    Join Date
    Jun 2007
    Location
    Canada
    Posts
    133

    securing ssh from bruteforce


    I love ssh. I often use it to update and change my server's website from anywhere.

    At the same time having the service open constantly is just asking to be attacked, and It has indeed happened on several occasions. Log files clogged with attempts in short intervals are always there, and I even got rooted once.

    So what kind of options are available? Theoretically, a program that made you wait 5 minutes after 3 failed attempts would suit my needs, but it's more work than I want to put into writing myself, and I'm sure if it isn't already written there are alternative ideas.

  2. #2
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    This topic has been discussed many times over. (Try searching the forum.)

    If your primary concern is brute force attacks, then disable password forms of authentication completely.

    Only allow pubkey authentication. (Disable everything else.)

    There are additional steps to take, such as allowing only the subnets that need access via the iptables rules, disallowing root to logon directly, disallowing protocol 2, etc.

    But allowing only pubkey authentication will stop the password brute force attacks.

  3. #3
    Linux Newbie rudie_rage's Avatar
    Join Date
    Jun 2007
    Location
    Canada
    Posts
    133
    Quote Originally Posted by anomie View Post
    This topic has been discussed many times over. (Try searching the forum.)

    If your primary concern is brute force attacks, then disable password forms of authentication completely.

    Only allow pubkey authentication. (Disable everything else.)

    There are additional steps to take, such as allowing only the subnets that need access via the iptables rules, disallowing root to logon directly, disallowing protocol 2, etc.

    But allowing only pubkey authentication will stop the password brute force attacks.
    Thanks for the info.

    ...Sorry, should have searched for it first.
    Living the digital dream....
    Disclaimer: I may be wrong since I was once before.
    Breathe out so I can breathe you in ~~Everlong

  5. #4
    Linux Guru bigtomrodney's Avatar
    Join Date
    Nov 2004
    Location
    Ireland
    Posts
    6,133
    First thing I would do is change the default port number if possible. Scripts are generally written to scan/attack port 22. If you change to a higher up port you'll fare better. I haven't had a single brute force or login attempt since I switched from 22.

  6. #5
    Linux Guru smolloy's Avatar
    Join Date
    Apr 2005
    Location
    CA, but from N.Ireland
    Posts
    2,414
    If you only log in from a few IP addresses, add them to your hosts.allow, and put "ALL" in hosts.deny. When I did this, the number of attacks I saw plummeted, primarily because IP addresses from outside the range I specified don't even get asked for a username -- sshd just drops them unceremoniously!

    If you don't like this idea, I've seen a program that adds IP addresses to your hosts.deny if they hit you too many times inside a certain amount of time.

    Welcome to DenyHosts
    Registered Linux user #388328 || Registered LFS user #15880
    AMD 64 X2 4600+ :: 2X1GB DDR2 800 :: GeForce 9400 GT 512MB :: ASUS M2N32 Deluxe :: 4X250GB SATAII
    Need instant help? Try us on IRC -- #linuxforums on freenode
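The "wait after 3 failed attempts in a window" logic the original poster asked for, and the hosts.deny-generating behaviour smolloy attributes to DenyHosts, sketched as an added example (not code from the thread, DenyHosts or any other project). It assumes the classic year-less syslog format for sshd "Failed password" lines; the log lines and the 2007 year are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd auth log lines (syslog format, no year).
SAMPLE_LOG = """\
Jun 12 10:00:01 web sshd[4123]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun 12 10:00:04 web sshd[4125]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jun 12 10:00:07 web sshd[4127]: Failed password for root from 203.0.113.5 port 51251 ssh2
Jun 12 10:00:09 web sshd[4130]: Accepted publickey for rudie from 198.51.100.7 port 40022 ssh2
Jun 12 10:03:30 web sshd[4140]: Failed password for rudie from 198.51.100.7 port 40030 ssh2
Jun 12 10:09:00 web sshd[4150]: Failed password for rudie from 198.51.100.7 port 40031 ssh2
Jun 12 10:15:00 web sshd[4160]: Failed password for rudie from 198.51.100.7 port 40032 ssh2
"""

# Matches only password failures; pubkey successes and other events are ignored.
FAILED_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port"
)

def parse_ts(stamp, year):
    # Syslog stamps carry no year; the caller supplies it (assumption).
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def find_offenders(log_text, max_failures=3, window_seconds=300, year=2007):
    """Return {ip: time the threshold was crossed} for every source IP with at
    least max_failures failed passwords inside a sliding window_seconds span."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m or m.group(2) in blocked:
            continue
        ts, ip = parse_ts(m.group(1), year), m.group(2)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()          # drop failures that fell out of the window
        if len(q) >= max_failures:
            blocked[ip] = ts
    return blocked

def hosts_deny_lines(blocked):
    """Render the offenders in hosts.deny syntax, as smolloy describes."""
    return [f"sshd: {ip}" for ip in sorted(blocked)]

if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(find_offenders(SAMPLE_LOG))))
```

With the default 3-in-5-minutes policy only 203.0.113.5 is listed; the legitimate user's three spread-out failures from 198.51.100.7 are not, unless the window is widened.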

  7. #6
    Linux Newbie rudie_rage's Avatar
    Join Date
    Jun 2007
    Location
    Canada
    Posts
    133
    Quote Originally Posted by bigtomrodney View Post
    First thing I would do is change the default port number if possible. Scripts are generally written to scan/attack port 22. If you change to a higher up port you'll fare better. I haven't had a single brute force or login attempt since I switched from 22.
    lol, I was told this once before, and I didn't think it would do a thing at all :P
    But I must be wrong, if so many people swear by that method. I just figured if anyone was so determined to get in they could easily nmap it and just change the port number to attack. Then again like you say that would involve an actual person getting involved. It would weed out running bots quite well, which is probably the most common attacker.

    Oh, and thanks for the link smolloy. I'll look into it. The problem with where I live is that there are only two ISPs, and the bigger of the two changes users' IP addresses every few days. But something that generates a blacklist as needed would be great.
    Living the digital dream....
    Disclaimer: I may be wrong since I was once before.
    Breathe out so I can breathe you in ~~Everlong

  8. #7
    Linux Guru smolloy's Avatar
    Join Date
    Apr 2005
    Location
    CA, but from N.Ireland
    Posts
    2,414
    As far as I know, denyhosts can be configured to add IPs to a list for a set period of time, so you could set it up to deny IP addresses for a week at a time.

    Since I only ever log in from particular IP addresses, it's easier for me to deny everyone *except* those addresses, but it sounds like this might not work for you.
    Registered Linux user #388328 || Registered LFS user #15880
    AMD 64 X2 4600+ :: 2X1GB DDR2 800 :: GeForce 9400 GT 512MB :: ASUS M2N32 Deluxe :: 4X250GB SATAII
    Need instant help? Try us on IRC -- #linuxforums on freenode

  9. #8
    Linux Engineer Thrillhouse's Avatar
    Join Date
    Jun 2006
    Location
    Arlington, VA, USA
    Posts
    1,377
    You may want to look into Port Knocking. There's a good article/how-to about it here.

  10. #9
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    OP:

    I apologize -- in reading this thread again, I realize I misspoke badly.

    disallowing protocol 2, etc.
    NO. I meant to say "allow only protocol 2". Ssh protocol 1 suffers from known exploits. I don't understand why lots of GNU/Linux distros still leave it enabled by default.

    There are lots of tips on this thread to lock things down. But I really have to insist that allowing only pubkey authentication is a straightforward and thorough fix for your specific problem. The additional layers certainly will not hurt, but that change cuts to the meat of it.
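An added example (not from the thread or from OpenSSH) that checks an sshd_config against the advice in posts #2 and #9: protocol 2 only, pubkey only, no password or keyboard-interactive logins, no direct root logon. It applies sshd_config's first-value-wins rule per keyword and, as a simplification, stops at the first Match block; both sample configs are constructed.

```python
import re

# Constructed: a permissive config of the kind the thread warns about.
# The second "Protocol" line is deliberately ignored by sshd (first value wins).
WEAK_CONFIG = """\
# sshd_config (constructed example)
Protocol 2,1
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
Protocol 2
"""

# Constructed: the same file after applying the thread's recommendations.
HARDENED_CONFIG = """\
Protocol 2
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

def effective_settings(config_text):
    """Keyword -> value, keeping the FIRST value seen, as sshd_config(5) does.
    Keywords are case-insensitive; 'key value' and 'key=value' both accepted.
    Assumption/simplification: everything after a Match line is ignored."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings

# (keyword, predicate on the value that passes, advice from the thread)
CHECKS = [
    ("protocol", lambda v: "1" not in v.split(","), "allow only protocol 2"),
    ("passwordauthentication", lambda v: v.lower() == "no", "disable password auth"),
    ("challengeresponseauthentication", lambda v: v.lower() == "no", "disable keyboard-interactive passwords"),
    ("permitrootlogin", lambda v: v.lower() == "no", "disallow direct root logon"),
    ("pubkeyauthentication", lambda v: v.lower() == "yes", "keep pubkey auth enabled"),
]

def audit(config_text):
    """Return findings; an empty list means the config matches the thread's advice.
    A keyword left unset falls back to the sshd build's default, so it is reported
    as something to set explicitly rather than assumed safe."""
    s = effective_settings(config_text)
    findings = []
    for key, ok, advice in CHECKS:
        if key not in s:
            findings.append(f"{key}: not set, sshd build default applies; set it explicitly ({advice})")
        elif not ok(s[key]):
            findings.append(f"{key}: '{s[key]}' is weak; {advice}")
    return findings
```

Run `audit(WEAK_CONFIG)` and the five findings include the protocol 1 line that a later `Protocol 2` does not override; the hardened sample produces none.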

  11. #10
    Just Joined! parabuzzle's Avatar
    Join Date
    Jun 2007
    Location
    Oakland, CA
    Posts
    11
    I run a lot of servers and I have switched to the pubkey method, but before I was using that I used a nice script called Brute Force Detection with APF (Advanced Policy Firewall).

    The HOW TO for APF and BFD are located here:

    Install BFD (Brute Force Detection)

    Make sure you follow all the README files and the instructions on the site so you don't lock yourself out.

    -Mike
