Thread: SSH Brute Force

  1. #1
    Join Date
    Oct 2013
    Location
    LA
    Posts
    18

    SSH Brute Force

    I have a Netscreen firewall.

    Every day there is a log about SSH Brute Force.

    I'm kind of worried.

    So is there any open source software to protect against brute force on the Linux machine?

    Thank you.

  2. #2
    Join Date
    Jun 2011
    Location
    USA/UK/SG
    Posts
    3,636
    Have you considered CSF/LFD? http://configserver.com/cp/csf.html

    You can configure brute force protection to block IP addresses after x amount of failed login attempts.

  3. #3
    Join Date
    Apr 2013
    Posts
    63
    Quote Originally Posted by usdedi View Post
    I have a Netscreen firewall.

    Every day there is a log about SSH Brute Force.

    I'm kind of worried.

    So is there any open source software to protect against brute force on the Linux machine?

    Thank you.
    If you are still using port 22, consider changing it. You can also use fail2ban, which scans your logs and bans the IPs that are trying to brute force your server.

  4. #4
    Join Date
    Aug 2013
    Posts
    224
    The best way to do it is to block IPs, as said above.

  5. #5
    Join Date
    May 2012
    Location
    Linux World
    Posts
    1,137
    A software firewall like csf-lfd will be needed, and also change the SSH port to something not common. Still, there will be attempts to get through; they are common.

  6. #6
    Join Date
    Mar 2009
    Location
    /home/khunj
    Posts
    433
    You can close your SSH port (and any other similar port used for admin purposes) and use port knocking.
    knockd is a small daemon easy to set up.
  7. #7
    Join Date
    May 2013
    Location
    USA
    Posts
    931
    Firewalls with SSH brute force blocking are great, but if you use a strong password and enforce strong passwords on every user who you have granted SSH access then you don't have too much to worry about. Those SSH brute force attacks will only attempt a short list of common passwords, they're not running an actual brute force attack which would involve attempting every possible password in sequential order.

  8. #8
    Join Date
    Oct 2013
    Location
    LA
    Posts
    18

    hard to block

    Quote Originally Posted by Andrew-x View Post
    The best way to do it is to block IPs, as said above.
    There are too many different attack IPs.

    So hard to block.

  9. #9
    Join Date
    Oct 2013
    Location
    LA
    Posts
    18

    thank you

    I will install fail2ban and change the SSH port.

    Thank you all for helping me.

  10. #10
    You can also restrict your administrative users (root/admin etc) to connect only from certain IP addresses.
    man sshd_config
    man ssh_config

  11. #11
    Join Date
    Jul 2007
    Posts
    2,051
    Quote Originally Posted by usdedi View Post
    I have a Netscreen firewall.

    Every day there is a log about SSH Brute Force.

    I'm kind of worried.

    So is there any open source software to protect against brute force on the Linux machine?

    Thank you.
    Does Netscreen block the Brute Force? If yes, then you don't need to worry as far as it is able to block the attacks. Also, you should consider changing Password Authentication to Public Key authentication and also change the SSH port for more security.
    Prashant T.

    Don't run after Success. Run after Excellence and Success will soon follow.

  12. #12
    There are too many different attack IPs.

    So hard to block.
    The best idea is to use a whitelist ACL approach instead of blacklisting the attacking IPs. Drop all SSH traffic except for IPs specifically in your whitelist; different attackers will always come if you simply leave the port open.

  13. #13
    The best practice:

    [1] Change default SSH port
    [2] Disable password authentication or at least disable direct root login
    [3] Restrict SSH service to your local IP addresses only
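
The three points above, together with the per-user source restriction suggested in post #10, can be checked against an `sshd_config` with a short script. This is an added example, not code from any poster or from OpenSSH; the sample configs, user names and 203.0.113.x addresses are constructed, and port 44022 is the one suggested later in the thread.

```python
# Added example (not from the thread): audit the global part of an sshd_config.
DEFAULTS = {"port": ["22"], "passwordauthentication": ["yes"],
            "permitrootlogin": ["prohibit-password"], "allowusers": []}
MULTI = {"port", "allowusers"}  # these keywords accumulate across lines

def effective_settings(text):
    """Settings sshd applies to every connection (lines before the first Match)."""
    seen = {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        key, values = parts[0].lower(), parts[1:]  # keywords are case-insensitive
        if key == "match":
            break  # Match blocks are conditional overrides, not global policy
        if key in MULTI:
            seen.setdefault(key, []).extend(values)
        elif key not in seen and values:
            seen[key] = values  # first value obtained wins; later lines are ignored
    return {k: seen.get(k, d) for k, d in DEFAULTS.items()}

def audit(text):
    s, findings = effective_settings(text), []
    if "22" in s["port"]:
        findings.append("listening on default port 22")
    if s["passwordauthentication"][0].lower() != "no":
        findings.append("password authentication enabled")
    if s["permitrootlogin"][0].lower() != "no":
        findings.append("direct root login allowed: " + s["permitrootlogin"][0])
    if not s["allowusers"] or any("@" not in u for u in s["allowusers"]):
        findings.append("AllowUsers does not pin every user to a source address")
    return findings

# Constructed samples. In WEAK the second PasswordAuthentication line never takes effect.
WEAK = """\
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no
"""
HARDENED = """\
Port 44022
PasswordAuthentication no
PermitRootLogin no
AllowUsers admin@203.0.113.10 deploy@203.0.113.*
"""

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

On a live host, `sshd -T` prints the effective configuration, including any `Include` files that this sketch does not follow.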

  14. #14
    +1 for CSF. Highly recommended. This will solve 80% of your server's problems and attacks.

  15. #15
    Join Date
    Feb 2006
    Location
    Global
    Posts
    1,642
    Quote Originally Posted by A1dedicatedservers View Post
    +1 for CSF. Highly recommended. This will solve 80% of your server's problems and attacks.
    Agreed.
    My Blackberry inbox is nearly 90% ban logs from our servers, then it's the job of my abuse tech to go through these and report them all. Of course you aren't forced to report but how I see it, it could stop them coming back.

    I do like to read the logs though to see where they're coming from.
    I see lots of China and Russia for sure!

  16. #16
    Join Date
    Jul 2011
    Location
    Sittingbourne, Kent, UK
    Posts
    197
    Quote Originally Posted by Kailash12 View Post
    The best practice:

    [1] Change default SSH port
    [2] Disable password authentication or at least disable direct root login
    [3] Restrict SSH service to your local IP addresses only
    This^, every time :-)!

  17. #17
    Join Date
    Aug 2003
    Location
    Dallas, TX USA
    Posts
    2,812
    I would do away with passwords and just use keys.
    You essentially want to make it take ages to brute force your server. Use something like fail2ban to deal with the source IP addresses of such attacks.
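
The per-IP counting that fail2ban-style tools apply to the auth log, as an added example that is not part of the original posts and not fail2ban's own code. The log lines are constructed, the regex is a simplification of real sshd log matching, and `maxretry` and `findtime` borrow fail2ban's option names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified pattern for sshd password failures (assumption: OpenSSH syslog format).
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

# Constructed sample log; addresses come from the documentation ranges.
SAMPLE_LOG = """\
Oct 21 03:14:01 host sshd[2101]: Failed password for root from 198.51.100.7 port 40110 ssh2
Oct 21 03:14:03 host sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
Oct 21 03:14:05 host sshd[2107]: Accepted publickey for deploy from 203.0.113.10 port 51500 ssh2
Oct 21 03:14:06 host sshd[2109]: Failed password for invalid user test from 198.51.100.7 port 40115 ssh2
Oct 21 03:20:00 host sshd[2150]: Failed password for deploy from 203.0.113.10 port 51620 ssh2
Oct 21 04:45:00 host sshd[2290]: Failed password for root from 192.0.2.44 port 33100 ssh2
Oct 21 05:50:00 host sshd[2291]: Failed password for root from 192.0.2.44 port 33101 ssh2
Oct 21 06:55:00 host sshd[2292]: Failed password for root from 192.0.2.44 port 33102 ssh2
"""

def find_bans(lines, maxretry=3, findtime=timedelta(minutes=10), year=2013):
    """Return {ip: time of the failure that triggered the ban}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    banned = {}
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue              # successful logins and other messages are ignored
        ip = m.group(1)
        if ip in banned:
            continue
        # Classic syslog timestamps carry no year, so one is supplied.
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

Only 198.51.100.7 is banned here: the single mistyped password from 203.0.113.10 and the failures from 192.0.2.44 spaced more than `findtime` apart never reach `maxretry` inside one window, which is why log-based banning is paired with key-only logins as this post suggests.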


  18. #18
    Quote Originally Posted by Kailash12 View Post
    The best practice:

    [1] Change default SSH port
    [2] Disable password authentication or at least disable direct root login
    [3] Restrict SSH service to your local IP addresses only
    Also, you need to have a strong password, not a dictionary or any simple password. The password must be at least 8-12 characters with uppercase, lowercase, special characters and numbers.

  19. #19
    You could try generating SSH keys for login.

  20. #20
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,737
    You're complaining about ssh log entries for brute force and you're running your sshd on port 22? That's part of life, it's automated, continual, and will probably only get worse over time. Sounds like Netscreen is doing its job.

    You can install an additional layer of protection in CSF/LFD (www.configserver.com) as discussed, and you might also look at getting them to harden your server at the same time. Costs a little, but your server will never get hacked.

    However, you should look at changing your ssh port from 22 to something else (large number, eg 44022 etc) which will reduce this confusing log noise. The change doesn't make your server more secure, but it stops the random attacks and who knows, may save you in the future (it did save some people when the libkeyutil hack was out). Sometimes these little layers of security (small changes) can have a good cumulative effect.

  21. #21
    Join Date
    Jan 2001
    Location
    Miami, FL
    Posts
    1,075
    fail2ban is easy to configure and customize for more than just ssh brute.
