qstraza

SSHD brute force protection


Hello, once again me; I have a lot of security problems, as you see :P

This time I would like to know which stuff is best against brute force on sshd. I found some scripts that add IPs to iptables... but I'm not sure which one to use... or is there any other way? It's not that I don't like that, it's cool, but I would like you to tell me your opinion on this one...

cu ;)


There's not much you can do about scanners, if that's what you mean. That said, I use /etc/hosts.deny and my logs to pinpoint troublemakers and deny their IP. Basically, if I see someone tried more than 10 times to get in, they get added to the list and after that the connection is automatically rejected and packets are ignored. So far I'd say after about 3 or 4 months of use, I've blocked about 10 repeat offenders. Not great, but it helps. I'm curious myself as to what other people are doing to deal with the situation, since it seems to be a net-wide issue.

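The "count failures in the log, then add the address to hosts.deny" routine described in the post above, written out as an added example (not the poster's script). The log lines are constructed in the format OpenSSH writes to syslog; the threshold and the `sshd:` hosts.deny form are the only assumptions.

```shell
#!/bin/sh
# Added example: count failed sshd logins per source address and emit
# /etc/hosts.deny lines for repeat offenders. Not the forum's own script;
# the log lines below are constructed, not taken from a real server.

# sample_log: a few constructed syslog lines in OpenSSH's format.
sample_log() {
    cat <<'EOF'
Jan 12 03:14:01 black sshd[4021]: Failed password for invalid user oracle from 203.0.113.5 port 41234 ssh2
Jan 12 03:14:03 black sshd[4021]: Failed password for invalid user test from 203.0.113.5 port 41240 ssh2
Jan 12 03:14:05 black sshd[4023]: Failed password for invalid user guest from 203.0.113.5 port 41251 ssh2
Jan 12 03:14:07 black sshd[4025]: Failed password for root from 203.0.113.5 port 41260 ssh2
Jan 12 03:14:09 black sshd[4025]: Failed password for root from 203.0.113.5 port 41260 ssh2
Jan 12 03:20:11 black sshd[4030]: Failed password for qstraza from 198.51.100.7 port 50112 ssh2
Jan 12 03:20:13 black sshd[4030]: Failed password for qstraza from 198.51.100.7 port 50112 ssh2
Jan 12 03:20:15 black sshd[4030]: Accepted publickey for qstraza from 198.51.100.7 port 50112 ssh2
Jan 12 03:21:02 black sshd[4031]: Connection closed by 203.0.113.5
EOF
}

# offenders THRESHOLD < LOG
# Prints "sshd: ADDRESS" for every source with more than THRESHOLD failed
# password attempts, in the form /etc/hosts.deny expects.
offenders() {
    awk -v limit="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            # the source address is the field right after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] > limit) print "sshd: " ip }
    ' | sort
}

# ban_list THRESHOLD LOGFILE: the same report over a real file, e.g.
#   ban_list 10 /var/log/messages >> /etc/hosts.deny
ban_list() {
    offenders "$1" < "$2"
}

# Demo over the constructed sample: only 203.0.113.5 exceeds 3 failures.
sample_log | offenders 3
```

Two things to keep in mind when using this for real: `hosts.deny` only has an effect if sshd was built with TCP wrappers (libwrap), which many newer OpenSSH builds no longer are, so the same list is better fed into an iptables DROP rule; and the count is per address, so a scanner that rotates hosts (as the next post complains about) needs a lower threshold or a network-level limit rather than a longer block list.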

I'm looking at /var/log/messages more often these last few days and I cannot believe my eyes. I'm getting brute forced for 5 hours at night from one host. But the hosts are changing... tek-69, I blocked 10 hosts in 2 days... it's pretty hard to follow these hosts and block them as they do that... so lame, so truckin' lame :angry:


In addition to limiting the number of SSH attempts allowed per minute,

see https://www.linux-noob.com/forums/index.php?showtopic=1829 and also https://www.linux-noob.com/forums/index.php?showtopic=1378

deny root access to logging in via SSH > https://www.linux-noob.com/forums/index.php?showtopic=1013

change the SSH port from the default 22 to something else > https://www.linux-noob.com/forums/index.php?showtopic=646

and decide which users are allowed and denied via the sshd_config file >

# Authentication:
# AllowUsers/DenyUsers take space-separated user patterns, not a comma-separated list
AllowUsers qstraza
DenyUsers www oracle daemon ftpd spamd test guest admin patrick rolo iceuser horde cyrus wwwrun matt jane pamela cosmin cpi52 cpi51 noc webmaster user

That should be a good start (remember to restart the sshd service after making changes to that file).

cheers

anyweb


Thx anyweb... I haven't had root allowed to log in for a few years now... and I have only 4 users on the server. Those who are brute forcing me have never tried the correct user so far... just the same strange names (which are in the brute force username_file or something).

I will really change the sshd port; I can't see any other solution at this point.

Oh anyweb, your iptables rules rule :P

I tried that rule from FluKex but I don't see the results.

root@black:~# ssh faf@my_ip
faf@my_ip's password:
Permission denied, please try again.
faf@my_ip's password:
Permission denied, please try again.
faf@my_ip's password:
Permission denied (publickey,password,keyboard-interactive).
root@black:~# ssh faf@my_ip
ssh: connect to host my_ip port 22: Connection refused
root@black:~# ssh faf@my_ip
ssh: connect to host my_ip port 22: Connection refused
root@black:~#

This is after adding these rules to iptables:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m limit --limit 2/minute --limit-burst 1 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset

But before that I tried this code:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m limit --limit 2/minute --limit-burst 1 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset

What did I miss in the second code?

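One caveat a defender should know about the `-m limit` rules in the post above: the `limit` match keeps a single token bucket for the rule as a whole, not one per client, so once a scanner is hammering port 22 every other source, the administrator included, is sharing the same two-connections-per-minute allowance. The `recent` match keeps a per-source-address table instead, which is what the thread's "block the host that keeps failing" goal actually calls for. The script below is an added example, not the poster's rules or anything from the linked threads; the port, time window and hit count are parameters chosen here, and setting `IPT=echo` prints the rules instead of loading them (loading needs root and the xt_recent module).

```shell
#!/bin/sh
# Added example: per-source SSH connection rate limiting with the iptables
# "recent" match. Not the thread's own rules; port, window and hit count
# are parameters chosen for illustration. IPT=echo gives a dry run.

IPT="${IPT:-iptables}"

# ssh_ratelimit_rules PORT SECONDS HITS
# Allows up to HITS-1 new connections per source address inside any SECONDS
# window; the HITS-th and later attempts from that address are dropped.
ssh_ratelimit_rules() {
    port="${1:-22}"; secs="${2:-60}"; hits="${3:-4}"

    # Packets of already accepted sessions never touch the counters, so an
    # open admin session is not cut off while a scanner is being throttled.
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Record every new connection attempt under its source address.
    "$IPT" -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW \
        -m recent --name SSH --set

    # Drop once this source has made HITS attempts within SECONDS.
    # --update refreshes the timestamp on every hit, so a scanner that keeps
    # retrying stays blocked until it has been quiet for the whole window.
    "$IPT" -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW \
        -m recent --name SSH --update --seconds "$secs" --hitcount "$hits" -j DROP

    # Anything that got this far is under the per-source limit.
    "$IPT" -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
}

# Usage:  IPT=echo sh ssh-ratelimit.sh 22 60 4    (print the rules)
#         sudo sh ssh-ratelimit.sh 22 60 4        (load them)
if [ $# -gt 0 ]; then
    ssh_ratelimit_rules "$@"
fi
```

DROP rather than REJECT is deliberate here: the complaint later in the thread is that the attempts eat upload bandwidth, and a RST is still a packet the server has to send. The per-source table can be inspected at runtime in `/proc/net/xt_recent/SSH`.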

xDamox, I did, but I don't like this part:

Generally configured so that blacklisted users still see normal login prompts but are guaranteed to fail to authenticate.

When brute force is executed against my host it will still take my bandwidth, right?

When I check the logs and look at the users that were attempted, I'm sure that they won't figure out the real user, let alone the password. But I get lagged during a brute force; it's like a DoS for me, because I have low upload. So I need something to drop the connection, not just ensure that they can't log in.

cu


The BEST solution... is to completely reject ALL password logins. Only accept Pkey!

https://www.linux-noob.com/forums/index.php?showtopic=1696 :D

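The settings the thread converges on (no root login, key-only authentication, an explicit AllowUsers list, a non-default port) are easy to get wrong in one specific way: sshd_config uses the first occurrence of a keyword, so a hardening line appended below an earlier "PermitRootLogin yes" does nothing, and a comma-separated DenyUsers list is parsed as patterns like "www," that match no real account. The audit script below is an added example covering both anyweb's checklist and the key-only advice above; it is not code from the forum or from OpenSSH, and the two sample config files are constructed.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the settings discussed in the
# thread (no root login, key-only auth, AllowUsers, non-default port, and
# space-separated user lists). Not the forum's own code; the two sample
# configs below are constructed.

# first_value FILE KEYWORD: print the value sshd will actually use.
# sshd_config takes the FIRST occurrence of a keyword; keywords are
# case-insensitive; comment and blank lines are skipped.
first_value() {
    awk -v kw="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == tolower(kw) {
            v = $2; for (i = 3; i <= NF; i++) v = v " " $i
            print v; exit
        }' "$1"
}

# audit_sshd_config FILE: print one line per finding; the exit status is the
# number of findings, so 0 means the file passed every check.
audit_sshd_config() {
    f="$1"; n=0

    v=$(first_value "$f" PermitRootLogin)
    [ "$v" = "no" ] || { echo "PermitRootLogin is '${v:-unset}', expected no"; n=$((n + 1)); }

    v=$(first_value "$f" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "PasswordAuthentication is '${v:-unset}', expected no (keys only)"; n=$((n + 1)); }

    v=$(first_value "$f" AllowUsers)
    [ -n "$v" ] || { echo "AllowUsers is unset: every local account may attempt a login"; n=$((n + 1)); }

    v=$(first_value "$f" Port)
    if [ -z "$v" ] || [ "$v" = "22" ]; then
        echo "Port is ${v:-22}: the default port draws the scanner traffic"; n=$((n + 1))
    fi

    # "www, oracle, ..." is read as the patterns "www," "oracle," ..., which
    # match no real account name, so most of such a list is dead weight.
    for kw in AllowUsers DenyUsers; do
        case "$(first_value "$f" "$kw")" in
            *,*) echo "$kw contains commas; patterns must be separated by spaces"; n=$((n + 1)) ;;
        esac
    done
    return "$n"
}

# Constructed sample: a weak config, typical of a default install.
weak_config() {
    cat <<'EOF'
# Authentication:
PermitRootLogin yes
PasswordAuthentication yes
DenyUsers www, oracle, daemon, test, guest
EOF
}

# Constructed sample: the same file after applying the thread's advice.
hardened_config() {
    cat <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
# Authentication:
AllowUsers qstraza
DenyUsers www oracle daemon test guest
EOF
}

# run_audit SAMPLE: write the named sample to a temp file and audit it.
run_audit() {
    tmp=$(mktemp) || return 1
    "$1" > "$tmp"
    audit_sshd_config "$tmp"; rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Demo over both constructed samples (use: audit_sshd_config /etc/ssh/sshd_config).
for sample in weak_config hardened_config; do
    echo "== $sample =="
    run_audit "$sample"; echo "findings: $?"
done
```

After editing the real file, `sshd -t` checks the syntax and the service has to be restarted, as anyweb notes; switching PasswordAuthentication off should only be done from a session that has already verified key login works, or the next connection is the one locked out.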