How to stop/prevent SSH bruteforce

Solution 1:

How to gain access?

It's not clear why you can't access your account.

If your machine is under attack or high load, you should talk to your provider about restricting access (IP Restrictions) or taking the server offline (disconnect from the Internet).

You might also require out of band access which your provider may be able to help with.

If somebody has compromised your server you may need to restore from backups or use a recovery image.

How to prevent attacks on your server, in particular SSH

best way to prevent brute force logons?

Don't let them get to your machine in the first place! There are plenty of ways to stop brute force attempts before they get to your host, or even at the SSH level.

Having said that, protecting your Operating System with something like fail2ban is a great idea. http://en.wikipedia.org/wiki/Fail2ban

Fail2ban is similar to DenyHosts, but unlike DenyHosts, which focuses on SSH, fail2ban can be configured to monitor any service that writes login attempts to a log file, and instead of using only /etc/hosts.deny to block IP addresses/hosts, fail2ban can use Netfilter/iptables as well as TCP Wrappers (/etc/hosts.deny).

There are a number of important security techniques you should consider to help prevent brute force logins:

SSH:

  • Don't allow root to login
  • Don't allow ssh passwords (use private key authentication)
  • Don't listen on every interface
  • Create a network interface for SSH (e.g. eth1), which is different from the interface you serve requests from (e.g. eth0)
  • Don't use common usernames
  • Use an allow list, and only allow users that require SSH Access
  • If you require Internet access, restrict access to a finite set of IPs. One static IP is ideal; however, locking it down to x.x.0.0/16 is better than 0.0.0.0/0
  • If possible, find a way to connect without Internet access; that way you can deny all Internet traffic for SSH (e.g. with AWS you can get a direct connection that bypasses the Internet; it's called Direct Connect)
  • Use software like fail2ban to catch any brute force attacks
  • Make sure OS is always up to date, in particular security and ssh packages

Application:

  • Make sure your application is always up to date, in particular security packages
  • Lock down your application 'admin' pages. Much of the advice above applies to the admin area of your application too.
  • Password-protect your admin area; something like htpasswd for the web console will protect any underlying application vulnerabilities and create an extra barrier to entry
  • Lock down file permissions. 'Upload folders' are notorious for being entry points of all sorts of nasty stuff.
  • Consider putting your application behind a private network, and only exposing your front-end load balancer and a jumpbox (this is a typical setup in AWS using VPCs)
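The SSH bullet points above are, for the most part, sshd_config directives, so a quick way to see whether a host follows them is to read the file the way sshd does. The script below is an added example, not code from the answer above; the two sample configs are constructed for the demo, and the management address 10.0.1.5 and the account names ops-alice/ops-bob are assumed values.

```shell
#!/bin/sh
# Added example, not code from the answer above: audit an sshd_config file
# against the SSH bullet points (root login, passwords, bound interface,
# allow list). The two sample configs are constructed; 10.0.1.5 and the
# ops-alice/ops-bob accounts are assumed values for the demo.

# Effective global value of a directive. sshd uses the FIRST occurrence of a
# keyword, and everything after a "Match" line is conditional, so stop there.
# (Include directives are not followed; only the given file is read.)
sshd_get() {  # usage: sshd_get <config-file> <Directive>
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ || NF == 0  { next }   # comment or blank line
    tolower($1) == "match" { exit }   # conditional block: not global
    tolower($1) == key     { print $2; exit }
  ' "$1"
}

# One finding per line for each global setting that contradicts the advice.
# Defaults are OpenSSH's: PermitRootLogin prohibit-password,
# PasswordAuthentication yes, all interfaces bound, no allow list.
audit_sshd_config() {  # usage: audit_sshd_config <config-file>
  cfg=$1
  v=$(sshd_get "$cfg" PermitRootLogin | tr 'A-Z' 'a-z')
  [ "${v:-prohibit-password}" = no ] ||
    echo "PermitRootLogin=${v:-prohibit-password (default)}: set 'PermitRootLogin no'"
  v=$(sshd_get "$cfg" PasswordAuthentication | tr 'A-Z' 'a-z')
  [ "${v:-yes}" = no ] ||
    echo "PasswordAuthentication=${v:-yes (default)}: set 'PasswordAuthentication no', use keys"
  v=$(sshd_get "$cfg" ListenAddress)
  case "${v:-0.0.0.0}" in
    0.0.0.0*|::*|"[::]"*)
      echo "ListenAddress=${v:-unset}: sshd binds every interface; bind the management interface only" ;;
  esac
  v=$(sshd_get "$cfg" AllowUsers)            # presence check only (first name)
  [ -n "$v" ] || v=$(sshd_get "$cfg" AllowGroups)
  [ -n "$v" ] ||
    echo "no AllowUsers/AllowGroups: every local account may attempt SSH; add an allow list"
  return 0
}

# --- constructed sample configs -------------------------------------------
demo_dir=$(mktemp -d)
WEAK_CFG=$demo_dir/sshd_config.weak          # looks like a stock config
HARD_CFG=$demo_dir/sshd_config.hardened      # applies the bullet points

cat > "$WEAK_CFG" <<'EOF'
# constructed sample: a stock-looking config
Port 22
PermitRootLogin yes
# the next line is commented out, so the default (yes) applies
#PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
EOF

cat > "$HARD_CFG" <<'EOF'
# constructed sample: assumed management interface (eth1) address
ListenAddress 10.0.1.5
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# allow list of the accounts that actually need SSH (assumed names)
AllowUsers ops-alice ops-bob
# conditional block: applies to one user only, ignored by the global audit
Match User ops-bob
    PasswordAuthentication yes
EOF

echo "== weak config ==";     audit_sshd_config "$WEAK_CFG"
echo "== hardened config =="; audit_sshd_config "$HARD_CFG"
```

On a live host, `sshd -T` prints the effective configuration with defaults filled in, so `sshd -T | grep -iE 'permitrootlogin|passwordauthentication|listenaddress|allowusers'` is the authoritative check; the script is for auditing a file before it is deployed. Two details it encodes are worth remembering when editing by hand: sshd honours the first occurrence of a keyword, so a hardened line appended below an existing uncommented directive has no effect, and anything under a Match line applies only to the matched users or addresses.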

Solution 2:

How can I suppress this attack and prevent following attacks?

Usually I change the default SSH port from 22 to another, like 1122. This prevents many automatic attacks from bots, but a simple port scan can detect it. Anyway:

vi /etc/ssh/sshd_config

and edit Port 22 to Port 1122, but this is not enough.

Automatic IPTables rules on bruteforce

I use log2iptables https://github.com/theMiddleBlue/log2iptables instead of Fail2ban, because it is a simple Bash script that parses any logfile with a regular expression and executes iptables. For example, when 5 matches occur, log2iptables drops the specific IP address. It's cool because it uses the Telegram API and can send me a message on my phone when it finds a problem :)

hope this will help!
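What a log-to-iptables tool does is a regular expression over the log, a counter per source address, and a rule once the counter passes a threshold. The following is an added example that reimplements that loop in plain shell so the logic is visible; it is not log2iptables' own code and not from the answer above. The log lines are constructed, the threshold of 5 matches copies the figure quoted above, the Telegram part is left out, and by default the script only prints the iptables commands (set BAN_EXEC=1 to run them as root).

```shell
#!/bin/sh
# Added example (not log2iptables' code, not from the answer above): regex
# over auth.log, per-address counter, iptables DROP past a threshold.
# Sample log lines are constructed; threshold and dry-run default are
# choices for this demo.

THRESHOLD=${THRESHOLD:-5}

# Count failed SSH logins per source address as "count ip" lines, most
# frequent first. Matches "Failed password for [invalid user] X from IP ..."
# and "Invalid user X from IP ...". The address is the token after the LAST
# "from": the username is attacker-chosen and may itself contain
# "from <victim-ip>", and current OpenSSH appends "port NNNN" after the real
# address, so neither the first "from" nor the last field is safe to use.
failed_logins_by_ip() {  # usage: failed_logins_by_ip <logfile>
  grep -E 'sshd\[[0-9]+\]: (Failed password for|Invalid user) ' "$1" |
    awk '{ ip = ""
           for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
           if (ip != "") n[ip]++ }
         END { for (ip in n) print n[ip], ip }' |
    sort -rn
}

# Emit (or, with BAN_EXEC=1, run) an iptables DROP for every address at or
# above THRESHOLD. The optional banned-list file makes reruns idempotent.
ban_offenders() {  # usage: ban_offenders <logfile> [banned-list-file]
  banned=${2:-/dev/null}
  failed_logins_by_ip "$1" | while read -r count ip; do
    [ "$count" -ge "$THRESHOLD" ] || continue
    grep -qxF "$ip" "$banned" 2>/dev/null && continue   # already banned
    if [ "${BAN_EXEC:-0}" = 1 ]; then
      iptables -I INPUT -s "$ip" -j DROP && echo "$ip" >> "$banned"
    else
      echo "iptables -I INPUT -s $ip -j DROP"
    fi
  done
}

# --- constructed sample of /var/log/auth.log -------------------------------
# 203.0.113.7 is the brute forcer; the last line is a log-injection attempt
# where the supplied username is "admin from 198.51.100.1".
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Mar  3 10:01:11 web1 sshd[2201]: Invalid user admin from 203.0.113.7 port 51234
Mar  3 10:01:11 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:13 web1 sshd[2203]: Invalid user oracle from 203.0.113.7 port 51240
Mar  3 10:01:13 web1 sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:15 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar  3 10:01:16 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar  3 10:02:40 web1 sshd[2210]: Failed password for alice from 198.51.100.20 port 40022 ssh2
Mar  3 10:02:41 web1 sshd[2210]: Accepted publickey for alice from 198.51.100.20 port 40022 ssh2
Mar  3 10:03:00 web1 sshd[2215]: Invalid user test from 192.0.2.99 port 60001
Mar  3 10:04:00 web1 sshd[2220]: Invalid user admin from 198.51.100.1 from 203.0.113.7 port 51300
EOF

echo "== failed logins per source ==";      failed_logins_by_ip "$LOG"
echo "== rules (threshold $THRESHOLD) =="; ban_offenders "$LOG"
```

Two caveats a practitioner would want. A probe with an unknown username writes both an "Invalid user" and a "Failed password ... invalid user" line, so the counter counts log matches, as the "5 matches" above does, not distinct attempts; set the threshold with that in mind. And because the rule keys on whatever address the parser pulls out of a line the attacker partly controls, anchor on the address sshd itself writes (the last "from" here, or a regex ending in "from <ip> port <n>") and keep your own management addresses out of reach of the ban, otherwise the banning script becomes a way to lock you out. On hosts that log only to the journal, feed `journalctl -u <sshd unit> --no-pager -o short` output to the same function instead of a file.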


Solution 3:

I've just put this together, run every 15 mins as a cronjob etc:

#!/bin/sh
# Ban every source address with more than 10 "Invalid user" entries in
# auth.log by appending it to the sshd line of /etc/hosts.deny (TCP Wrappers).
# Expects /etc/hosts.deny.bak to be a copy of hosts.deny WITHOUT an sshd line;
# the file is rebuilt from it on every ban. Run every 15 minutes from cron.
# The address is the token after "from": with current OpenSSH the last field
# of the line is the client port, not the IP.
for z in $(grep Invalid /var/log/auth.log | awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1) }' | sort -u)
do
  # -F -w: match the address literally and whole, not as a regex or a prefix
  count1=$(grep -cFw -- "$z" /etc/hosts.deny)                 # already listed?
  count2=$(grep Invalid /var/log/auth.log | grep -cFw -- "$z")  # attempts seen
  if [ "$count1" -eq 0 ] && [ "$count2" -gt 10 ] ; then
    # hosts already on the existing "sshd : a , b" line, if any
    current=$(grep "^sshd" /etc/hosts.deny | sed 's/sshd[ :,]*//')
    sudo cp /etc/hosts.deny.bak /etc/hosts.deny
    # append via sudo tee instead of chmod 666 + echo, so the file is never
    # world-writable, even briefly
    if [ -n "$current" ] ; then
      echo "sshd : $current , $z" | sudo tee -a /etc/hosts.deny >/dev/null
    else
      echo "sshd : $z" | sudo tee -a /etc/hosts.deny >/dev/null
    fi
  fi
done