Today I found that an IP address in Turkey keeps trying to log in to my server, and that my current settings offered no protection at all against this kind of brute-force login. After some searching I would like to share what I set up.
To see whether your server is currently receiving SSH traffic from an attacker, watch port 22 with tcpdump:
> tcpdump port ssh
This only tells you that packets are arriving. The failed attempts themselves are recorded by sshd in /var/log/secure on CentOS, together with the source address and the user names being tried, so that log is where to confirm an attack and count how fast it is going.
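Counting sshd failures per source address in /var/log/secure is the quickest way to confirm a dictionary attack and to pick the address to block. The script below is an added example, not code from the original post. It runs over a constructed excerpt of /var/log/secure embedded in the script (the addresses come from documentation ranges and are made up); on a live CentOS box pass the real log path as the argument instead.

```shell
#!/bin/sh
# Summarise sshd authentication failures per source address.

# Constructed sample of /var/log/secure lines (not a real log; addresses are
# from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24).
SAMPLE_LOG='Mar  3 10:12:01 host sshd[2201]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar  3 10:12:03 host sshd[2203]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
Mar  3 10:12:05 host sshd[2205]: Failed password for invalid user oracle from 203.0.113.45 port 51041 ssh2
Mar  3 10:12:09 host sshd[2207]: Accepted publickey for deploy from 198.51.100.7 port 40110 ssh2
Mar  3 10:12:30 host sshd[2210]: Failed password for root from 198.51.100.9 port 33812 ssh2
Mar  3 10:13:11 host sshd[2212]: Failed password for root from 203.0.113.45 port 51077 ssh2'

# _read_log [logfile]
# Read the given file, or the constructed sample when no file is given.
_read_log() {
    if [ -n "$1" ]; then cat "$1"; else printf '%s\n' "$SAMPLE_LOG"; fi
}

# failed_by_ip [logfile]
# Prints "<count> <ip>" lines, busiest source first. Only "Failed password"
# lines from sshd are counted; successful logins are ignored.
failed_by_ip() {
    _read_log "$1" |
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field that follows "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break }
         }' |
    sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# top_attacker [logfile]
# The address with the most failures, or nothing if there are none.
top_attacker() {
    failed_by_ip "$1" | head -n 1 | awk '{ print $2 }'
}

# attackers_over threshold [logfile]
# Addresses with at least <threshold> failures: the candidates for a block.
attackers_over() {
    failed_by_ip "$2" | awk -v t="$1" '$1 >= t { print $2 }'
}

# Usage: the per-address summary, then every address with 3 or more failures.
failed_by_ip
attackers_over 3
```

On a real server run failed_by_ip /var/log/secure; the output of attackers_over is the list of addresses worth feeding into the firewall rules.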
sshd config
In CentOS the sshd configuration lives in /etc/ssh/sshd_config. I uncommented the following lines:

LoginGraceTime 2m
MaxAuthTries 6
PermitEmptyPasswords no

Note that these three values are the OpenSSH defaults, so uncommenting them only makes the behaviour explicit. MaxAuthTries is the number of authentication attempts a client gets per connection and LoginGraceTime is how long sshd waits for a successful login before closing the connection; to give an attacker less per connection, lower them, for example LoginGraceTime 30 and MaxAuthTries 3.
You can also disable root logins (PermitRootLogin no) or restrict SSH to certain IP addresses, but I am on an ISP with dynamic addresses and I am used to logging in as root over SSH, so I only use the settings above.
IPTables protection
Relying on sshd_config alone is not enough: the attacking host keeps opening connections, and every attempt still costs sshd CPU time and adds another line to /var/log/secure. I needed a way to drop the malicious packets before they reach sshd. If that works, the bot gets no response at all, as if my server were offline, and will eventually give up. For the iptables rules I found this great article: SSH Dictionary Attack Prevention with iptables (see the references). With the rules below a source address gets at most three new SSH connections in any 60-second window; the fourth attempt, and every further one while the attempts keep coming, is dropped, because --update refreshes the entry each time it matches. Adjust --seconds and --hitcount to your needs. Keep in mind what this does and does not stop: it limits new connections per source address, so each accepted connection still gets MaxAuthTries password guesses, and an attacker spreading attempts over many addresses is not slowed down.

If you already have a rule in the INPUT chain that accepts SSH, remove it and add these rules instead. The last rule drops everything the earlier rules did not accept, so make sure the chain also accepts loopback and ESTABLISHED,RELATED traffic before it, otherwise the replies to the server's own outbound connections (DNS, yum and so on) are dropped too. If SSH is your only way into the server, change the rules carefully, or you may lock yourself out!
iptables -N SSH_CHECK
# every new connection to port 22 is sent through SSH_CHECK first
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
# record the source address, then drop once it has been seen 4 times in 60 seconds
iptables -A SSH_CHECK -m recent --set --name SSH
iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
# a packet that was not dropped returns to INPUT and is accepted here
iptables -A INPUT -p tcp -m multiport --destination-ports 22 -j ACCEPT
# everything not accepted above is dropped
iptables -A INPUT -j DROP
You can put these commands in your iptables shell script, or apply them once and run service iptables save so they end up in /etc/sysconfig/iptables (that file is in iptables-save format, not the command form above). After all these changes, restart both services to make sure the new configuration is actually loaded:
> service sshd restart
> service iptables restart
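To apply the whole IPTables section in one go, here is the rule set as a small script. This is an added example, not code from the original post or from the article it refers to: it keeps the SSH_CHECK logic exactly as above, but adds the loopback and ESTABLISHED,RELATED ACCEPT rules in front of the final DROP, and an optional TRUSTED address that bypasses the rate limit so a mistake in the limits cannot lock that host out. The dry-run default (IPT set to "echo iptables") and the TRUSTED variable are my additions. It assumes iptables with the state and recent match modules, which the rules above already require, and it rebuilds the INPUT chain from scratch, so any other rules you depend on (HTTP, for instance) have to be added to it.

```shell
#!/bin/sh
# Generate (or apply) the SSH rate-limiting rule set.
#
# IPT is the command that receives each rule. The default only echoes the
# commands so the set can be reviewed on any machine; run
#   IPT=iptables TRUSTED=192.0.2.10 ./ssh_rules.sh
# as root to apply it (TRUSTED is optional: an address or CIDR allowed to
# connect without going through the rate limit). IPT is deliberately left
# unquoted below so that "echo iptables" splits into two words.
IPT="${IPT:-echo iptables}"
TRUSTED="${TRUSTED:-}"

# ssh_rules [port] [window_seconds] [hitcount]
# Defaults match the post: port 22, a 60 s window, and dropping from the
# 4th new connection onwards (--hitcount matches when the count reaches 4).
ssh_rules() {
    port="${1:-22}"; window="${2:-60}"; hits="${3:-4}"

    # Rebuild INPUT from a clean state with an ACCEPT policy; the explicit
    # trailing DROP does the rejecting, so a half-built chain never blocks us.
    $IPT -P INPUT ACCEPT
    $IPT -F INPUT
    $IPT -F SSH_CHECK 2>/dev/null || true
    $IPT -X SSH_CHECK 2>/dev/null || true

    # Not in the post's list: without these, the final DROP also discards
    # loopback traffic and the replies to the server's own outbound
    # connections (DNS, yum, ...).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Optional administrative safety valve, evaluated before the rate limit.
    if [ -n "$TRUSTED" ]; then
        $IPT -A INPUT -p tcp --dport "$port" -s "$TRUSTED" -j ACCEPT
    fi

    # Every NEW connection to the SSH port goes through SSH_CHECK. --set
    # records the source address; --update counts the recorded hits within
    # the window and drops the packet once there are $hits of them, refreshing
    # the entry so a host that keeps hammering stays blocked. A packet that is
    # not dropped falls off the end of SSH_CHECK, returns to INPUT and is
    # accepted by the port rule that follows.
    $IPT -N SSH_CHECK
    $IPT -A INPUT -p tcp --dport "$port" -m state --state NEW -j SSH_CHECK
    $IPT -A SSH_CHECK -m recent --set --name SSH
    $IPT -A SSH_CHECK -m recent --update --seconds "$window" --hitcount "$hits" --name SSH -j DROP
    $IPT -A INPUT -p tcp --dport "$port" -j ACCEPT

    # Everything not accepted above is dropped.
    $IPT -A INPUT -j DROP
}

ssh_rules "$@"
```

Run it without IPT first and read the printed commands; only when the ordering looks right (loopback and ESTABLISHED,RELATED accepted before the SSH_CHECK jump, DROP last) apply it with IPT=iptables and then save the result with service iptables save.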
Reference:
- http://aymanh.com/tips-to-secure-linux-workstation
- http://hostingfu.com/article/ssh-dictionary-attack-prevention-with-iptables