Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : Hosting Security and Technology Tutorials : Methods to block SSH attacks

[almahdi]

Alot of people are talking about SSH attacks, ways to prevent them.. Well I just thought that posting this would be somehow helpful.

Methods:
1. Allow the IPs you would like to have access to SSH through your firewall.

Code:

Example: 
iptables -A INPUT -i eth0 -s 10.10.10.10 -p tcp --dport 22 -j ACCEPT

2. Change SSH port.

Code:

Example:
Edit your ssh configuration file under /etc/ssh/sshd_config and add/replace this line:
Port 6445

3. Use a utility like BFD, BlockHosts and DenyHosts
4. Use ip tables to limit the rate of incomming connections to SSH.

Code:

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent   --set

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent   --update --seconds 60 --hitcount 4 -j DROP

This will limit incoming connections to port 22 to no more than 3 attemps in a minute. Any more will be dropped.

You can adjust the numbers yourself to limit connections further.

5. Use Port knocking to open a the port for the firewall.

Quote:

Example using iptables:

# Netfilter/IPtables - example of multiple-port knocking
# Note: Knock ports 100,200,300,400 to open SSH port for 5 seconds.
# Nice thing to knock TCP with is `telnet' program:
# $> alias k='telnet ip_address_or_hostname'
# $> k 100 ; k 200 ; k 300 ; k 400 ; ssh ip_address_or_hostname
# Then press Ctrl-C 4 times. That's all. Enjoy.

HOST_IP="12.34.56.78"

/sbin/iptables -N INTO-PHASE2
/sbin/iptables -A INTO-PHASE2 -m recent --name PHASE1 --remove
/sbin/iptables -A INTO-PHASE2 -m recent --name PHASE2 --set
/sbin/iptables -A INTO-PHASE2 -j LOG --log-prefix "INTO PHASE2: "

/sbin/iptables -N INTO-PHASE3
/sbin/iptables -A INTO-PHASE3 -m recent --name PHASE2 --remove
/sbin/iptables -A INTO-PHASE3 -m recent --name PHASE3 --set
/sbin/iptables -A INTO-PHASE3 -j LOG --log-prefix "INTO PHASE3: "

/sbin/iptables -N INTO-PHASE4
/sbin/iptables -A INTO-PHASE4 -m recent --name PHASE3 --remove
/sbin/iptables -A INTO-PHASE4 -m recent --name PHASE4 --set
/sbin/iptables -A INTO-PHASE4 -j LOG --log-prefix "INTO PHASE4: "

/sbin/iptables -A INPUT -m recent --update --name PHASE1

/sbin/iptables -A INPUT -p tcp --dport 100 -m recent --set --name PHASE1
/sbin/iptables -A INPUT -p tcp --dport 200 -m recent --rcheck --name PHASE1 -j INTO-PHASE2
/sbin/iptables -A INPUT -p tcp --dport 300 -m recent --rcheck --name PHASE2 -j INTO-PHASE3
/sbin/iptables -A INPUT -p tcp --dport 400 -m recent --rcheck --name PHASE3 -j INTO-PHASE4

/sbin/iptables -A INPUT -p tcp -s $HOST_IP --dport 22 -m recent --rcheck --seconds 5 --name PHASE4 -j ACCEPT


This script can be found @ http://pub.ligatura.org/fs/netfilter...ortknock_multi

[layer0]

Great post, I'm sure it'll help people out!

[trx123]

nice thx , im sure this will help me

[Neo7]

Thanks thats really good post

[Avril Cloud]

What about DOS attacks? many hosts are still vulnerable to them, how do you know if you are safe?

[kalpin]

There are a number of ways you can protect your network from DOS attack (not 100%).

1. Filter ICMP and UDP to your network or your server. You can ask your uplink provider to filter this packet in their border routers. This will prevent almost smurf and fragmented attacks.

2. Put a hardware firewall, acting like proxy which only passing on completed packets. This will protect you from malicious TCP Traffic like SYN|ACK flooding.

3. Filter out bad ip sources and put some policy to rate connections from specific hosts.

I wish this could help you.

[agent420]

Helpful Article, thanks kalpin.

[almahdi]

Quote:

Originally Posted by kalpin

There are a number of ways you can protect your network from DOS attack (not 100%).

1. Filter ICMP and UDP to your network or your server. You can ask your uplink provider to filter this packet in their border routers. This will prevent almost smurf and fragmented attacks.

2. Put a hardware firewall, acting like proxy which only passing on completed packets. This will protect you from malicious TCP Traffic like SYN|ACK flooding.

3. Filter out bad ip sources and put some policy to rate connections from specific hosts.

I wish this could help you.

I agree with you. Also traffic shaping is one of the solutions for DOS attacks.

[de_rader]

If I used iptables to drop ssh attempts, is there a log of those drops? I want to check that it's working. Also, if attempts are dropped, are they still logged and therefore checkable with lastb?

Thanks!

Joe R.

[shad4linux]

The ssh logs normally get logged in /var/log/messages or in /var/log/secure. I think you better check these files for logs.

[de_rader]

Ok, yeah I'm seeing a lot of authentication failure logs which is good. Thanks for the tip, I hadn't thought of it. It'd be nice to see messages about drops done by iptables. Perhaps iptables doesn't log these by default? Or maybe just need to find some third party software to do this for me.

[AboveSecure]

Great post!

[almahdi]

You can use logwatch and see that maximum failed logins from each IP is the number you have set. I suggest using higher time than 60 seconds.. something like 20 minutes (1200 seconds).

[Xous]

Quote:

Originally Posted by kalpin

There are a number of ways you can protect your network from DOS attack (not 100%).

1. Filter ICMP and UDP to your network or your server. You can ask your uplink provider to filter this packet in their border routers. This will prevent almost smurf and fragmented attacks.

2. Put a hardware firewall, acting like proxy which only passing on completed packets. This will protect you from malicious TCP Traffic like SYN|ACK flooding.

3. Filter out bad ip sources and put some policy to rate connections from specific hosts.

I wish this could help you.

While I agree it's a good idea to blog some types of ICMP packets it is also very useful to allow certain types of ICMP requests such as ICMP echo request/reply and all of the Destination unreachable replies.

While setting up a dedicated firewall will prevent your server being heavily loaded by D/DoS your server will still appear unresponsive to the outside world if the D/DoS exceeds the amount of traffic the device is rated for. It will also be useless if the D/DoS exceeds the bandwidth of your up-link.

[HostingWebAsia]

Changing post is easiest and the best. That's what i do first.