Thread: SSH Brute Force
-
10-10-2013, 05:30 AM #1 Newbie
- Join Date: Oct 2013
- Location: LA
- Posts: 18
SSH Brute Force
I have a Netscreen firewall.
Every day there is a log entry about SSH Brute Force.
I'm kind of worried.
So is there any open source software to protect against brute force on the Linux machine?
Thank you.
-
10-10-2013, 05:34 AM #2
Have you considered CSF/LFD? http://configserver.com/cp/csf.html
You can configure brute force protection to block IP addresses after x amount of failed login attempts.
-
10-10-2013, 05:48 AM #3 Junior Guru Wannabe
- Join Date: Apr 2013
- Posts: 63
-
10-10-2013, 05:55 AM #4 Temporarily Suspended
- Join Date: Aug 2013
- Posts: 224
The best way to do it is to block IPs, as said above.
-
10-10-2013, 06:03 AM #5 Web Hosting Master
- Join Date: May 2012
- Location: Linux World
- Posts: 1,137
A software firewall like csf-lfd will be needed, and also change the SSH port to something not common. Still, there will be attempts to get through; they are common.
-
10-10-2013, 12:46 PM #6 Aspiring Evangelist
- Join Date: Mar 2009
- Location: /home/khunj
- Posts: 433
You can close your SSH port (and any other similar port used for admin purposes) and use port knocking.
knockd is a small daemon easy to set up.
-
10-10-2013, 12:55 PM #7 Web Hosting Master
- Join Date: May 2013
- Location: USA
- Posts: 931
Firewalls with SSH brute force blocking are great, but if you use a strong password and enforce strong passwords on every user to whom you have granted SSH access, then you don't have too much to worry about. Those SSH brute force attacks will only attempt a short list of common passwords; they're not running an actual brute force attack, which would involve attempting every possible password in sequential order.
-
10-10-2013, 07:43 PM #8 Newbie
- Join Date: Oct 2013
- Location: LA
- Posts: 18
-
10-10-2013, 07:46 PM #9 Newbie
- Join Date: Oct 2013
- Location: LA
- Posts: 18
Thank you.
I will install fail2ban and change the SSH port.
Thank you all for helping me.
-
10-11-2013, 03:06 AM #10 Disabled
- Join Date: Mar 2007
- Posts: 365
You can also restrict your administrative users (root/admin etc) to connect only from certain IP addresses.
man sshd_config
man ssh_config
-
10-15-2013, 02:26 AM #11 Eternal Learner
- Join Date: Jul 2007
- Posts: 2,051
-
10-15-2013, 08:52 AM #12 Newbie
- Join Date: Oct 2013
- Location: Indiana
- Posts: 6
There are too many different attack IPs.
So hard to block.
-
10-16-2013, 01:48 AM #13 Web Hosting Master
- Join Date: Jan 2008
- Posts: 1,204
The best practice:
[1] Change default SSH port
[2] Disable password authentication or at least disable direct root login
[3] Restrict SSH service to your local IP addresses only
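A way to check an `sshd_config` against the three points in the post above, and against the earlier suggestion to limit administrative users to certain addresses. This is an added example, not part of the thread: `parse_global`, `audit` and both sample configurations are constructed, the address pattern comes from a documentation range, and only the global section is read (`Match` blocks and `Include` files are ignored).

```python
# Constructed sshd_config samples for this example (not from any real host).
WEAK = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
AllowUsers deploy admin@198.51.100.*
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""
HARDENED = """\
Port 44022
PermitRootLogin no
PasswordAuthentication no
AllowUsers admin@198.51.100.*
"""
# Assumed when a keyword is absent (PermitRootLogin's real default varies by release).
DEFAULTS = {"port": "22", "permitrootlogin": "yes", "passwordauthentication": "yes"}
MULTI = {"port", "allowusers"}  # repeated lines of these keywords accumulate

def parse_global(text):
    """Return {keyword: [args]} for the global section, before any Match block."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.replace("=", " ", 1).split()  # "Key value" or "Key=value"
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, args = parts[0].lower(), parts[1:]  # keywords are case-insensitive
        if key == "match":
            break  # conditional blocks are outside this check
        if key in MULTI:
            settings.setdefault(key, []).extend(args)
        else:
            settings.setdefault(key, args)  # sshd keeps the first value it reads
    return settings

def audit(text):
    s = parse_global(text)
    first = lambda k: s.get(k, [DEFAULTS[k]])[0].lower()
    findings = []
    if "22" in s.get("port", [DEFAULTS["port"]]):
        findings.append("sshd listens on the default port 22")
    if first("passwordauthentication") != "no":
        findings.append("password authentication is enabled")
    if first("permitrootlogin") != "no":
        findings.append("direct root login is allowed")
    open_users = [u for u in s.get("allowusers", []) if "@" not in u]
    if "allowusers" not in s or open_users:
        findings.append("login not tied to a source address: "
                        + (", ".join(open_users) or "no AllowUsers list"))
    return findings
```

In `WEAK` the second `PasswordAuthentication no` has no effect because the first value read is the one that counts, which is why the audit still reports password authentication as enabled.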
-
10-16-2013, 07:07 PM #14 Junior Guru Wannabe
- Join Date: Aug 2013
- Posts: 37
+1 for CSF. Highly recommended. This will solve 80% of your server's problems and attacks.
-
10-16-2013, 07:18 PM #15 Disabled
- Join Date: Feb 2006
- Location: Global
- Posts: 1,642
Agreed.
My Blackberry inbox is nearly 90% ban logs from our servers, then it's the job of my abuse tech to go through these and report them all. Of course you aren't forced to report but how I see it, it could stop them coming back.
I do like to read the logs though to see where they're coming from.
I see lots of China and Russia for sure!
-
10-17-2013, 08:28 AM #16 Junior Guru
- Join Date: Jul 2011
- Location: Sittingbourne, Kent, UK
- Posts: 197
-
10-17-2013, 11:25 PM #17 Web Hosting Master
- Join Date: Aug 2003
- Location: Dallas, TX USA
- Posts: 2,812
I would do away with passwords and just use keys.
You essentially want to make it take ages to brute force your server. Use something like fail2ban to deal with the source IP addresses of such attacks.
-
10-18-2013, 09:52 AM #18 Newbie
- Join Date: Oct 2013
- Location: India
- Posts: 20
-
10-18-2013, 07:56 PM #19 WHT Addict
- Join Date: Oct 2013
- Posts: 174
You could try generating SSH keys for login.
-
10-18-2013, 10:37 PM #20 Web Hosting Master
- Join Date: Nov 2004
- Location: Australia
- Posts: 1,737
You're complaining about SSH log entries for brute force and you're running your sshd on port 22? That's part of life; it's automated, continual, and will probably only get worse over time. Sounds like Netscreen is doing its job.
You can install an additional layer of protection in CSF/LFD (www.configserver.com) as discussed, and you might also look at getting them to harden your server at the same time. Costs a little, but your server will never get hacked.
However, you should look at changing your SSH port from 22 to something else (large number, e.g. 44022, etc.), which will reduce this confusing log noise. The change doesn't make your server more secure, but it stops the random attacks and, who knows, may save you in the future (it did save some people when the libkeyutil hack was out). Sometimes these little layers of security (small changes) can have a good cumulative effect.
-
10-19-2013, 01:54 AM #21 Web Hosting Master
- Join Date: Jan 2001
- Location: Miami, FL
- Posts: 1,075
fail2ban is easy to configure and customize for more than just ssh brute.