Results 1 to 25 of 38
Thread: Methods to block SSH attacks
-
10-29-2005, 02:12 PM #1Aspiring Evangelist
- Join Date
- May 2004
- Posts
- 398
Methods to block SSH attacks
A lot of people are talking about SSH attacks and ways to prevent them. Well, I just thought that posting this would be somehow helpful.
Methods:
1. Allow the IPs you would like to have access to SSH through your firewall.
Code:
    # Example: accept SSH only from one trusted source address
    iptables -A INPUT -i eth0 -s 10.10.10.10 -p tcp --dport 22 -j ACCEPT
Code:
    # Example: edit your ssh configuration file under /etc/ssh/sshd_config and add/replace this line:
    Port 6445
4. Use iptables to limit the rate of incoming connections to SSH.
Code:
    # Rule 1: record the source of every NEW connection to port 22 in the "recent" list
    iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
    # Rule 2: drop when the source has already been recorded 4 or more times in the last 60 s;
    # --update also refreshes the entry on a match, so a host that keeps retrying stays blocked.
    # Note: -I inserts at the top of the chain, so typed in this order rule 2 ends up above rule 1.
    iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
This will limit incoming connections to port 22 to no more than 3 attempts in a minute. Any more will be dropped. You can adjust the numbers yourself to limit connections further.
Example using iptables:
Code:
    # Netfilter/IPtables - example of multiple-port knocking
    # Note: Knock ports 100,200,300,400 to open SSH port for 5 seconds.
    # Nice thing to knock TCP with is `telnet' program:
    # $> alias k='telnet ip_address_or_hostname'
    # $> k 100 ; k 200 ; k 300 ; k 400 ; ssh ip_address_or_hostname
    # Then press Ctrl-C 4 times. That's all. Enjoy.
    #
    # Each PHASEn "recent" list holds the hosts that have completed knock n.
    # The INTO-PHASEn chains move a host from the previous list into the next
    # one and log the transition.
    HOST_IP="12.34.56.78"

    /sbin/iptables -N INTO-PHASE2
    /sbin/iptables -A INTO-PHASE2 -m recent --name PHASE1 --remove
    /sbin/iptables -A INTO-PHASE2 -m recent --name PHASE2 --set
    /sbin/iptables -A INTO-PHASE2 -j LOG --log-prefix "INTO PHASE2: "

    /sbin/iptables -N INTO-PHASE3
    /sbin/iptables -A INTO-PHASE3 -m recent --name PHASE2 --remove
    /sbin/iptables -A INTO-PHASE3 -m recent --name PHASE3 --set
    /sbin/iptables -A INTO-PHASE3 -j LOG --log-prefix "INTO PHASE3: "

    /sbin/iptables -N INTO-PHASE4
    /sbin/iptables -A INTO-PHASE4 -m recent --name PHASE3 --remove
    /sbin/iptables -A INTO-PHASE4 -m recent --name PHASE4 --set
    /sbin/iptables -A INTO-PHASE4 -j LOG --log-prefix "INTO PHASE4: "

    # Any packet from a host already in PHASE1 refreshes its PHASE1 timestamp
    /sbin/iptables -A INPUT -m recent --update --name PHASE1
    # Knock 1 puts the source into PHASE1; knocks 2-4 each require the previous phase
    /sbin/iptables -A INPUT -p tcp --dport 100 -m recent --set --name PHASE1
    /sbin/iptables -A INPUT -p tcp --dport 200 -m recent --rcheck --name PHASE1 -j INTO-PHASE2
    /sbin/iptables -A INPUT -p tcp --dport 300 -m recent --rcheck --name PHASE2 -j INTO-PHASE3
    /sbin/iptables -A INPUT -p tcp --dport 400 -m recent --rcheck --name PHASE3 -j INTO-PHASE4
    # SSH is accepted only within 5 seconds of entering PHASE4. Note that, as written,
    # this rule also requires the source address to be $HOST_IP.
    /sbin/iptables -A INPUT -p tcp -s $HOST_IP --dport 22 -m recent --rcheck --seconds 5 --name PHASE4 -j ACCEPT
This script can be found @ http://pub.ligatura.org/fs/netfilter...ortknock_multi
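The rate-limit rules in this post (and the knock script, which uses the same `recent` lists) are easier to reason about with a small model of what the `recent` match actually does. The following is an added example, not code from the post or from the netfilter project. It models xt_recent as documented: `--set` records a timestamp for the source address (20 per address by default), `--rcheck`/`--update` with `--seconds N --hitcount H` match when at least H recorded timestamps fall inside the last N seconds, and `--update` also records the current packet when it matches. Times are plain seconds and the attempt data is constructed. It also shows the rule-order effect of `-I`: because the second `-I` lands above the first, the drop decision is made before the current packet is recorded, so `--hitcount 4` lets four attempts through and drops the fifth, whereas set-then-update drops the fourth.

```python
"""Model of the netfilter `recent` match behind the SSH rate-limit rules.

Added example, not code from the original post.  Mirrors xt_recent as
documented: --set records a timestamp per source address (default 20 kept),
--rcheck/--update with --seconds/--hitcount match when enough timestamps
fall inside the window, and --update records the packet when it matches.
Times are plain seconds; all attempt data below is constructed.
"""
from collections import defaultdict, deque

MAX_STAMPS = 20  # xt_recent default (ip_pkt_list_tot)


class RecentList:
    """One `recent` list: source address -> its recent timestamps."""

    def __init__(self):
        self._stamps = defaultdict(lambda: deque(maxlen=MAX_STAMPS))

    def set(self, addr, now):
        """--set: add the address, or one more timestamp if already listed."""
        self._stamps[addr].append(now)

    def check(self, addr, now, seconds, hitcount, update=False):
        """--rcheck (update=False) or --update (update=True) with --seconds/--hitcount."""
        stamps = self._stamps.get(addr)
        if not stamps:
            return False
        hits = sum(1 for t in stamps if now - t <= seconds)
        matched = hits >= hitcount
        if matched and update:
            stamps.append(now)  # --update refreshes the entry only on a match
        return matched


def filter_new_connections(attempts, seconds=60, hitcount=4, update_rule_first=True):
    """Push NEW connections to port 22 through the two rules; return verdicts.

    attempts: (source_ip, time_in_seconds) pairs in arrival order.
    "DROP" means the --update rule fired; "PASS" means the packet fell
    through both rules to whatever follows in the INPUT chain.

    update_rule_first=True is the order two `iptables -I INPUT ...` commands
    typed in sequence produce (the second -I lands above the first).
    """
    recent = RecentList()
    verdicts = []
    for addr, now in attempts:
        if update_rule_first:
            dropped = recent.check(addr, now, seconds, hitcount, update=True)
            if not dropped:
                recent.set(addr, now)
        else:
            recent.set(addr, now)
            dropped = recent.check(addr, now, seconds, hitcount, update=True)
        verdicts.append("DROP" if dropped else "PASS")
    return verdicts


def verdict_counts(attempts, verdicts):
    """{source_ip: {"PASS": n, "DROP": m}} for reporting."""
    counts = defaultdict(lambda: {"PASS": 0, "DROP": 0})
    for (addr, _), verdict in zip(attempts, verdicts):
        counts[addr][verdict] += 1
    return dict(counts)


# Constructed sample: a brute-forcer retrying every 5 s for a minute, one
# legitimate login in the middle, and the brute-forcer coming back later.
BRUTE_IP, LEGIT_IP = "203.0.113.7", "192.0.2.10"
SAMPLE = sorted(
    [(BRUTE_IP, t) for t in range(0, 60, 5)] + [(LEGIT_IP, 30)],
    key=lambda a: a[1],
)
RETURN_SOON = SAMPLE + [(BRUTE_IP, 100)]   # 4 stamps still inside the window: dropped
RETURN_LATER = SAMPLE + [(BRUTE_IP, 200)]  # every stamp older than 60 s: passes again

if __name__ == "__main__":
    for order in (True, False):
        verdicts = filter_new_connections(SAMPLE, update_rule_first=order)
        print("update rule first" if order else "set rule first",
              verdict_counts(SAMPLE, verdicts))
    print("retry at t=100:", filter_new_connections(RETURN_SOON)[-1])
    print("retry at t=200:", filter_new_connections(RETURN_LATER)[-1])
```

Two things worth taking from the run: the legitimate host is never affected because the list is keyed by source address, and the block on the brute-forcer only expires once fewer than four of its timestamps are inside the window, which a host that keeps retrying every few seconds never achieves.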
-
10-29-2005, 02:27 PM #2Eternal Member
- Join Date
- Dec 2004
- Location
- New York, NY
- Posts
- 10,710
Great post, I'm sure it'll help people out!
-
11-04-2005, 11:13 AM #3Newbie
- Join Date
- Aug 2005
- Posts
- 10
Nice, thanks. I'm sure this will help me.
-
11-11-2005, 05:35 PM #4Newbie
- Join Date
- Jul 2005
- Posts
- 19
Thanks, that's a really good post.
-
11-12-2005, 08:42 PM #5New Member
- Join Date
- Nov 2005
- Posts
- 4
hi
What about DoS attacks? Many hosts are still vulnerable to them. How do you know if you are safe?
-
11-14-2005, 01:37 AM #6Junior Guru Wannabe
- Join Date
- Jan 2005
- Location
- Jakarta, Indonesia
- Posts
- 93
There are a number of ways you can protect your network from DoS attacks (not 100%).
1. Filter ICMP and UDP to your network or your server. You can ask your uplink provider to filter these packets in their border routers. This will prevent most smurf and fragmentation attacks.
2. Put in a hardware firewall acting like a proxy that only passes on completed packets. This will protect you from malicious TCP traffic like SYN|ACK flooding.
3. Filter out bad IP sources and put in some policy to rate-limit connections from specific hosts.
I hope this helps you.
-
11-14-2005, 03:01 AM #7Disabled
- Join Date
- Oct 2005
- Location
- Canada
- Posts
- 34
Helpful article, thanks kalpin.
-
11-14-2005, 11:43 AM #8Aspiring Evangelist
- Join Date
- May 2004
- Posts
- 398
-
05-28-2008, 12:36 AM #9New Member
- Join Date
- May 2008
- Posts
- 2
If I used iptables to drop ssh attempts, is there a log of those drops? I want to check that it's working. Also, if attempts are dropped, are they still logged and therefore checkable with lastb?
Thanks!
Joe R.
-
05-28-2008, 01:51 AM #10Newbie
- Join Date
- May 2008
- Posts
- 7
The ssh logs normally end up in /var/log/messages or in /var/log/secure. I think you had better check these files.
-
05-28-2008, 02:38 AM #11New Member
- Join Date
- May 2008
- Posts
- 2
Ok, yeah I'm seeing a lot of authentication failure logs which is good. Thanks for the tip, I hadn't thought of it. It'd be nice to see messages about drops done by iptables. Perhaps iptables doesn't log these by default? Or maybe just need to find some third party software to do this for me.
-
06-01-2008, 01:01 PM #12Newbie
- Join Date
- Jun 2008
- Location
- /root
- Posts
- 16
Great post!
-
06-01-2008, 02:31 PM #13Aspiring Evangelist
- Join Date
- May 2004
- Posts
- 398
You can use logwatch and see that the maximum number of failed logins from each IP is the number you have set. I suggest using a higher time than 60 seconds, something like 20 minutes (1200 seconds).
-
06-03-2008, 11:32 PM #14Aspiring Evangelist
- Join Date
- Jun 2003
- Posts
- 367
While I agree it's a good idea to block some types of ICMP packets, it is also very useful to allow certain types of ICMP, such as ICMP echo request/reply and all of the Destination Unreachable replies.
While setting up a dedicated firewall will prevent your server being heavily loaded by D/DoS your server will still appear unresponsive to the outside world if the D/DoS exceeds the amount of traffic the device is rated for. It will also be useless if the D/DoS exceeds the bandwidth of your up-link.
-
07-09-2008, 03:36 AM #15Junior Guru Wannabe
- Join Date
- Apr 2006
- Posts
- 67
Changing the port is the easiest and the best. That's what I do first.
-
07-09-2008, 04:00 AM #16Web Hosting Guru
- Join Date
- Jun 2008
- Location
- UK
- Posts
- 266
Surely the best way is to set up SSH keys and disable password login completely?
-
07-09-2008, 04:01 AM #17Aspiring Evangelist
- Join Date
- May 2007
- Posts
- 442
Question about this:
Edit your ssh configuration file under /etc/ssh/sshd_config and add/replace this line:
Port 6445
-
07-23-2008, 12:52 PM #18Web Hosting Guru
- Join Date
- Dec 2002
- Location
- USA
- Posts
- 339
-
07-23-2008, 01:08 PM #19Temporarily Suspended
- Join Date
- Apr 2008
- Location
- USA & Germany
- Posts
- 194
Fail2Ban is a nice tool to automatically block IPs after a number of wrong login attempts. www.fail2ban.org
-
07-23-2008, 01:16 PM #20Newbie
- Join Date
- Jul 2008
- Posts
- 15
Hi,
At times, even a public key may be hacked. Google it and you will find more info.
You might have to use high encryption as a security measure. I agree that most people would prefer to use a public key. Even with a public key, you can of course restrict the IPs which can ssh in.
Another way to use ssh securely with password authentication is allowing only specific IPs to ssh to the server.
Of course, it is good to use a non-standard port as well as wheel (su user), with very strong passwords for both root and the su user.
-
07-23-2008, 07:17 PM #21Newbie
- Join Date
- Mar 2007
- Posts
- 17
Agreed. Changing the port is an easy and quick way to stop SSH attacks and perhaps reduce resource usage. I was getting random brute-force attacks on a server around 10 times per second; changing the SSH port stopped this completely.
-
07-24-2008, 06:00 AM #22Aspiring Evangelist
- Join Date
- May 2007
- Posts
- 442
Does anyone know how to set a limit?
A while back I had some guy do a zillion tries.. I'd like to limit it to something more reasonable, like 2... anything beyond that zaps them from the server. (If possible)
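Posts #9 to #13 ask how to see the attempts in the logs and whether iptables records its drops, #19 points at Fail2Ban, and the post above asks for a hard limit of a couple of tries. The following is an added example, not code from the thread or from Fail2Ban: it parses the `Failed password for ... from ... port ... ssh2` lines that sshd writes via syslog (the ones found in /var/log/secure or /var/log/messages), flags any source with at least N failures inside a sliding window, and produces the iptables commands to block it. Two facts it builds on: a plain DROP leaves no log entry at all, so a `-j LOG` rule ahead of the DROP is what makes drops visible in the kernel log, and syslog lines carry no year, so the year is passed in. The log lines are constructed.

```python
"""Count failed SSH logins per source address from sshd's syslog lines and
emit iptables rules that log, then drop, further attempts from offenders.

Added example, not code from the thread.  Assumes the
"Failed password for ... from <ip> port <n> ssh2" line format sshd writes
via syslog; the year is a parameter because syslog timestamps omit it.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_failed_login(line, year):
    """Return (timestamp, user, source_ip) for a failed-password line, else None."""
    m = FAILED_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return ts, m.group("user"), m.group("ip")


def find_offenders(lines, year, max_failures=3, window=timedelta(minutes=20)):
    """Sources with at least max_failures failures inside any `window`.

    Returns {ip: total_failures}.  A sliding window over each address's
    sorted failure times means two failures a day apart do not add up.
    """
    times = defaultdict(list)
    for line in lines:
        parsed = parse_failed_login(line, year)
        if parsed:
            ts, _user, ip = parsed
            times[ip].append(ts)
    offenders = {}
    for ip, stamps in times.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= max_failures:
                offenders[ip] = len(stamps)
                break
    return offenders


def block_rules(ips, port=22, log_prefix="SSH-BLOCK: "):
    """iptables commands that log and then drop new SSH connections from ips.

    DROP alone is silent; the LOG rule placed ahead of it writes one
    kernel-log line (with the prefix) per dropped packet.  Both are
    inserted with -I, DROP first, so the final chain order is LOG -> DROP.
    """
    rules = []
    for ip in sorted(ips):
        base = (f"iptables -I INPUT -s {ip} -p tcp --dport {port} "
                f"-m conntrack --ctstate NEW")
        rules.append(f"{base} -j DROP")
        rules.append(f"{base} -j LOG --log-prefix \"{log_prefix}\"")
    return rules


# Constructed sample log: one brute-forcer, one user who mistypes now and
# then, one successful key login and one stray failure from a trusted host.
SAMPLE_LOG = """\
May 28 01:20:01 web1 sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
May 28 01:20:04 web1 sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
May 28 01:20:09 web1 sshd[4013]: Failed password for root from 203.0.113.7 port 40131 ssh2
May 28 01:20:15 web1 sshd[4015]: Failed password for invalid user oracle from 203.0.113.7 port 40140 ssh2
May 28 01:31:44 web1 sshd[4030]: Accepted publickey for joe from 192.0.2.10 port 52011 ssh2
May 28 03:02:10 web1 sshd[4102]: Failed password for joe from 198.51.100.4 port 51002 ssh2
May 28 09:45:31 web1 sshd[4390]: Failed password for joe from 198.51.100.4 port 51200 ssh2
May 28 09:46:02 web1 sshd[4391]: Failed password for joe from 198.51.100.4 port 51201 ssh2
May 28 10:00:00 web1 sshd[4400]: Failed password for joe from 192.0.2.10 port 52100 ssh2
"""

if __name__ == "__main__":
    offenders = find_offenders(SAMPLE_LOG.splitlines(), year=2008)
    print("offenders:", offenders)
    for rule in block_rules(offenders):
        print(rule)
```

With the default of three failures in twenty minutes only 203.0.113.7 is flagged; lowering `max_failures` to 2, as the post above wants, also catches 198.51.100.4's two failures a minute apart, while its earlier failure hours before is not counted against it. A real deployment would tail the log continuously and expire the blocks, which is exactly what Fail2Ban does.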
-
07-24-2008, 01:59 PM #23WHT Addict
- Join Date
- Aug 2004
- Posts
- 142
Good tutorial
-
03-13-2010, 07:15 AM #24Junior Guru Wannabe
- Join Date
- Apr 2006
- Posts
- 58
I use WHM to block that attack. Visit the security area and configure some options. It's good if you use cPanel/WHM.
-
04-24-2010, 02:58 AM #25Temporarily Suspended
- Join Date
- Apr 2010
- Posts
- 26
Remember these tips, too:
- Deny root via SSH.
- Deny Empty Passwords via SSH.
- You have 65535 ports to choose from.
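The sshd_config side of this thread (keys only in #16, `Port 6445` in #17, the three tips above) is easy to get wrong in one specific way: sshd uses the FIRST value it finds for a keyword, so a `PermitRootLogin no` appended at the bottom of the file does nothing if an earlier `PermitRootLogin yes` is still there. The following is an added example, not code from the thread or from OpenSSH: a small auditor that parses an sshd_config with those semantics (case-insensitive keywords, `#` comments, `Key value` or `Key=value`, directives after a `Match` block treated as conditional and left out of the global audit) and reports the settings discussed here. The two configs are constructed; the expected values are the ones recommended in this thread, and an absent keyword is reported rather than assumed, because sshd's built-in defaults have changed between releases.

```python
"""Audit an sshd_config for the settings discussed in this thread.

Added example, not code from the thread or from OpenSSH.  Parsing follows
sshd_config(5): keywords are case-insensitive, '#' starts a comment, values
may follow whitespace or a single '=', and for each keyword the FIRST value
obtained wins.  Directives after a Match line are conditional and skipped.
"""
import re

# keyword -> (value this thread recommends, why)
EXPECTED = {
    "permitrootlogin": ("no", "Deny root via SSH"),
    "permitemptypasswords": ("no", "Deny empty passwords via SSH"),
    "passwordauthentication": ("no", "Keys only; disable password login"),
    "pubkeyauthentication": ("yes", "Allow key-based login"),
}


def parse_sshd_config(text):
    """Return {keyword_lowercase: first_value} for the global section."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break  # everything below applies only to matching connections
        effective.setdefault(keyword, value)  # first value wins, later ones are ignored
    return effective


def audit(text):
    """Return (keyword, expected, actual, note) findings; empty list means clean."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, (want, why) in EXPECTED.items():
        actual = cfg.get(key)
        if actual is None:
            findings.append((key, want, None, f"{why}: not set, sshd's default applies"))
        elif actual.lower() != want:
            findings.append((key, want, actual, why))
    port = cfg.get("port", "22")  # first Port directive only
    if port == "22":
        findings.append(("port", "non-default", port,
                         "Move off 22 to cut scanner noise (not a substitute for keys)"))
    return findings


# Constructed: a default-style config with a hardening line appended too late.
WEAK_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
#PermitEmptyPasswords no
Subsystem sftp /usr/libexec/openssh/sftp-server
# appended later by an admin, but the earlier PermitRootLogin line wins:
PermitRootLogin no
"""

# Constructed: the thread's recommendations, with passwords allowed only
# from one trusted network via a Match block.
HARDENED_CONFIG = """\
Port 6445
PermitRootLogin no
PermitEmptyPasswords no
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers joe
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}:")
        for key, want, actual, note in audit(cfg) or [("-", "-", "-", "no findings")]:
            print(f"  {key}: expected {want}, got {actual}  ({note})")
```

On a live host the reliable way to see what sshd actually applies is `sshd -T`, which prints the effective configuration after this first-value rule has been resolved; the parser above is for reviewing a file before it is deployed.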