Protect your server from SSH attack

Today I found that an IP address in Turkey keeps trying to log in to my server, and that my current settings have no protection against this brute-force login, so I did a Google search on the topic and would like to share what I found with you guys.

To check whether your server is currently being attacked via SSH, use this command:

> tcpdump port ssh

sshd config

In CentOS, the sshd config is located at /etc/ssh/sshd_config. I have uncommented the following lines:

You can also limit root access, allow only certain IPs to access SSH, and so on. However, I’m on an ISP with dynamic IP addresses and I’m used to root SSH access, so I only use these settings.

IPTables protection

Relying only on sshd_config is not enough: the attacking host still keeps sending login requests and could possibly paralyse the network traffic of the Linux box. I need a way to block (drop) the malicious packets. If I can achieve that, the attack bot will receive no response from my server, as if the server were disconnected, and will eventually stop attacking it.

Now I need the correct iptables settings. I found this great article: SSH Dictionary Attack Prevention with iptables. With these rules, you can prevent any host from initiating more than 4 SSH connections in a 60-second window (you can adjust the parameters to your needs). Note that if you have already added a rule in the INPUT chain to allow SSH access, you need to remove it and add these rules instead. (If you have no access to the server other than SSH, change the rules carefully! Otherwise you may lock yourself out of the server too!)

You can add these to your iptables shell script, or add them to /etc/sysconfig/iptables. After setting all this up, it’s good practice to restart the services to make sure the configs take effect:
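As an added example (my own, not the rules from the linked article or the author's iptables script), here is a POSIX shell script that prints, and optionally applies, rate-limiting rules of the kind described above using the iptables "recent" module. Port 22, the 60-second window and the 4-connection limit are assumed defaults taken from the text; the function names and the --apply switch are my own.

```shell
#!/bin/sh
# Added example (not the rules from the linked article or the author's script):
# rate-limit NEW SSH connections per source IP with the iptables "recent" module,
# dropping a source once it has opened HITS new connections within WINDOW seconds.
# Port, window and hit count are assumed defaults; adjust to taste.

# Print the rules instead of applying them, so they can be reviewed first
# (locking yourself out over SSH is the classic failure mode of this change).
ssh_ratelimit_rules() {
    port="${1:-22}"
    window="${2:-60}"
    hits="${3:-4}"
    # Rule 1 records the source address of every new SSH connection in list "SSH".
    # Rule 2 drops the packet if that source already has HITS entries in the last
    # WINDOW seconds (--rttl also requires the TTL to match the recorded one).
    # Rule 3 accepts new SSH connections that survived the check.
    cat <<EOF
iptables -A INPUT -p tcp --dport ${port} -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport ${port} -m state --state NEW -m recent --update --seconds ${window} --hitcount ${hits} --rttl --name SSH -j DROP
iptables -A INPUT -p tcp --dport ${port} -m state --state NEW -j ACCEPT
EOF
}

# Apply the rules for real. Refuses to run as non-root, and first makes sure
# established sessions (including the one you are typing in) keep working.
apply_ssh_ratelimit() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_ssh_ratelimit: must be root" >&2; return 1; }
    iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    ssh_ratelimit_rules "$@" | sh -e
}

# Usage: ./ssh-ratelimit.sh [port [window [hits]]]          -> print the rules (dry run)
#        ./ssh-ratelimit.sh --apply [port [window [hits]]]  -> install them (as root)
if [ "${1:-}" = "--apply" ]; then
    shift
    apply_ssh_ratelimit "$@"
else
    ssh_ratelimit_rules "$@"
fi
```

Run it without --apply first and compare the printed rules with what is already in your INPUT chain (iptables -S INPUT) before installing them.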

> service sshd restart
> service iptables restart