Protect your servers against brute force SSH attacks
I bet if any of you have an exposed server to an internet connection, without properly firewall protection, that your server is under heavy fire from hackers around the “world”… By the world I mean mostly China and Russia ssh attacks. If you’re curious, on Linux you can check the number of failed ssh attempts by running the following command:
[root@dev ~]# grep Failed /var/log/secure |grep "Feb 6" |wc -l 451
For instance, my server had 451 ssh attempts to login yesterday (February 6). If you check your secure log file you can surely find dozens, or hundreds of attempts logged like this:
Feb 6 15:21:31 dev unix_chkpwd: password check failed for user (root) Feb 6 15:21:31 dev sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=126.96.36.199 user=root Feb 6 15:21:33 dev sshd: Failed password for root from 188.8.131.52 port 39272 ssh2 Feb 6 15:21:33 dev sshd: Received disconnect from 184.108.40.206: 11: Bye Bye
There are lots of things you can do to protect your infrastructure. For instance, if you want to protect your server using iptables firewalling rules, you can implement geobased iptables rules or you can blacklist ip’s based on the number of failed attempts.
First check if you have iptables installed:
[root@dev ~]# rpm -q iptables iptables-1.4.7-5.1.el6_2.x86_64
If you don’t, you may install it by running yum install iptables or apt-get install iptables. Next, I’ll show how simple is to protect your server based on the number of failed attempts from an IP address (limiting the number of ssh attempts). Take a look at the following rules files I’ve created:
[root@dev ~]# cat /root/iptables-rules *filter :INPUT DROP :FORWARD DROP :OUTPUT ACCEPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 5 --rttl --name SSH -j DROP -A INPUT -p tcp --dport 22 -j ACCEPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -s 0/0 -p tcp -m tcp --dport 80 -j ACCEPT COMMIT
The previous file specifies rules to accept SSH connections on port 22, but only allows 5 connections attempts each 10 minutes (600 seconds). It also allows everyone to access port 80 (http). To load these rules to iptables you only have to run the following commands:
[root@dev ~]# iptables-restore < /root/iptables-rules
[root@dev ~]# /etc/init.d/iptables save
With this simple measure your server is much more secure than without it. If you have any questions about iptables, linux, security measures or if you want any security consulting, please feel free to contact me.