Protect your servers against brute force SSH attacks

February 8, 2013  |  linux, security

I bet that if any of you have a server exposed to the internet without proper firewall protection, it is under heavy fire from attackers around the “world”… by which I mean mostly SSH attacks from China and Russia. If you’re curious, on Linux you can count the failed SSH login attempts for a given day with the following command:

[root@dev ~]# grep Failed /var/log/secure |grep "Feb 6" |wc -l

For instance, my server had 451 SSH login attempts yesterday (February 6). If you check your secure log file you will surely find dozens or hundreds of attempts logged like this:

Feb 6 15:21:31 dev unix_chkpwd[29018]: password check failed for user (root)
Feb 6 15:21:31 dev sshd[29016]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= user=root
Feb 6 15:21:33 dev sshd[29016]: Failed password for root from port 39272 ssh2
Feb 6 15:21:33 dev sshd[29017]: Received disconnect from 11: Bye Bye

There are lots of things you can do to protect your infrastructure. For instance, if you want to protect your server with iptables firewall rules, you can implement geo-based iptables rules, or you can blacklist IPs based on the number of failed attempts.

First check if you have iptables installed:

[root@dev ~]# rpm -q iptables

If you don’t, you can install it by running yum install iptables or apt-get install iptables. Next, I’ll show how simple it is to protect your server based on the number of attempts from a single IP address (limiting the rate of SSH connections). Take a look at the following rules file I’ve created:

[root@dev ~]# cat /root/iptables-rules
# iptables-restore needs the table header and a closing COMMIT
*filter
# record every new SSH connection in the "SSH" list, then drop the source
# once it has 5 hits within 600 seconds (--rttl also requires a matching TTL)
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 5 --rttl --name SSH -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 0/0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT

This file accepts SSH connections on port 22, but limits each source address to 5 new connection attempts per 10 minutes (600 seconds). Note that the recent match counts new TCP connections (--state NEW), not failed logins, so a legitimate user who opens many sessions in quick succession is rate-limited as well. The file also allows everyone to access port 80 (HTTP). To load these rules into iptables you only have to run the following commands:

[root@dev ~]# iptables-restore < /root/iptables-rules
[root@dev ~]# /etc/init.d/iptables save
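To see how the counter behaves before you deploy the rule, here is an added Python example (not part of the original post) that parses the "Failed password" lines shown earlier per source address and replays them through the same 600-second / 5-hit sliding window the recent rule uses. The log excerpt and the 203.0.113.7 / 198.51.100.23 addresses are constructed (RFC 5737 documentation ranges), and treating each failed login as a new connection is a simplification: the real rule counts every new TCP connection to port 22, successful or not.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed /var/log/secure excerpt (RFC 5737 documentation addresses, not real attackers)
SAMPLE_LOG = """\
Feb  6 15:21:33 dev sshd[29016]: Failed password for root from 203.0.113.7 port 39272 ssh2
Feb  6 15:21:40 dev sshd[29020]: Failed password for root from 203.0.113.7 port 39281 ssh2
Feb  6 15:21:47 dev sshd[29024]: Failed password for invalid user admin from 203.0.113.7 port 39290 ssh2
Feb  6 15:21:55 dev sshd[29028]: Failed password for root from 203.0.113.7 port 39299 ssh2
Feb  6 15:22:02 dev sshd[29032]: Failed password for root from 203.0.113.7 port 39305 ssh2
Feb  6 15:22:10 dev sshd[29036]: Failed password for root from 203.0.113.7 port 39312 ssh2
Feb  6 16:05:12 dev sshd[29100]: Failed password for bob from 198.51.100.23 port 51234 ssh2
Feb  6 16:40:03 dev sshd[29140]: Failed password for bob from 198.51.100.23 port 51301 ssh2
Feb  6 16:40:03 dev sshd[29140]: Received disconnect from 198.51.100.23: 11: Bye Bye
"""

FAILED_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+ ssh2"
)

def parse_failed(lines, year=2013):
    """Yield (timestamp, user, source_ip) per 'Failed password' record; syslog omits the year."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def failures_per_ip(lines):
    """Per-source totals: the per-IP breakdown of the post's `grep Failed | wc -l`."""
    counts = defaultdict(int)
    for _, _, ip in parse_failed(lines):
        counts[ip] += 1
    return dict(counts)

def simulate_recent(lines, seconds=600, hitcount=5):
    """Replay each failure as a new SSH connection through the window used by
    `-m recent --set` then `--update --seconds S --hitcount N`: the hit is
    recorded first, then dropped once the source has N hits in the last S s."""
    hits, dropped = defaultdict(deque), defaultdict(int)
    for ts, _, ip in parse_failed(lines):
        window = hits[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > seconds:
            window.popleft()
        if len(window) >= hitcount:
            dropped[ip] += 1
    return dict(dropped)
```

Run `failures_per_ip(SAMPLE_LOG.splitlines())` and `simulate_recent(SAMPLE_LOG.splitlines())` against your own log to see which sources the rule would have throttled and from which attempt onward.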

With this simple measure your server is much more secure than without it. If you have any questions about iptables, linux, security measures or if you want any security consulting, please feel free to contact me.
