Securing SSH server against bruteforcing

Solution 1:

Fail2ban and Port Knocking should address most of your needs.

Changing your SSH port and only allowing Key-based authentication are also recommended.

It can be argued that you may reach a point of diminishing returns in adding additional security measures, but then again, it's up to you to decide when you're "secure enough".

It's also a good idea to disallow root login.

Solution 2:

There is no substitute for secure passwords AND key authentication. That being said, Fail2Ban is a great tool for banning IPs of users who attempt to authenticate too many times. It's also available as a pre-built package for most distros. Be warned, you can accidentally get yourself banned, so make sure you have a recovery white-listed IP too or easy console access...

Fail2Ban has several good examples of how to configure everything you asked... it does not, however, have a universal repository of bad addresses. I don't think there is such a repository anywhere, due to the ease of getting another IP (DHCP renew/bot-net attacks/etc.). I would also disable logging in via SSH using common 'administrator' type usernames (root/admin/administrator/sysop/etc.) as these are the most commonly banged on.
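To make the fail2ban advice concrete (the banning, the "you can lock yourself out" warning, and the whitelist as the fix), here is a small model of what an sshd jail does at its core. It is an added example, not fail2ban's own code and not part of the answers above: failed password logins are counted per source address inside a sliding window (findtime), an address is banned once it reaches maxretry, the ban lapses after bantime, and addresses on the ignore list (fail2ban's ignoreip) are never banned. The log lines are constructed, and the thresholds and the ignore range are assumptions.

```python
"""Fail2ban-style sshd jail over constructed auth.log lines (added example)."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Only the "Failed password" line is counted.  sshd also logs "Invalid user ..."
# before it for unknown accounts; counting both would double-count one attempt.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)
EPOCH = datetime(1970, 1, 1)


def parse_ts(text, year=2024):
    """Syslog timestamps carry no year (assumed here); seconds are computed without a timezone."""
    dt = datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")
    return (dt - EPOCH).total_seconds()


class Jail:
    def __init__(self, maxretry=5, findtime=600, bantime=3600, ignoreip=()):
        self.maxretry = maxretry
        self.findtime = findtime
        self.bantime = bantime
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned = {}                     # ip -> time the ban expires

    def ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def is_banned(self, ip, now):
        return ip in self.banned and now < self.banned[ip]

    def feed(self, line):
        """Process one log line; return the IP if this line triggered a ban, else None."""
        m = FAIL_RE.match(line)
        if not m:
            return None
        ip, now = m["ip"], parse_ts(m["ts"])
        if self.ignored(ip):
            return None                      # never ban the recovery address
        if ip in self.banned:
            if now < self.banned[ip]:
                return None                  # already banned
            del self.banned[ip]              # bantime elapsed: unban
        window = self.failures[ip]
        window.append(now)
        while now - window[0] > self.findtime:
            window.popleft()                 # drop failures older than findtime
        if len(window) >= self.maxretry:
            self.banned[ip] = now + self.bantime
            window.clear()
            return ip
        return None


# Constructed sample: one bot, the admin mistyping from the whitelisted range, and a slow guesser.
SAMPLE_LOG = """\
Feb 10 10:00:01 bastion sshd[1001]: Failed password for root from 203.0.113.7 port 50001 ssh2
Feb 10 10:00:02 bastion sshd[1002]: Invalid user admin from 203.0.113.7 port 50002
Feb 10 10:00:02 bastion sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 50002 ssh2
Feb 10 10:00:03 bastion sshd[1003]: Failed password for invalid user administrator from 203.0.113.7 port 50003 ssh2
Feb 10 10:00:04 bastion sshd[1004]: Accepted publickey for alice from 192.0.2.10 port 50004 ssh2
Feb 10 10:00:05 bastion sshd[1005]: Failed password for root from 203.0.113.7 port 50005 ssh2
Feb 10 10:00:06 bastion sshd[1006]: Failed password for invalid user sysop from 203.0.113.7 port 50006 ssh2
Feb 10 10:00:07 bastion sshd[1007]: Failed password for root from 203.0.113.7 port 50007 ssh2
Feb 10 10:01:00 bastion sshd[1010]: Failed password for alice from 192.0.2.10 port 50010 ssh2
Feb 10 10:01:01 bastion sshd[1011]: Failed password for alice from 192.0.2.10 port 50011 ssh2
Feb 10 10:01:02 bastion sshd[1012]: Failed password for alice from 192.0.2.10 port 50012 ssh2
Feb 10 10:01:03 bastion sshd[1013]: Failed password for alice from 192.0.2.10 port 50013 ssh2
Feb 10 10:01:04 bastion sshd[1014]: Failed password for alice from 192.0.2.10 port 50014 ssh2
Feb 10 10:05:00 bastion sshd[1020]: Failed password for root from 198.51.100.9 port 50020 ssh2
Feb 10 10:10:00 bastion sshd[1021]: Failed password for root from 198.51.100.9 port 50021 ssh2
Feb 10 10:15:00 bastion sshd[1022]: Failed password for root from 198.51.100.9 port 50022 ssh2
Feb 10 10:20:00 bastion sshd[1023]: Failed password for root from 198.51.100.9 port 50023 ssh2
Feb 10 10:25:00 bastion sshd[1024]: Failed password for root from 198.51.100.9 port 50024 ssh2
"""


def run(log=SAMPLE_LOG, **jail_args):
    """Feed every line through a jail; return (IPs banned in order, the jail)."""
    jail = Jail(**jail_args)
    bans = [jail.feed(line) for line in log.splitlines()]
    return [ip for ip in bans if ip], jail
```

With `ignoreip=["192.0.2.0/24"]` only the bot at 203.0.113.7 is banned; drop the ignore list and the admin's own five typos from 192.0.2.10 earn a ban too, which is exactly the lock-out the answer warns about. The guesser at 198.51.100.9 stays under the threshold because its attempts are spread wider than findtime, which is why a jail is a complement to key-only auth rather than a replacement for it.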


Solution 3:

I've stopped brute force attacks with:

  • fail2ban
  • sshd_config:
    • PasswordAuthentication no
    • PermitRootLogin no
  • Limiting SSH Connect rates with iptables (http://www.debian-administration.org/articles/187)

Solution 4:

There are a number of good suggestions offered here. I respectfully suggest that three things should make this relatively secure:

  1. Run the sshd on a random high port. The bots typically only go after port 22 and variations on port 22 like 2222.
  2. Disable password-based authentication in the sshd config:

     UsePAM no

  3. Only authenticate with this site via pre-shared SSH key pairs. See man ssh-keygen to get started with PKI-based authentication.

Hope this helps.
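The sshd_config settings recommended across these answers (non-default port, no root login, keys only) are easy to get subtly wrong, and the `UsePAM no` fragment in the answer just above is one such case: UsePAM only controls whether PAM is used for authentication and account/session handling; with it off, sshd checks passwords against the system password database itself, so `PasswordAuthentication no` is the directive that actually turns password logins off. The following audit is an added example (not OpenSSH code and not from the answers) that resolves a config the way sshd does, including two rules that bite in practice: for each keyword the FIRST value read wins, so a hardening line appended to the bottom of the file does nothing if the keyword already appears higher up (see sshd_config(5)), and an absent keyword takes its compiled-in default. Directives inside Match blocks are skipped because they apply only to matching connections. The defaults listed are the documented ones for current OpenSSH and the sample configs are constructed.

```python
"""Effective-setting audit for sshd_config hardening (added example; samples constructed)."""
import re

# Documented defaults for the keywords checked (assumed current OpenSSH).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "usepam": "no",
}
DEFAULT_PORT = "22"
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}  # legacy spelling
LINE_RE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.+?)\s*$")   # "Key value" or "Key=value"


def effective_settings(config_text):
    """Resolve the global section as sshd does: first value wins, every Port line adds a listener."""
    settings, ports = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).lower()
        key = ALIASES.get(key, key)
        if key == "match":
            break                            # everything below is conditional on the Match
        if key == "port":
            ports.append(value)
        else:
            settings.setdefault(key, value)  # a later duplicate is ignored by sshd
    resolved = dict(DEFAULTS)
    resolved.update(settings)
    resolved["port"] = ports or [DEFAULT_PORT]
    return resolved


def audit(config_text):
    """Return a list of findings; an empty list means every check passed."""
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append(f"PasswordAuthentication is {s['passwordauthentication']}: "
                        "password logins are still possible")
    if s["usepam"] == "yes" and s["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication is on with UsePAM yes: "
                        "PAM can still prompt for a password")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is off: key-based login would not work")
    if s["permitrootlogin"] != "no":
        findings.append(f"PermitRootLogin is {s['permitrootlogin']}: set it to no")
    if DEFAULT_PORT in s["port"]:
        findings.append("sshd still listens on the default port 22")
    return findings


# Constructed sample configs.
ONLY_USEPAM = "UsePAM no\n"              # the fragment from the answer above, on its own

PAM_GAP = """\
PasswordAuthentication no
UsePAM yes
"""

FIRST_WINS = """\
PasswordAuthentication yes
# hardening appended later, silently ignored by sshd:
PasswordAuthentication no
"""

HARDENED = """\
Port 48222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
"""
```

`audit(ONLY_USEPAM)` reports that password logins, root login and port 22 are all still in effect; `PAM_GAP` shows the other common hole, where `PasswordAuthentication no` is set but PAM keyboard-interactive still asks for a password; `FIRST_WINS` resolves to `yes`. On a real host, `sshd -T` prints the fully resolved configuration and `sshd -t` checks the syntax, so run both before restarting, and keep your current session open while you confirm a fresh key-based login works.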