Linux-Noob Forums
SSHD brute force protection - Printable Version

+- Linux-Noob Forums (https://www.linux-noob.com/forums)
+-- Forum: Linux Server Administration (https://www.linux-noob.com/forums/forum-8.html)
+--- Forum: Security and Firewalls (https://www.linux-noob.com/forums/forum-87.html)
+--- Thread: SSHD brute force protection (/thread-1989.html)



SSHD brute force protection - qstraza - 2006-05-05


hello, once again me, I have a lot of security problems as you see :P

 

This time I would like to know which stuff is the best against brute force on sshd. I found some scripts that add IPs to iptables... but I'm not sure which one to use... or is there any other way? It's not that I don't like that, it's cool, but I would like you to tell your opinion on this one...

 

cu;)




SSHD brute force protection - tek-69 - 2006-05-06

There's not much you can do about scanners if that's what you mean. That said, I use /etc/hosts.deny and my logs to pinpoint troublemakers and deny their IP. Basically if I see someone tried more than 10 times to get in, they get added to the list and after that the connection is automatically rejected and packets are ignored. So far I'd say after about 3 or 4 months of use, I've blocked about 10 repeat offenders. Not great but it helps. I'm curious myself as to what other people are doing to deal with the situation since it seems to be a net-wide issue.
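The log-driven approach tek-69 describes (count failed logins per source, add repeat offenders to /etc/hosts.deny) is easy to automate. The following Python script is an added example, not code from this thread or from any of the tools it mentions. The log lines are constructed for the example, in the classic syslog format sshd writes to /var/log/messages, and use documentation-range addresses; the threshold of 10 follows tek-69's post.

```python
import re
from collections import Counter

# Constructed sample of the lines sshd writes to /var/log/messages (classic
# syslog format). Addresses are from the 192.0.2.0/24 and 198.51.100.0/24
# documentation ranges; no real host is referenced.
SAMPLE_LOG = [
    f"May  6 02:11:{s:02d} black sshd[4410]: Failed password for invalid user "
    f"{user} from 192.0.2.10 port 40112 ssh2"
    for s, user in enumerate(["admin", "test", "guest", "oracle", "www", "ftpd",
                              "patrick", "horde", "cyrus", "noc", "webmaster"])
] + [
    "May  6 02:30:01 black sshd[4415]: Failed password for root from 192.0.2.55 port 3290 ssh2",
    "May  6 02:30:04 black sshd[4415]: Failed password for root from 192.0.2.55 port 3290 ssh2",
    "May  6 02:30:07 black sshd[4415]: Failed password for root from 192.0.2.55 port 3290 ssh2",
    "May  6 02:45:10 black sshd[4419]: Accepted publickey for qstraza from 198.51.100.7 port 51022 ssh2",
    "May  6 02:46:00 black kernel: eth0: link up",  # unrelated line, must be ignored
]

# Matches both "Failed password for invalid user X from IP" (unknown account)
# and "Failed password for X from IP" (existing account, wrong password).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def count_failures(lines):
    """Return (failures per source IP, set of user names tried per source IP)."""
    per_ip = Counter()
    users = {}
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        ip, user = m.group("ip"), m.group("user")
        per_ip[ip] += 1
        users.setdefault(ip, set()).add(user)
    return per_ip, users


def hosts_deny_entries(per_ip, threshold=10):
    """hosts.deny lines for every source with MORE than `threshold` failures."""
    return [f"sshd: {ip}" for ip in sorted(per_ip) if per_ip[ip] > threshold]


if __name__ == "__main__":
    per_ip, users = count_failures(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f"{ip:15} {n:3} failures, users tried: {', '.join(sorted(users[ip]))}")
    print("\n".join(hosts_deny_entries(per_ip)))
```

Two things to keep in mind when using this for real: /etc/hosts.deny only has an effect if sshd was built with TCP wrappers (libwrap) support, which was common at the time of this thread but was removed from OpenSSH in 6.7, so on a modern system the same list would have to go into a firewall rule instead; and the user-name summary per source is what tells you, as qstraza notes later in the thread, whether an attacker ever tried an account that actually exists.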



SSHD brute force protection - anyweb - 2006-05-06


try this ssh rate limiter

 

https://www.linux-noob.com/forums/index.php?showtopic=1829

 

cheers

anyweb




SSHD brute force protection - xDamox - 2006-05-06


Hi,

 

Have a look at pam_abl http://www.hexten.net/pam_abl/ I was going to do a tutorial on it

but it's pretty straightforward




SSHD brute force protection - qstraza - 2006-05-06

I'm looking at /var/log/messages more often the last few days and I cannot believe my eyes. I'm getting brute forced 5 hours at night from one host. But the hosts are changing... tek-69, I blocked 10 hosts in 2 days... it's pretty hard to follow these hosts and block them as they do that... so lame, so truckin lame



SSHD brute force protection - anyweb - 2006-05-06


in addition to limiting the number of ssh attempts allowed per minute

 

see https://www.linux-noob.com/forums/index.php?showtopic=1829 and also https://www.linux-noob.com/forums/index.php?showtopic=1378

 

deny root access to logging in via ssh > https://www.linux-noob.com/forums/index.php?showtopic=1013

 

change the ssh port from default 22 to something else > https://www.linux-noob.com/forums/index.php?showtopic=646

 

and decide what users are allowed and denied via the sshd_config file >

 



Code:
# Authentication:
# AllowUsers/DenyUsers take space-separated user patterns; commas would be
# read as part of the user name, so the list is written without them.
AllowUsers qstraza
DenyUsers www oracle daemon ftpd spamd test guest admin patrick rolo iceuser horde cyrus wwwrun matt jane pamela cosmin cpi52 cpi51 noc webmaster user




 

 

that should be a good start (remember to restart the sshd service after making changes to that file)

 

cheers

 

anyweb




SSHD brute force protection - qstraza - 2006-05-06


thx anyweb... I haven't had root allowed to login for a few years now... and I have only 4 users on the server. Those who are bruteforcing me never try the correct user so far... just the same strange names (which are in the bruteforce username_file or sth).

 

I will really change the sshd port, I can't see any other solution at this point.

 

oh anyweb your iptables rules rules :P

I tried that rule from FluKex but I don't see the results.

 

Code:
root@black:~# ssh faf@my_ip
faf@my_ip's password:
Permission denied, please try again.
faf@my_ip's password:
Permission denied, please try again.
faf@my_ip's password:
Permission denied (publickey,password,keyboard-interactive).
root@black:~# ssh faf@my_ip
ssh: connect to host my_ip port 22: Connection refused
root@black:~# ssh faf@my_ip
ssh: connect to host my_ip port 22: Connection refused
root@black:~#

 

this is after adding this rule into iptables:



Code:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m limit --limit 2/minute --limit-burst 1 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset




 

but before that I tried this code:



Code:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m limit --limit 2/minute --limit-burst 1 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset




 

what did I miss in the second code?
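The iptables `limit` match used in the rules above is a token bucket: `--limit-burst` is the number of tokens the bucket starts with (and its maximum), and `--limit` is the refill rate, so `2/minute --limit-burst 1` hands out one token, then one more every 30 seconds. Because the first rule accepts ESTABLISHED traffic, only new connections are counted; the three password prompts in the session qstraza pasted all ride on one accepted connection, and the next two `ssh` commands arrive before a new token exists and hit the REJECT rule. The Python model below is an added example (not from the thread or from iptables itself) that replays that sequence; the arrival times are constructed, and the model is the arithmetic of the match, not netfilter's integer implementation. It also shows a second property of this rule set that the thread does not spell out: the limit has no per-source state, so a legitimate client from a different address is refused just the same while the bucket is empty.

```python
# Constructed connection attempts: (seconds, label). Each entry is one new TCP
# connection (one ssh command); password retries inside an open session are
# ESTABLISHED and never reach the limit rule.
ATTEMPTS = [
    (0.0, "1st ssh: three password prompts, then 'Permission denied'"),
    (20.0, "2nd ssh"),
    (25.0, "3rd ssh"),
    (35.0, "4th ssh (30 s after the 1st was accepted)"),
    (36.0, "ssh from a different address (limit keeps no per-source state)"),
]


def limit_match(arrival_times, rate_per_minute=2.0, burst=1):
    """Token-bucket model of `-m limit --limit N/minute --limit-burst B`.

    Returns one bool per arrival: True when the match succeeds (the packet
    takes the ACCEPT rule), False when it falls through to the next rule.
    """
    refill_interval = 60.0 / rate_per_minute  # seconds until one more token
    tokens = float(burst)                     # bucket starts full
    last = arrival_times[0] if arrival_times else 0.0
    decisions = []
    for t in arrival_times:
        # Refill for the time elapsed since the previous packet, capped at burst.
        tokens = min(float(burst), tokens + (t - last) / refill_interval)
        last = t
        if tokens >= 1.0:
            tokens -= 1.0
            decisions.append(True)
        else:
            decisions.append(False)
    return decisions


def replay(attempts=ATTEMPTS, rate_per_minute=2.0, burst=1):
    """Pair each attempt with the verdict the posted rule set would give."""
    verdicts = limit_match([t for t, _ in attempts], rate_per_minute, burst)
    return [(t, label, "ACCEPT" if ok else "REJECT (tcp-reset)")
            for (t, label), ok in zip(attempts, verdicts)]


if __name__ == "__main__":
    for t, label, verdict in replay():
        print(f"t={t:5.1f}s  {verdict:20} {label}")
```

Raising `--limit-burst` lets a few connections through back to back before the throttle engages; lowering `--limit` stretches the gap between tokens. Neither setting changes the fact that this rule counts every new SSH connection together, which is why it also throttled the poster's own test from his workstation.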




SSHD brute force protection - xDamox - 2006-05-06

Did you look at pam_abl?



SSHD brute force protection - qstraza - 2006-05-06


xDamox, I did but I don't like this part:

 



Code:
Generally configured so that blacklisted users still see normal login prompts but are guaranteed to fail to authenticate.




 

When a brute force is executed on my host it will still take my bandwidth, right?

When I check the logs and look at the users that were attempted, I'm sure that they won't figure out the real user, not even the password. But I'm getting lagged during a brute force, it's like a DoS for me, cuz I have low upload. So I need something to drop the connection, not just to ensure that they can't login.

 

cu




SSHD brute force protection - znx - 2006-05-06


Quote:There's not much you can do about scanners if that's what you mean. That said, I use /etc/hosts.deny and my logs to pinpoint troublemakers and deny their IP. Basically if I see someone tried more than 10 times to get in, they get added to the list and after that the connection is automatically rejected and packets are ignored. So far I'd say after about 3 or 4 months of use, I've blocked about 10 repeat offenders. Not great but it helps. I'm curious myself as to what other people are doing to deal with the situation since it seems to be a net-wide issue.
 

 

The BEST solution .. is to completely reject ALL password logins.. Only accept Pkey !

 

https://www.linux-noob.com/forums/index.php?showtopic=1696 :)
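Between anyweb's list (deny root, move the port, restrict users via sshd_config) and znx's point that the real fix is to reject password logins altogether, the thread amounts to a short sshd_config checklist. The script below is an added example, not code from the thread or from OpenSSH, that audits an sshd_config text against that checklist. The sample configuration is constructed for the example. It copies two sshd parsing rules that trip people up: the first occurrence of a keyword is the one sshd uses, and everything after the first `Match` line is conditional and so is not part of the global configuration. The keyword names and defaults (`PermitRootLogin`, `Port`, `AllowUsers`, `PasswordAuthentication`, `ChallengeResponseAuthentication`/`KbdInteractiveAuthentication`, `PubkeyAuthentication`) are real sshd_config keywords; treating the absence of `PermitRootLogin` as "allowed" follows the default of the OpenSSH versions current at the time of the thread.

```python
import re

# Constructed sshd_config excerpt (not any real server's file). It applies some of
# the thread's advice and leaves two settings at their defaults.
SAMPLE_CONFIG = """\
# Authentication:
Port 22
PermitRootLogin no
AllowUsers qstraza
# sshd keeps the first value it sees for a keyword, so this later line is ignored
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes

# settings below the first Match line apply only to the matching users
Match User backup
    PasswordAuthentication no
"""

# "Keyword value" or "Keyword=value"; sshd keywords are case-insensitive.
LINE_RE = re.compile(r"^\s*([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*?)\s*$")


def parse_sshd_config(text):
    """Global sshd_config settings as {lowercase keyword: value}."""
    settings = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break                      # end of the global section
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def audit(text):
    """Map each recommendation from the thread to True (in place) or False."""
    cfg = parse_sshd_config(text)
    get = lambda key, default: cfg.get(key, default).lower()
    # The PAM/keyboard-interactive method goes by two names depending on the
    # OpenSSH version; either spelling counts, default is "yes" for both.
    kbd = cfg.get("kbdinteractiveauthentication",
                  cfg.get("challengeresponseauthentication", "yes")).lower()
    return {
        "root_login_denied": get("permitrootlogin", "yes") == "no",
        "nondefault_port": get("port", "22") != "22",
        "allowusers_set": bool(cfg.get("allowusers", "").split()),
        # znx's point: no password logins at all. Both the password and the
        # keyboard-interactive method have to be off, otherwise the
        # "Permission denied (publickey,password,keyboard-interactive)"
        # list from the thread still advertises a password path.
        "password_logins_rejected": get("passwordauthentication", "yes") == "no"
                                    and kbd == "no",
        "pubkey_enabled": get("pubkeyauthentication", "yes") != "no",
    }


def failing_checks(text):
    """Sorted names of the recommendations the configuration does not meet."""
    return sorted(name for name, ok in audit(text).items() if not ok)


if __name__ == "__main__":
    for name, ok in audit(SAMPLE_CONFIG).items():
        print(f"{'ok  ' if ok else 'FAIL'} {name}")
```

After editing the real file, `sshd -t` checks it for syntax errors before the restart anyweb mentions. The first-occurrence rule is the usual reason a hardening change "does nothing": a `PasswordAuthentication no` appended at the end of a file that already contains `PasswordAuthentication yes` higher up, or that ends in a `Match` block, is silently ignored, which the test below demonstrates on the sample.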