Today I found that an IP address in Turkey keeps trying to log in to my server, and that my current settings have no protection against this kind of brute-force login, so I did a Google search on it and would like to share what I found.
To check whether your server is currently being probed over SSH, watch the traffic on port 22 with tcpdump (on CentOS the failed login attempts themselves are also recorded in /var/log/secure):
> tcpdump port ssh
In CentOS the sshd config is located at /etc/ssh/sshd_config. I have uncommented the following lines:
You can also limit root access, allow only certain IPs to reach SSH, and so on; however, I am on an ISP with dynamic IPs and I am used to root SSH access, so I only use these settings.
Relying on sshd_config alone is not enough: the attacking host still keeps sending login requests, and each one costs sshd a handshake and a password check, so a busy bot can still eat noticeable resources on the Linux box. I needed a way to block (drop) the malicious packets. DROP discards a packet without sending any reply, so the attacking bot sees no response at all, as if my server were disconnected, and will eventually give up.
What remained was the right iptables settings. I found this great article: SSH Dictionary Attack Prevention with iptables. With the rules below, no single host can open more than a few new SSH connections in a 60-second window: with the values shown, the fourth new connection from the same address within 60 seconds is dropped, and because every attempt (accepted or not) is recorded, further attempts keep being dropped until the earlier ones have aged out of the window. You can adjust the parameters to your needs.
Two things to watch out for. First, iptables evaluates the INPUT chain in order, so if you already have a rule in INPUT that accepts SSH, new connections will match it before they ever reach the SSH_CHECK chain; remove that rule and add these instead. Second, the last rule drops every packet that no earlier rule accepted, including loopback traffic and the replies to connections your server makes itself, so keep (or add) your ACCEPT rules for lo and for ESTABLISHED,RELATED traffic above it. If SSH is your only way into the server, change the rules carefully, and keep a second session open until you have confirmed you can still log in; otherwise you may lock yourself out too.
# Create a dedicated chain so the rate-limit logic stays separate from INPUT
iptables -N SSH_CHECK
# Send every NEW TCP connection to port 22 through SSH_CHECK first
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
# Record the source address (and a timestamp) in the "SSH" recent list
iptables -A SSH_CHECK -m recent --set --name SSH
# If this address has 4 or more entries within the last 60 seconds, drop the packet;
# packets that are not dropped fall back to INPUT and continue with the next rule there
iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
# Accept SSH traffic that survived the check (and packets of existing SSH sessions)
iptables -A INPUT -p tcp -m multiport --destination-ports 22 -j ACCEPT
# Everything not accepted above is dropped; ACCEPT rules for lo and ESTABLISHED,RELATED belong above this line
iptables -A INPUT -j DROP
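To make the behaviour of the rules concrete, here is a small simulation of what the `recent` match does with the values above (`--set`, then `--update --seconds 60 --hitcount 4`). This is an added example, not code from the original post or from the linked article; the `RecentTable` class, the constructed connection timeline and the two addresses in it are made up for illustration. It assumes the documented `recent` semantics: `--set` records a timestamp for the source address, and `--update` matches when the address has at least `hitcount` timestamps inside the window, counting the one just recorded. The per-address stamp limit of 20 is the module's default `ip_pkt_list_tot`.

```python
"""Simulate the iptables 'recent' match used by the SSH_CHECK chain.

Added example (not part of the original post). It replays a constructed
timeline of NEW SSH connections and reports which ones the rules above
would ACCEPT and which they would DROP.
"""
from collections import deque

WINDOW_SECONDS = 60   # --seconds 60
HITCOUNT = 4          # --hitcount 4
MAX_STAMPS = 20       # xt_recent default ip_pkt_list_tot (stamps kept per address)


class RecentTable:
    """One 'recent' list (the --name SSH list) keyed by source address."""

    def __init__(self, window=WINDOW_SECONDS, hitcount=HITCOUNT, max_stamps=MAX_STAMPS):
        self.window = window
        self.hitcount = hitcount
        self.max_stamps = max_stamps
        self.entries = {}  # src address -> deque of timestamps (seconds)

    def new_connection(self, src, now):
        """Decide ACCEPT or DROP for a NEW connection from src at time 'now'."""
        stamps = self.entries.setdefault(src, deque(maxlen=self.max_stamps))
        # "-m recent --set --name SSH": record this attempt for the address
        stamps.append(now)
        # "-m recent --update --seconds 60 --hitcount 4": count stamps that fall
        # inside the window, including the one just recorded
        hits = sum(1 for t in stamps if now - t <= self.window)
        if hits >= self.hitcount:
            return "DROP"   # rule matched -> packet silently discarded
        return "ACCEPT"     # falls through to the port-22 ACCEPT rule in INPUT


def replay(events):
    """Run a list of (time, src) NEW connections through one table."""
    table = RecentTable()
    return [(now, src, table.new_connection(src, now)) for now, src in events]


# Constructed timeline (hypothetical addresses): a bot on 203.0.113.7 retrying
# roughly every 10-25 seconds, and an admin on 198.51.100.9 logging in twice.
SAMPLE_EVENTS = [
    (0, "203.0.113.7"),
    (5, "198.51.100.9"),
    (10, "203.0.113.7"),
    (15, "198.51.100.9"),
    (20, "203.0.113.7"),
    (30, "203.0.113.7"),   # 4th attempt inside 60 s -> dropped
    (45, "203.0.113.7"),   # still 4+ stamps in the window -> dropped
    (70, "203.0.113.7"),   # window now starts at 10 s: 5 stamps -> dropped
    (90, "203.0.113.7"),   # window starts at 30 s: 4 stamps -> dropped
    (125, "203.0.113.7"),  # window starts at 65 s: only 3 stamps -> accepted again
]


def run_demo():
    """Return the decisions for SAMPLE_EVENTS as a list of verdict strings."""
    return [verdict for _, _, verdict in replay(SAMPLE_EVENTS)]


def bot_verdicts():
    """Verdicts for the bot only, in order."""
    return [v for _, src, v in replay(SAMPLE_EVENTS) if src == "203.0.113.7"]


if __name__ == "__main__":
    for now, src, verdict in replay(SAMPLE_EVENTS):
        print(f"t={now:4d}s  {src:14s}  {verdict}")
```

The point the timeline makes is that the rules do not simply "allow 4 per minute": the bot gets three connections through, and then every retry that lands while four or more of its earlier attempts are still inside the window is dropped as well, because the `--set` rule records the dropped attempts too. It only gets through again at t=125, once enough old attempts have aged out. The admin's two logins are unaffected because the list is per source address. Raising `--hitcount` above 20 would need the module's `ip_pkt_list_tot` parameter raised as well, since only that many stamps are kept per address.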
You can put these commands in your own iptables shell script, or add the rules to /etc/sysconfig/iptables. Note that on CentOS `service iptables restart` reloads the rules from /etc/sysconfig/iptables and discards anything you only typed at the command line, so if you added the rules interactively, run `service iptables save` first. After changing everything it is good practice to restart both services to make sure the configuration is really in effect (again, keep a second SSH session open until you have confirmed you can still log in):
> service sshd restart
> service iptables restart