LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   Protect server from brute force attack via ssh (http://www.linuxquestions.org/questions/linux-security-4/protect-server-from-brute-force-attack-via-ssh-430427/)

babysparrow 03-31-2006 04:37 PM

Protect server from brute force attack via ssh
 
My /var/log/messages shows repeated sustained brute force attacks are occurring on a regular basis.

I am frustrated that I cannot stop ssh from gleefully accepting repeated login attempts from the same ip despite hundreds of failures.

Is there no way that I can change the config (perhaps in /etc/ssh/ssh_config) to allow only three (say) failed attempts from the same ip ?

Or is there some other way to deal with this ?

(I thought SE Linux might do something about this - but I've had a lazy shuffle around there and it does not seem to)

Caeda 03-31-2006 04:42 PM

You mean something like the command in the help files...

ip ssh authentication-retries retryLimit

which you just have to type in? :p :D :jawa:

babysparrow 03-31-2006 04:52 PM

Thanks Caeda, I don't have a Cisco router. I'm using a Netgear DG814 DSL modem/router and really need some way to get FC4 to do the work itself.

I've probably missed something here again - sorry to appear a bit stupid.

int0x80 03-31-2006 04:54 PM

Well there is this (sticky) link -- http://www.linuxquestions.org/questi...d.php?t=340366
Also you can just run your SSH daemon on a different port. I haven't had one log of SSH brute force since I changed the port OpenSSH listens on.

babysparrow 03-31-2006 05:02 PM

Thanks int0x80. Problem with that one is that if I change the default port, then I won't be able to access it myself from some of my client sites - or at least it would require a firewall change to do so (and that ain't gonna happen).

I'm just griping now, but I can't believe that ssh2.0 has no built in mechanism to at least try to deal with this. Well never mind.

haertig 03-31-2006 05:15 PM

Quote:

Originally Posted by babysparrow
Is there no way that I can change the config (perhaps in /etc/ssh/ssh_config) to allow only three (say) failed attempts from the same ip ?

www.google.com ... enter "denyhosts" ... first hit! :)

[edit] Here are the DenyHosts features: http://denyhosts.sourceforge.net/features.html [/edit]
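The per-IP counting that DenyHosts does over the sshd log, shown as an added example that is not part of the thread and not DenyHosts' own code. The log lines are constructed samples in the standard syslog/sshd "Failed password" format; the threshold and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from DenyHosts): count failed sshd
# password attempts per source IP in syslog-style lines and list the IPs that
# reach a threshold, which is the core of what a tool like DenyHosts does.
# The log lines below are constructed samples, not from the poster's server.

SAMPLE_LOG=$(cat <<'EOF'
Mar 31 16:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50211 ssh2
Mar 31 16:01:05 host sshd[1203]: Failed password for root from 203.0.113.5 port 50213 ssh2
Mar 31 16:01:09 host sshd[1205]: Failed password for invalid user test from 203.0.113.5 port 50215 ssh2
Mar 31 16:01:12 host sshd[1207]: Failed password for invalid user oracle from 203.0.113.5 port 50217 ssh2
Mar 31 16:02:40 host sshd[1220]: Accepted publickey for alice from 198.51.100.7 port 41000 ssh2
Mar 31 16:03:15 host sshd[1225]: Failed password for alice from 198.51.100.7 port 41002 ssh2
EOF
)

# Print "count ip" for every source IP with at least $1 failed password
# attempts, highest count first. Reads log text from stdin; needs only awk.
failed_logins_over() {
    threshold=$1
    awk -v t="$threshold" '
        / sshd\[[0-9]+\]: Failed password for / {
            # the token after "from" is the client address
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1); break }
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= t) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# Wrapper over the constructed sample; on a real FC4 box you would run
#   failed_logins_over 3 < /var/log/messages
report_sample() {
    printf '%s\n' "$SAMPLE_LOG" | failed_logins_over "$1"
}

report_sample 3
```

With a threshold of 3 only 203.0.113.5 is reported; the single failure from 198.51.100.7 (a legitimate user mistyping once) stays below it, which is why a threshold, rather than "any failure", is what you feed into /etc/hosts.deny or a firewall rule.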

michaelsanford 03-31-2006 10:00 PM

Quote:

Originally Posted by babysparrow
Is there no way that I can change the config (perhaps in /etc/ssh/ssh_config) to allow only three (say) failed attempts from the same ip ?

There are a few ways. Assuming you are either the only one who logs in, or you have a small group, briefly:

a) sshd_config > MaxAuthTries 1
b) sshd_config > PasswordAuthentication no

(a) will reduce the number of attempts that the brute machine can make on any single connection attempt.
(b) will force the client (you) to use public-key authentication and will automatically deny the user access if he doesn't have a valid public key. There's a how-to here for that.

Then, probably the best for your situation
(c) sshd_config > HostbasedAuthentication yes

Check the manpage for that last one. Basically it will only even bother to try to get credentials from a user who is connecting from a particular set of pre-defined hosts and drop everyone else.

There are also firewall rules you can implement for this that will limit the number of attempts on a given port in a given amount of time. If you set something like -m limit --limit 5/m --limit-burst 5 -j REJECT you're telling the firewall to reject the packet if more than 5 per minute come in. You'd have to set a really long interval like this for it to make any difference. BUT you probably don't want to do that! Why? Well, what if YOU try to log in once the limit is reached? You won't be able to until the firewall timer has expired. Now, what if your attacker continues his attack for hours? You can't log in until he finishes his attack, which, if it's brute-force automated set-then-go-to-bed, it could be hours. If it's from Sing., like mine all have been, he'll be sleeping while you're on the clock at work. Not a good combo.
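The three sshd_config settings above, plus the firewall angle, as an added example that is not from the thread or from OpenSSH. The sshd_config text is a constructed sample; the audit treats MaxAuthTries of 1 to 3 as acceptable (an assumption matching the original question) and, for the firewall, substitutes the iptables "recent" match for the "-m limit" rule, because "recent" tracks each source address separately and so avoids the lockout problem described in the post. The function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH: audit an sshd_config for
# MaxAuthTries / PasswordAuthentication / HostbasedAuthentication and print a
# per-source iptables rate limit. The config text is a constructed sample.

SAMPLE_SSHD_CONFIG=$(cat <<'EOF'
# constructed sample sshd_config
Port 22
Protocol 2
MaxAuthTries 6
PasswordAuthentication yes
#HostbasedAuthentication no
UsePAM yes
EOF
)

# Effective value of one keyword: sshd uses the FIRST uncommented occurrence,
# and keywords are case-insensitive. Reads the config from stdin.
sshd_option() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        $1 !~ /^#/ && tolower($1) == key { print $2; exit }
    '
}

# One line per finding: OK/WEAK/INFO, keyword, value ("unset" means the
# keyword is absent and the compiled-in default applies).
audit_sshd_config() {
    cfg=$(cat)
    v=$(printf '%s\n' "$cfg" | sshd_option MaxAuthTries); [ -n "$v" ] || v=unset
    case "$v" in
        [1-3]) echo "OK MaxAuthTries $v" ;;        # assumption: 1-3 is tight enough
        *)     echo "WEAK MaxAuthTries $v" ;;
    esac
    v=$(printf '%s\n' "$cfg" | sshd_option PasswordAuthentication); [ -n "$v" ] || v=unset
    case "$v" in
        no) echo "OK PasswordAuthentication $v" ;;
        *)  echo "WEAK PasswordAuthentication $v" ;;
    esac
    v=$(printf '%s\n' "$cfg" | sshd_option HostbasedAuthentication); [ -n "$v" ] || v=unset
    echo "INFO HostbasedAuthentication $v"
}

# Firewall rules that limit NEW ssh connections PER SOURCE ADDRESS with the
# iptables "recent" match, instead of globally as "-m limit" does, so an
# attacker who hits the limit does not also lock out the administrator.
# Only printed here; pipe through sh on a host where you want them applied.
ssh_ratelimit_rules() {
    port=${1:-22}
    cat <<EOF
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name SSH --set
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name SSH --update --seconds 60 --hitcount 5 -j DROP
EOF
}

printf '%s\n' "$SAMPLE_SSHD_CONFIG" | audit_sshd_config
ssh_ratelimit_rules 22
```

Against the sample the audit flags MaxAuthTries 6 and PasswordAuthentication yes as weak and reports HostbasedAuthentication as unset. The "recent" rules drop the sixth new connection from one address within 60 seconds while other addresses are unaffected, which is the behaviour the post wanted but could not get from "-m limit".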
