Preventive Measures to Block SSH Attacks - Even More Measures
(Page 3 of 4 )
When keeping up with the count of SSH attacks becomes hard, automated script solutions come to the rescue. DenyHosts is pretty popular and does the job. It is a Python script that runs in the background and analyzes your log files. When dubious attempts are found, such as multiple failed attempts from specific hosts, it takes preventive actions, such as denying those hosts--specifically banning them.
DenyHosts is really configurable; it has numerous options for setting thresholds, report generation, keeping a history, and all that. Basically, it parses the logs, and you can check them later on for offending hosts, which users are targeted/abused, etc. It is really useful even if all you do is set up DenyHosts, configure your limits, and then let it work in the background. Once limits are met, the hosts are blocked (/etc/hosts.deny).
It is beyond this article’s scope to present an entire configuration tutorial on how to set up DenyHosts, but if that’s what you want to do, you can find plenty of information. Maybe in a future article we will actually cover our best practices. But for now, let’s move on to present even more strategies to prevent SSH attacks!
SSHguard is another open-source project that acts similarly to DenyHosts. It also monitors the log files, and once dubious occurrences of login attempts are found, it blocks the hosts with firewall rules. It can operate with other protocol types, including SSH, but also others, such as FTP, IMAP, etc. It is compatible with most firewall suites on Linux (such as the popular Netfilter/iptables, PF, IPFilter, hosts.allow, etc.). It supports IPv6.
The third tool that we want to mention is called Fail2ban. It does the same job as the other two presented above. Please check out its set of features for more information.
If your server is already using a Netfilter/Iptables firewall, then you may consider the following implementation. What about limiting the count of incoming SSH connections? Things can become malicious when there are more than three attempts within a minute, for example. Since most SSH attacks happen really fast and “background” log monitoring utilities may fail to recognize them as soon as possible, this technique is a life-saver.
iptables -I INPUT -p tcp --dport X -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport X -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
Please don’t forget to edit the above iptables rule accordingly. The number X after the --dport argument specifies the destination port number, which is your SSH daemon port. Moreover, the “eth0” is the NIC through which the server is reachable. The other arguments are specified the hitcount (4) within those 60 seconds and the action (drop).
And finally, there’s one more technique that you can research. It’s called Port Knocking. It’s one of the most advanced preventive measures that you can implement. It is not transparent at all, and sometimes can cause headaches until you can get it working. However, that one strategy really deserves an article of its own. But if you’re anxious, just Google it and you will find lots of worthwhile gems regarding SSH port-knocking.
