Preventing Brute Force SSH Attacks

Many VPS customers are surprised at the number of failed SSH login attempts to their servers. By just having a listening server on the Internet, you will get dozens or even hundreds of brute force login attempts each day. Most of these attempts come from automated scripts running on other compromised machines. If you are tired of reading through the failed attempts in the logs, there are a number of things that you can to do block the attempts, or otherwise make them unsuccessful.

1- If you will always be connecting to your server from the same IP address, you can firewall off port 22 to everything EXCEPT your own IP address.

iptables -A INPUT -p tcp -d 0/0 -s YOUR.IP.GOES.HERE –dport 22 -j ACCEPT
iptables -A INPUT -p tcp -d 0/0 –dport 22 -j DROP

Then run ‚iptables-save‘

Note: if you setup IP tables this way then it may cause you to lose ssh access to your server if your IP ever changes. And it can also make access to your server by RimuHosting staff more difficult.  It will also obviously prevent you from connecting to your server except from that one source IP.

2- Run sshd on a non-standard port. Since most automated attacks only attempt to connect on port 22, this can be an effective way to hide from automated attackers. To configure this, just change the Port line in /etc/ssh/sshd_config and restart ssh

Port 1022

3- Use the AllowUsers directive in the ssh configuration to only allow certain users or IP’s. In /etc/ssh/sshd_config, you can specify a list of allowed users like this:

AllowUsers bob john root@ root@

This will allow users ‚bob‘ and ‚john‘ to log in from anywhere, and root is only allowed to log in from those two IP addresses.

4- Use strong passwords! Brute force attempts will try common passwords like words (or combinations of words) in a dictionary, names, and common passwords. Strong passwords generally use a combination of upper and lower-case characters, numbers, and non-alphanumeric characters.

5- Even better, don’t use passwords at all. Instead, install your public key on the server and use it to log in. If all of your users will use public keys, you can set PasswordAuthentication to ’no‘. To disable password authentication just for root, use ‚PermitRootLogin without-password‘. For Debian/Ubuntu, you’ll also need to turn off ‚UsePam‘ and ‚ChallengeResponseAuthentication‘.

6- If you need to permit logins from arbitrary addresses, consider using a program like DenyHosts or Fail2ban. They watch for failed logins and add the IP addresses of attackers to /etc/hosts.deny and/or update firewall rules to null route them. DenyHosts can also be configured to synchronize with a global database so you can proactively deny hosts that other users have blacklisted.  Keep in mind that mistyping your password when you try to log in will then probably lock you out of your VPS.

7- Use ‚hashlimit‘ in ‚iptables‘:

iptables -I INPUT -m hashlimit -m tcp -p tcp –dport 22 –hashlimit 1/min
–hashlimit-mode srcip –hashlimit-name ssh -m state –state NEW -j ACCEPT

This rule limits one connection to the SSH port from one IP address per minute.

For more information, ‚man iptables‘ and ‚iptables -m hashlimit –help‘.

8 – Use port knocking to completely hide the port your SSH server is listening too; example.  This will of course make it pretty complicated for you to log in.

If you manage to lock yourself out, you can always log in using your root password via the Console over SSH feature.