Page 1 of 3, results 1 to 10 of 23

Thread: Failed SSH login attempts and how to avoid brute ssh attacks

  1. #1 rockdalinux (joined May 2005)

    Failed SSH login attempts and how to avoid brute ssh attacks

    Hello all,

    Please share your tips and howtos about avoiding failed SSH login attempts (brute-force SSH attacks) and securing SSH-based remote login systems.

    This is kind of a group project and I am expecting everyone to share their valuable experience. Please consider the following:

    SSH brute force attacks
    SSH dictionary attacks
    Buffer overflow attacks
    Securing shell access via ssh

    Step # 1: Change the ssh port
    Open config file /etc/ssh/sshd_config
    Code:
    vi /etc/ssh/sshd_config
    The default port is 22; set it to something else, like 678
    Code:
    Port 678
    Step # 2: Bind ssh to a specific IP address
    Usually a server comes with 5 or more public IP addresses. There is no need to bind to all of them. Just bind to one IP address.
    Code:
    ListenAddress 65.1.5.1
    Step # 3: Only use SSH protocol 2
    Code:
    Protocol 2
    Step # 4: Do not allow root to login
    Code:
    PermitRootLogin no
    Step # 5: Deny root user login
    Code:
    DenyUsers root
    Step # 6: Setup login banner
    Code:
    Banner /etc/ssh.go.txt
    Save and close file. Create file
    Code:
    vi /etc/ssh.go.txt
    Type message in file
    Code:
    ************************************************************
    
    This is a private server!!! All ssh login attempts are logged and 
    monitored by our staff. All unauthorized login attempts will be 
    investigated and reported to local authorities.
    If you have any login problem please contact our helpdesk at
    Phone: 888-555-777 or email us
    Email:  support@mycorop.com
    ******************************************************************
    Save and close file. Restart sshd
    Code:
    /etc/init.d/sshd restart
    Now to login always use:
    Code:
    ssh -p PORT user@IP-address
    ssh -p PORT user@your.server.com
    ssh -p 678 rocky@65.1.5.1
    For scp use the -P port option
    Code:
    scp -P 678 local.txt rocky@65.1.5.1:/home/rocky
    How to Disable SSHD password authentication
    As suggested by monk, you can automate passwordless logins with SSH client keys instead of password authentication.

    Type at your local Linux/UNIX workstation; create a public/private key pair:
    Code:
    ssh-keygen -t rsa
    Just press the [Enter] key when prompted for a passphrase; hit [Enter] twice. Now you have the files ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub. Copy the ~/.ssh/id_rsa.pub file to your remote SSH server using scp:

    First log in to the remote server over ssh and create the .ssh directory:
    Code:
    ssh -p 678 user@65.1.5.1
    Now create the .ssh dir and set its permissions to 0700
    Code:
    mkdir .ssh && chmod 0700 .ssh
    logout
    Now type the following on the client system (copy the file to the remote server as authorized_keys2)
    Code:
    scp -P 678 ~/.ssh/id_rsa.pub user@65.1.5.1:.ssh/authorized_keys2
    scp  -P 678 ~/.ssh/id_rsa.pub user@65.1.5.1:/home/user/.ssh/authorized_keys2
    Now you can log in to the remote system without a password from your local Linux/UNIX workstation.

    Code:
    ssh -p 678 user@65.1.5.1
    On the server open /etc/ssh/sshd_config
    Code:
    vi /etc/ssh/sshd_config
    And disable password authentication
    Code:
    PasswordAuthentication no
    Restart sshd
    Code:
    /etc/init.d/sshd restart
    Rocky Jr.
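
The sshd_config steps above (Steps 1, 3, 4 and the PasswordAuthentication section) are the kind of thing that gets done by hand once and then drifts. The script below is an added example, not code from the original post: it rewrites those directives in a config file, audits the result the way sshd reads it (first uncommented occurrence of a directive wins), and checks that a ~/.ssh path has no group/other permission bits, which is the 0700/0600 point the thread raises. Port 678 is the post's example value; the ChallengeResponseAuthentication and MaxAuthTries directives are additions of mine and are not in the post; the config lines in demo are a constructed sample, not a real server's file.

```shell
#!/bin/sh
# Added example, not from the original post: automate the sshd_config
# hardening from the thread, audit it, and check ~/.ssh permissions.
set -eu

# Set "key value" in an sshd_config-style file: rewrite every existing
# (possibly commented-out) line for that key, or append it if absent.
sshd_set() {
    file=$1; key=$2; value=$3
    if grep -q "^[#[:space:]]*${key}[[:space:]]" "$file"; then
        sed "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Apply the post's hardening (plus two labelled additions) to the file in $1.
harden_sshd_config() {
    file=$1; port=${2:-678}                            # 678 is the post's example port
    sshd_set "$file" Port "$port"                      # Step 1
    sshd_set "$file" Protocol 2                        # Step 3
    sshd_set "$file" PermitRootLogin no                # Step 4
    sshd_set "$file" PubkeyAuthentication yes
    sshd_set "$file" PasswordAuthentication no         # key-only logins
    # Addition (not in the post): without this, PAM keyboard-interactive
    # can still prompt for a password even with PasswordAuthentication no.
    sshd_set "$file" ChallengeResponseAuthentication no
    # Addition (not in the post): fewer guesses per TCP connection.
    sshd_set "$file" MaxAuthTries 3
}

# sshd uses the first uncommented occurrence of a directive, so read that one.
sshd_get() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Exit 0 if every directive has the wanted value; print each mismatch otherwise.
audit_sshd_config() {
    file=$1; rc=0
    for pair in 'Protocol 2' 'PermitRootLogin no' 'PasswordAuthentication no' \
                'ChallengeResponseAuthentication no' 'PubkeyAuthentication yes'; do
        key=${pair%% *}; want=${pair#* }
        got=$(sshd_get "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', want '$want'"
            rc=1
        fi
    done
    return $rc
}

# Exit 0 if group and others have no permission bits on $1
# (0700 for ~/.ssh, 0600 for authorized_keys and id_rsa).
private_perms() {
    mode=$(ls -ld "$1" | cut -c2-10)
    case $mode in
        ???------) return 0 ;;
        *) echo "FAIL: $1 has mode $mode, expected group/other bits clear"; return 1 ;;
    esac
}

# Demo on a scratch copy of a stock-looking config (constructed sample lines).
demo() {
    tmp=$(mktemp)
    printf '#Port 22\n#Protocol 2\nPermitRootLogin yes\n#PasswordAuthentication yes\nListenAddress 0.0.0.0\n' > "$tmp"
    audit_sshd_config "$tmp" || true      # prints the weak settings
    harden_sshd_config "$tmp" 678
    audit_sshd_config "$tmp" && cat "$tmp"
    rm -f "$tmp"
}
demo
```

On a real host run `harden_sshd_config /etc/ssh/sshd_config 678`, then `sshd -t` to syntax-check the file before restarting sshd, and keep your existing session open until a second login on the new port and with the key has succeeded; a config error or a missing authorized_keys file otherwise locks you out.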

  2. #2 raj (joined Jun 2005)

    Rocky, I am not good at securing servers, but here is the command that will tell you if you are under attack. It will list failed login attempts along with the host/IP address:

    Code:
    # $13 is the "rhost=<host>" field in the sshd(pam_unix) log format; cut -b7- strips "rhost="
    grep -i 'authentication failure' /var/log/messages | awk '{ print $13 }' | cut -b7- | sort | uniq -c
    Output:
    Code:
          10 xxx.vnsl.in
          12 xxx.xxx.yyy.zzz
          56 xxx.xxx.yyy.zzz
    Raj
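
raj's one-liner depends on the PAM message being at a fixed field position, which shifts between log formats (the newer `sshd[pid]: pam_unix(sshd:auth):` prefix pushes `rhost=` to field 14). The script below is an added example, not part of raj's post or the thread: it locates the `rhost=` field wherever it is, also counts sshd's own `Failed password ... from <ip>` lines, lists sources at or above a threshold, and prints (does not run) one iptables DROP rule per offender. The lines in sample_log are constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges; port 678 is the thread's example port.

```shell
#!/bin/sh
# Added example, not from the original post: failed-SSH-login counting
# over syslog-style lines, with a threshold and generated block rules.
set -eu

# Constructed sample log (documentation IP ranges), not a real server's log.
sample_log() {
    cat <<'EOF'
Dec 12 03:14:01 srv sshd[2201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Dec 12 03:14:03 srv sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Dec 12 03:14:05 srv sshd[2205]: Failed password for invalid user oracle from 203.0.113.7 port 40141 ssh2
Dec 12 03:15:40 srv sshd[2210]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.20 user=rocky
Dec 12 03:16:02 srv sshd[2212]: Accepted publickey for rocky from 198.51.100.20 port 51022 ssh2
Dec 12 03:20:11 srv cron[2300]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
}

# Print "count source" for every source of failed SSH logins, highest first.
# Handles both the PAM "authentication failure ... rhost=" form and sshd's
# own "Failed password|publickey|none ... from <ip>" form.
failed_ssh_sources() {
    awk '
        /sshd/ && /authentication failure/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^rhost=/) { h = substr($i, 7); if (h != "") n[h]++ }
        }
        /sshd/ && /Failed (password|publickey|none)/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") n[$(i + 1)]++
        }
        END { for (h in n) print n[h], h }
    ' "$@" | sort -rn
}

# Sources with at least $1 failures in the log files named after it.
ssh_offenders() {
    threshold=$1; shift
    failed_ssh_sources "$@" | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Emit (do not execute) one iptables rule per offender for the given SSH port.
block_commands() {
    port=$1; threshold=$2; shift 2
    ssh_offenders "$threshold" "$@" | while read -r ip; do
        printf 'iptables -I INPUT -p tcp --dport %s -s %s -j DROP\n' "$port" "$ip"
    done
}

# Demo over the constructed sample.
f=$(mktemp)
sample_log > "$f"
failed_ssh_sources "$f"
block_commands 678 3 "$f"
rm -f "$f"
```

Run it against /var/log/secure or /var/log/auth.log instead of the sample; review the printed rules before piping them to sh as root. One caveat: when PAM and sshd both log the same attempt to the same file, an attempt is counted twice, so pick a threshold for one message form or feed the script only the file that carries one of them.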

  3. #3 B!n@ry (joined Dec 2006)

    Well, this can be done by installing the csf firewall found here: http://www.configserver.com/cp/csf.html
    It can do all of the following:
    This suite of scripts provides:

    * Straight-forward SPI iptables firewall script
    * Daemon process that checks for login authentication failures for:
    o courier imap and pop3
    o ssh
    o non-ssl cpanel / whm / webmail (ssl cpanel/whm login tracking support available in EDGE release)
    o pure-ftpd
    o password protected web pages (htpasswd)
    o mod_security failures
    * POP3/IMAP login tracking to enforce logins per hour
    * SSH login notification
    * SU login notification
    * Excessive connection blocking
    * WHM configuration interface
    * WHM iptables report log
    * Easy upgrade between versions from within WHM
    * Pre-configured to work on a cPanel server with all the standard cPanel ports open
    * Auto-configures the SSH port if it's non-standard on installation
    * Block traffic on unused server IP addresses - helps reduce the risk to your server
    * Alert when end-user scripts sending excessive emails per hour - for identifying spamming scripts
    * Suspicious process reporting - reports potential exploits running on the server
    * Excessive cPanel user processes reporting
    * Excessive cPanel user process usage reporting and optional termination
    * Suspicious file reporting - reports potential exploit files in /tmp and similar directories
    * Directory and file watching - reports if a watched directory or a file changes
    * Block traffic on the DShield Block List and the Spamhaus DROP List
    * Pre-configured settings for Low, Medium or High firewall security
    * Works with multiple ethernet devices
    * Server Security Check - Performs a basic security and settings check on the server
    * Allow Dynamic DNS IP addresses - always allow your IP address even if it changes whenever you connect to the internet
    * Alert sent if server load average remains high for a specified length of time


    To enable the ssh login failure detection, set:
    Code:
    LF_SSHD = "1"

  4. #4 Junior Member (joined Dec 2006)

    You can use CSF with lfd as B!n@ry says, or APF with BFD.

  5. #5 nixcraft (joined Jan 2005)

    B!n@ry, excellent find

    This is new to me; generally I use apf or write iptables from scratch for clients. BFD is also good.

  6. #6 B!n@ry

    Quote Originally Posted by nixcraft
    B!n@ry, excellent find
    nixCraft, it's not a "find", it's installed on our servers.

    Quote Originally Posted by nixcraft
    generally I use apf or write iptables from scratch for client.
    Ohhhh, man, all from scratch???? What a headache.

  7. #7 monk (joined Jan 2005)

    Why not disable password authentication? This will solve almost all problems.
    Code:
    PasswordAuthentication no

  8. #8 monk

    Quote Originally Posted by B!n@ry
    Ohhhh, man all from scratch ???? what a head ache
    Sure, it is a pain, but sometimes you have to write everything from scratch. If you are setting up a cluster or complicated networking, APF or other scripts are not useful.

    And not to mention you can make some good money by providing customized solutions.

  9. #9 sweta (joined Feb 2005)

    This post rocks.

    Make sure your file permissions on both ~/.ssh/* and server:~/.ssh/* are set to 0600. Your private key file id_rsa must be present only on your local Linux/UNIX workstation.

    Check out Top Ten Secure Shell FAQs http://www.oreillynet.com/pub/a/orei...tips_0101.html
    Quote Originally Posted by Bin@ry
    nixCraft, its not a "find" its installed on our Servers
    LOL... do you have your own box for learning or for business??? I think nixcraft is not using any sort of CP, just a guess.

    Bye

  10. #10 nixcraft

    Here is the line from my pf firewall script
    Code:
    pass inet proto tcp from any to any port 22 keep state (max-src-conn-rate 5 / 60)
    My pf limits the connection rate to port 22 to five per minute. You can set it to 2 or anything else. It will stop an attacker who is trying an attack on the ssh server, as my firewall caps incoming requests at 5.

    For iptables see the tutorial written by our friends @ debian-administration.org http://www.debian-administration.org/articles/187

    @sweta
    I do use a CP for clients but personally I don't use any CP. I was not aware of the csf firewall script or module. There are tons of such scripts.

    @bin@ry
    Hehe, yes, sometimes I do write it from scratch.

    @monk
    Buddy, don't give away our secrets in public; making money is not bad I guess :P
