Methods to block SSH attacks
#1  10-29-2005, 02:12 PM  almahdi (Aspiring Evangelist; Join Date: May 2004; Posts: 394)

A lot of people are talking about SSH attacks and ways to prevent them. Well, I just thought that posting this would be somehow helpful.

Methods:
1. Allow the IPs you would like to have access to SSH through your firewall.
Code:
Example: 
iptables -A INPUT -i eth0 -s 10.10.10.10 -p tcp --dport 22 -j ACCEPT
2. Change SSH port.
Code:
Example:
Edit your ssh configuration file under /etc/ssh/sshd_config and add/replace this line:
Port 6445
3. Use a utility like BFD, BlockHosts or DenyHosts.
4. Use iptables to limit the rate of incoming connections to SSH.
Code:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

This will limit incoming connections to port 22 to no more than 3 attempts in a minute. Any more will be dropped.

You can adjust the numbers yourself to limit connections further.
5. Use port knocking to open the port in the firewall.
Quote:
Example using iptables:

# Netfilter/IPtables - example of multiple-port knocking
# Note: Knock ports 100,200,300,400 to open SSH port for 5 seconds.
# Nice thing to knock TCP with is `telnet' program:
# $> alias k='telnet ip_address_or_hostname'
# $> k 100 ; k 200 ; k 300 ; k 400 ; ssh ip_address_or_hostname
# Then press Ctrl-C 4 times. That's all. Enjoy.

HOST_IP="12.34.56.78"

/sbin/iptables -N INTO-PHASE2
/sbin/iptables -A INTO-PHASE2 -m recent --name PHASE1 --remove
/sbin/iptables -A INTO-PHASE2 -m recent --name PHASE2 --set
/sbin/iptables -A INTO-PHASE2 -j LOG --log-prefix "INTO PHASE2: "

/sbin/iptables -N INTO-PHASE3
/sbin/iptables -A INTO-PHASE3 -m recent --name PHASE2 --remove
/sbin/iptables -A INTO-PHASE3 -m recent --name PHASE3 --set
/sbin/iptables -A INTO-PHASE3 -j LOG --log-prefix "INTO PHASE3: "

/sbin/iptables -N INTO-PHASE4
/sbin/iptables -A INTO-PHASE4 -m recent --name PHASE3 --remove
/sbin/iptables -A INTO-PHASE4 -m recent --name PHASE4 --set
/sbin/iptables -A INTO-PHASE4 -j LOG --log-prefix "INTO PHASE4: "

/sbin/iptables -A INPUT -m recent --update --name PHASE1

/sbin/iptables -A INPUT -p tcp --dport 100 -m recent --set --name PHASE1
/sbin/iptables -A INPUT -p tcp --dport 200 -m recent --rcheck --name PHASE1 -j INTO-PHASE2
/sbin/iptables -A INPUT -p tcp --dport 300 -m recent --rcheck --name PHASE2 -j INTO-PHASE3
/sbin/iptables -A INPUT -p tcp --dport 400 -m recent --rcheck --name PHASE3 -j INTO-PHASE4

/sbin/iptables -A INPUT -p tcp -s $HOST_IP --dport 22 -m recent --rcheck --seconds 5 --name PHASE4 -j ACCEPT


This script can be found @ http://pub.ligatura.org/fs/netfilter...ortknock_multi



#2  10-29-2005, 02:27 PM  layer0 (Performance Specialist; Join Date: Dec 2004; Location: New York, NY; Posts: 10,505)
Great post, I'm sure it'll help people out!


#3  11-04-2005, 11:13 AM  trx123 (Newbie; Join Date: Aug 2005; Posts: 8)
Nice, thanks. I'm sure this will help me.

#4  11-11-2005, 05:35 PM  Neo7 (Newbie; Join Date: Jul 2005; Posts: 18)
Thanks, that's a really good post.

#5  11-12-2005, 08:42 PM  Avril Cloud (New Member; Join Date: Nov 2005; Posts: 3)
Hi,

What about DoS attacks? Many hosts are still vulnerable to them. How do you know if you are safe?

#6  11-14-2005, 01:37 AM  kalpin (Junior Guru Wannabe; Join Date: Jan 2005; Location: Jakarta, Indonesia; Posts: 86)

There are a number of ways you can protect your network from DoS attacks (not 100%).

1. Filter ICMP and UDP to your network or your server. You can ask your uplink provider to filter these packets in their border routers. This will prevent almost all smurf and fragmentation attacks.

2. Put in a hardware firewall acting like a proxy which only passes on completed packets. This will protect you from malicious TCP traffic like SYN|ACK flooding.

3. Filter out bad IP sources and put some policy in place to rate-limit connections from specific hosts.

I wish this could help you.

#7  11-14-2005, 03:01 AM  agent420 (Disabled; Join Date: Oct 2005; Location: Canada; Posts: 33)
Helpful Article, thanks kalpin.

#8  11-14-2005, 11:43 AM  almahdi (Aspiring Evangelist; Join Date: May 2004; Posts: 394)
Quote:
Originally Posted by kalpin
There are a number of ways you can protect your network from DoS attacks (not 100%).

1. Filter ICMP and UDP to your network or your server. You can ask your uplink provider to filter these packets in their border routers. This will prevent almost all smurf and fragmentation attacks.

2. Put in a hardware firewall acting like a proxy which only passes on completed packets. This will protect you from malicious TCP traffic like SYN|ACK flooding.

3. Filter out bad IP sources and put some policy in place to rate-limit connections from specific hosts.

I wish this could help you.
I agree with you. Also, traffic shaping is one of the solutions for DoS attacks.

#9  05-28-2008, 12:36 AM  de_rader (New Member; Join Date: May 2008; Posts: 0)
If I used iptables to drop SSH attempts, is there a log of those drops? I want to check that it's working. Also, if attempts are dropped, are they still logged and therefore checkable with lastb?

Thanks!

Joe R.

#10  05-28-2008, 01:51 AM  shad4linux (Newbie; Join Date: May 2008; Posts: 6)
The SSH logs normally get written to /var/log/messages or /var/log/secure. I think you had better check these files for logs.

#11  05-28-2008, 02:38 AM  de_rader (New Member; Join Date: May 2008; Posts: 0)
OK, yeah, I'm seeing a lot of authentication failure logs, which is good. Thanks for the tip, I hadn't thought of it. It'd be nice to see messages about drops done by iptables. Perhaps iptables doesn't log these by default? Or maybe I just need to find some third-party software to do this for me.

#12  06-01-2008, 01:01 PM  AboveSecure (Newbie; Join Date: Jun 2008; Location: /root; Posts: 15)
Great post!

#13  06-01-2008, 02:31 PM  almahdi (Aspiring Evangelist; Join Date: May 2004; Posts: 394)
You can use logwatch and see that the maximum number of failed logins from each IP is the number you have set. I suggest using a longer time than 60 seconds, something like 20 minutes (1200 seconds).
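Method 4 from the first post with a LOG rule in front of the DROP, plus a filter that counts the resulting kernel log lines per source, as an added example that is not code from the thread. The interface, port, 1200-second window, log prefix and the sample log lines are assumptions; without the "apply" argument the rules are only printed.

```shell
#!/bin/sh
# Added example, not code from the thread: method 4 (rate limiting new SSH
# connections with -m recent) extended with a LOG rule so that dropped
# attempts show up in the kernel log, plus a filter that summarises them.
# Assumptions: interface eth0, port 22, 4 hits per 1200 s (20 min, as
# suggested above), prefix "SSH_DROP: "; the sample log lines are made up.
IFACE="${IFACE:-eth0}"
SSH_PORT="${SSH_PORT:-22}"
WINDOW="${WINDOW:-1200}"   # seconds a source's connection stamps are counted
HITS="${HITS:-4}"          # the HITS-th new connection inside WINDOW is dropped

# Emit the rules (dry run). Order matters: --set records this packet,
# --rcheck logs without adding a stamp, and --update drops and refreshes
# the timestamp so a source that keeps hammering stays blocked.
ssh_ratelimit_rules() {
    cat <<EOF
iptables -N SSH_LIMIT
iptables -A SSH_LIMIT -m recent --name SSH --set
iptables -A SSH_LIMIT -m recent --name SSH --rcheck --seconds $WINDOW --hitcount $HITS -m limit --limit 6/min -j LOG --log-prefix "SSH_DROP: "
iptables -A SSH_LIMIT -m recent --name SSH --update --seconds $WINDOW --hitcount $HITS -j DROP
iptables -I INPUT -i $IFACE -p tcp --dport $SSH_PORT -m state --state NEW -j SSH_LIMIT
EOF
}

# Constructed sample of what the LOG target writes to /var/log/messages
# (or /var/log/kern.log); SRC= is the address whose connection was dropped.
sample_log() {
    cat <<'EOF'
Jun  1 13:58:02 host sshd[2112]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Jun  1 13:58:09 host kernel: SSH_DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40130 DPT=22 SYN
Jun  1 13:58:15 host kernel: SSH_DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40131 DPT=22 SYN
Jun  1 14:01:44 host kernel: SSH_DROP: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=22 SYN
Jun  1 14:02:01 host kernel: SSH_DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40140 DPT=22 SYN
EOF
}

# Read log lines on stdin; print "<drops> <source>" per IPv4 source, busiest first.
# Only kernel LOG lines with our prefix count; sshd failures are a separate signal.
count_ssh_drops() {
    grep 'kernel: SSH_DROP: ' | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

if [ "$1" = apply ]; then
    ssh_ratelimit_rules | sh   # needs root; without "apply" the rules are only printed
else
    ssh_ratelimit_rules
fi
sample_log | count_ssh_drops
```

Dropped connections never reach sshd, so they will not appear in lastb; the kernel LOG lines are the only record of them.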

#14  06-03-2008, 11:32 PM  Xous (Aspiring Evangelist; Join Date: Jun 2003; Posts: 364)
Quote:
Originally Posted by kalpin
There are a number of ways you can protect your network from DoS attacks (not 100%).

1. Filter ICMP and UDP to your network or your server. You can ask your uplink provider to filter these packets in their border routers. This will prevent almost all smurf and fragmentation attacks.

2. Put in a hardware firewall acting like a proxy which only passes on completed packets. This will protect you from malicious TCP traffic like SYN|ACK flooding.

3. Filter out bad IP sources and put some policy in place to rate-limit connections from specific hosts.

I wish this could help you.
While I agree it's a good idea to block some types of ICMP packets, it is also very useful to allow certain types of ICMP requests, such as ICMP echo request/reply and all of the Destination Unreachable replies.

While setting up a dedicated firewall will prevent your server from being heavily loaded by a D/DoS, your server will still appear unresponsive to the outside world if the D/DoS exceeds the amount of traffic the device is rated for. It will also be useless if the D/DoS exceeds the bandwidth of your up-link.

#15  07-09-2008, 03:36 AM  HostingWebAsia (Junior Guru Wannabe; Join Date: Apr 2006; Posts: 66)
Changing the port is the easiest and the best. That's what I do first.
