Protecting against SSH brute-force attacks

Practically all UNIX-based servers run a SSH server to allow remote administration across the Internet. From time to time, you might notice a large number of failed login attempts. Often, these are brute-force attacks against your SSH server

In this hack, we’ll show you 5 tips to protect machines running SSH daemons from brute-force attacks.

Change the default port
Configure your SSH daemon to listen on a non-standard port. SSH servers have no trouble doing this. Just make sure you configure your firewalls to allow connections to the new port. For instance, to have your SSH daemon to accept connections on port 2222, edit the sshd_config file and modify the value of Port to 2222 and restart the SSH daemon.

This method stops hackers who are just scanning for SSH servers on their default port, but any advance port scanner will reveal the daemon on a non-standard port. Nevertheless, this should reduce dramatically the number of attacks.

Disable Password Authentication
Passwords are easy to break than private-keys. Provide SSH key-based logins to all your users and disable password logins entirely. This will mean that users can only authenticate if they have the correct private key. To disable password authentication, edit sshd_config and change the value of PasswordAuthentication to no.

If you prefer passwords over SSH keys, make sure you use strong passwords for all your users.

Limit Connections
This method limits the number of SYN (connection establishment) packets. The effect of this should be unnoticed by legitimate users, but it will delay an attacker that is making repeated connections. For instance, if you want to limit the connection rate to port 2222 to three per minute:

iptables -A INPUT -p tcp –dport 2222 –syn -m limit –limit 1/m –limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp –dport 2222 –syn -j DROP

Disable Root Access
If you permit root login on your servers, you must disable it. It will still be possible to log in as a non-privileged user and become the super-user.

Deploy Anti-Brute-Force Tools

SSHDFilter -SSHDFilter blocks the frequent brute-force attacks by directly reading the SSH daemon logs and generating firewall rules to block the attack. The blocking firewall policy is defined by a list of block-rules. Download SSHDFilter.

pam_abl - A Pluggable Authentication Module that provides auto blacklisting of hosts and users responsible for repeated failed authentication attempts. Download pam_abl.

SSHBan - SSHban is simple daemon designed to ban attackers. Instead of scanning SSH logs, SSHBan directly receives data from the logger. Download SSHBan.

IPTables Recent Module - This Linux-kernel module allows you to track seen IP addresses and be able to match against them using some criteria. This module is extremely useful to build up a temporary list of IP addresses that attempt to brute-force your SSH server and drop everything coming from them for a given amount of time. Download IPTables Recent module.

DenyHost - DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server brute-force attacks . It observers login attempts to the SSH server and if it determines a possible brute-force attack, it will add the IP address to /etc/hosts.deny. Download DenyHost.

Brute-Force Detection -BFD is a shell script for parsing application logs and checking for authentication failures and block the IP address using custom firewall rules. Download Brute-Force Detection.

sshd_sentry - SSHD Sentry is a Perl script that monitors SSH server logs, detects repeated failed login attempts and adds the hosts to a black list. Download sshd_sentry.
SSHGuard - Protects networks from brute force attacks against ssh servers. It detects such attacks and blocks the host’s address with a firewall rule. Download SSHGuard.