First steps in preventing DOS attacks
Considering the attacker is doing full TCP/IP handshakes, installing a HIDS like OSSEC or fail2ban should work quite nicely to automatically drop this traffic.
Moving SSH to an alternate port is not a bad idea. While it won't protect you from a determined attacker who takes the time to run a full portscan, it will in fact prevent 99.9999% of all attacks.
The vast majority of all public web servers will never even see a single determined attacker who would take the time to find your SSH port. However, all servers on the Internet can expect to have port 22 attacked, typically some tens of thousands of times per day, every day.
These SSH scans are automated, impersonal, and typically try a very limited number of passwords -- somewhere in the range of 10 to 10,000 attempts per attacker. So as long as all your SSH passwords are long and unpredictable, you should have nothing to worry about.
Nonetheless, SSH keys are always better than passwords. Particularly for root, password authentication should be disabled altogether. Either disable direct login as root (preferred) or disable password authentication for root using PermitRootLogin without-password in your sshd_config file.
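As an added example (not code from the answer above), here is a small POSIX shell audit of the sshd_config settings the answer recommends. The audit function, the file names and the two sample configs are mine and are constructed for illustration; the audit assumes plain "Keyword value" lines with no Match blocks (those scope settings per user or host and would need sshd -T to resolve). It also exercises one caveat worth knowing: sshd uses the first value it finds for a keyword and ignores later duplicates, so a hardening line appended below an earlier PermitRootLogin yes changes nothing.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings the answer recommends.
# Caveat this checks for: sshd uses the FIRST value it finds for a keyword and
# ignores later duplicates, so a hardening line appended at the bottom of the
# file does not override an earlier 'PermitRootLogin yes'.
# Assumptions: plain "Keyword value" lines, no Match blocks.

# effective_value <file> <keyword> <default>
# Print the value sshd would use: first uncommented occurrence, else the default.
effective_value() {
    v=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                    # comment line
        /^[ \t]*$/ { next }                    # blank line
        tolower($1) == key { print $2; exit }  # first match wins, as in sshd
    ' "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# audit_sshd_config <file>
# Report findings; return 0 only when root password logins are disabled.
audit_sshd_config() {
    f=$1
    rc=0
    # Defaults passed here are the worst case for old OpenSSH releases
    # (newer ones default PermitRootLogin to prohibit-password).
    root=$(effective_value "$f" PermitRootLogin yes)
    pw=$(effective_value "$f" PasswordAuthentication yes)
    port=$(effective_value "$f" Port 22)

    case "$root" in
        no|without-password|prohibit-password)
            echo "OK:   PermitRootLogin $root" ;;
        *)
            echo "FAIL: PermitRootLogin is '$root' (want no, or without-password)"
            rc=1 ;;
    esac
    if [ "$pw" = no ]; then
        echo "OK:   PasswordAuthentication no (keys only)"
    else
        echo "WARN: PasswordAuthentication $pw; every password must be long and unpredictable"
    fi
    if [ "$port" = 22 ]; then
        echo "INFO: sshd on default port 22; expect automated scans every day"
    else
        echo "INFO: sshd on port $port; port 22 looks empty to casual scans"
    fi
    return $rc
}

SAMPLES=${TMPDIR:-/tmp}
# Constructed sample configs (not real files from the page).
write_sample_configs() {
    cat > "$SAMPLES/sshd_weak.conf" <<'EOF'
# constructed sample: hardening line appended after an earlier 'yes'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin without-password
EOF
    cat > "$SAMPLES/sshd_hard.conf" <<'EOF'
# constructed sample: the layout the answer recommends
Port 9022
PermitRootLogin without-password
PasswordAuthentication no
EOF
}

# Stand-alone run: audit both samples.
write_sample_configs
for c in sshd_weak sshd_hard; do
    echo "== $c.conf"
    audit_sshd_config "$SAMPLES/$c.conf" || echo "=>   NOT hardened"
done
```

Run it against a real file with audit_sshd_config /etc/ssh/sshd_config; a non-zero exit status means root can still log in with a password. The first-match rule is why the "weak" sample fails even though it ends with the right directive.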
The first simple solution is to ban the IP address the attack is coming from. This could be done on the router or on the server itself. Usually the IP changes afterwards and the attacks continue.
Updated: Another simple solution could be IP filtering. This could be done on the router and on the server firewall. This is applicable when you use SSH from certain destinations only. Usually there could be another machine used just as a doorway for multiple servers. The server would be just unreachable on that port for other IPs.
Another very simple solution could be to move SSH to a different port number (such as 9022, etc.) and leave 22 "empty". This is "security by curiosity". Updated: The server would be unreachable on port 22, but you are still vulnerable when someone scans your ports.
To prevent brute force on the server you can use SSHGuard, which protects several services, or another similar utility such as fail2ban mentioned before. Update: These tools will edit firewall rules automatically, usually according to parsing log files... and they can do a lot more.
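As an added example, not code from fail2ban or SSHGuard, this POSIX shell script shows the core of what those tools automate: parse the "Failed password" lines sshd writes to the auth log, count them per source address, and once a source crosses a threshold produce the firewall rule that would drop it. The log lines, the file name, the threshold and the functions are mine; the rules are printed rather than executed, and they assume sshd is still on port 22 (change --dport if you moved it).

```shell
#!/bin/sh
# Added example, not code from fail2ban or SSHGuard: count failed SSH logins
# per source address in a log file and print the firewall rule that would
# block each offender once a threshold is crossed. Rules are printed, not run.
# The log lines below are constructed samples in the usual sshd/syslog format.

LOG=${TMPDIR:-/tmp}/auth.log.sample
write_sample_log() {
    cat > "$LOG" <<'EOF'
Jun  3 10:01:12 web1 sshd[2101]: Failed password for root from 203.0.113.45 port 51322 ssh2
Jun  3 10:01:15 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.45 port 51330 ssh2
Jun  3 10:01:19 web1 sshd[2105]: Failed password for root from 203.0.113.45 port 51341 ssh2
Jun  3 10:01:22 web1 sshd[2107]: Failed password for invalid user oracle from 203.0.113.45 port 51350 ssh2
Jun  3 10:01:30 web1 sshd[2109]: Failed password for root from 203.0.113.45 port 51360 ssh2
Jun  3 10:02:01 web1 sshd[2111]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Jun  3 10:02:09 web1 sshd[2112]: Accepted publickey for alice from 198.51.100.7 port 40023 ssh2
Jun  3 10:03:44 web1 sshd[2120]: Failed password for root from 2001:db8::10 port 33001 ssh2
EOF
}

# offenders <logfile> <threshold>
# Print "count address" for every source with at least <threshold> failures,
# highest count first. Only sshd "Failed password" lines are counted, so a
# legitimate user who mistypes once (alice above) stays well below the bar.
offenders() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            # the source address is the field right after "from"
            for (i = 1; i < NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }
    ' "$1" | sort -rn
}

# block_rules <logfile> <threshold>
# For each offender, print the rule a tool like fail2ban would insert.
# IPv6 sources (containing a colon) need ip6tables rather than iptables.
block_rules() {
    offenders "$1" "$2" | while read -r count ip; do
        case "$ip" in
            *:*) printf 'ip6tables -I INPUT -s %s -p tcp --dport 22 -j DROP   # %s failures\n' "$ip" "$count" ;;
            *)   printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP   # %s failures\n' "$ip" "$count" ;;
        esac
    done
}

# Stand-alone run: five failures from one address within the sample window.
write_sample_log
echo "== offenders (threshold 5)"
offenders "$LOG" 5
echo "== rules that would be applied"
block_rules "$LOG" 5
```

The threshold is the whole design decision: set it too low and a user with a stale saved password locks themselves out, set it too high and the scanner finishes its 10 to 10,000 guesses before anything happens. The real tools add what this script leaves out, a time window so old failures age out and an automatic unban after a bantime.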