Re: SSH brute force attack prevention
Posted: 18 Jan 2010, 05:32
by Puma
Hello,
Can someone give me an example of using a static IPTABLES-based solution (only connections from whitelisted IP addresses)?
Thanks in advance
Puma
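One way to build the static whitelist Puma is asking about, added here as an example and not code from the thread or from the Bubba firmware: a small shell script that emits iptables rules in the same "-A INPUT ..." form that /etc/networking/firewall.conf uses, so that only listed sources can open an SSH connection. The addresses are constructed placeholders from the RFC 5737 documentation ranges; substitute your own trusted hosts.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Bubba firmware: generate
# iptables rules (in the "-A INPUT ..." iptables-restore form that
# /etc/networking/firewall.conf uses) so that only whitelisted sources may open
# SSH connections. The addresses used below are constructed placeholders from
# the RFC 5737 documentation ranges; substitute your own trusted hosts.

# Print the rule set for PORT given a whitespace-separated list of sources
# (single addresses or CIDR blocks). Usage: ssh_whitelist_rules 22 "A B/24"
ssh_whitelist_rules() {
    port=$1
    sources=$2
    # Let sessions that are already open continue even if the list changes later.
    printf '%s\n' "-A INPUT -p tcp -m tcp --dport $port -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # One ACCEPT per trusted source, restricted to new connections.
    for src in $sources; do   # unquoted on purpose: split on whitespace
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $port -s $src -m state --state NEW -j ACCEPT"
    done
    # Everything else aimed at the SSH port is dropped. Rule order matters in
    # iptables, so this catch-all has to come after the ACCEPT lines.
    printf '%s\n' "-A INPUT -p tcp -m tcp --dport $port -j DROP"
}

# True if SRC appears verbatim in the generated ACCEPT rules. This is a literal
# string check for sanity-testing the list, not CIDR containment arithmetic.
is_whitelisted() {
    ssh_whitelist_rules "$1" "$2" | grep -qF -- "-s $3 "
}

# Stand-alone run: print the rules for two constructed trusted sources.
ssh_whitelist_rules 22 "192.0.2.10 198.51.100.0/24"
```

The generated lines go at the end of the INPUT rules, like mcg's set further down the thread. Keep at least one source you can always reach the box from (a LAN range, for instance), because once the DROP line is loaded a typo in the list locks you out of SSH from everywhere else.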
Re: SSH brute force attack prevention
Posted: 18 Jan 2010, 07:10
by Gerrard
I have been using hosts.deny and hosts.allow to "protect" my bubba.
In my hosts.deny I have this:
ALL: ALL
and in my hosts.allow I have a list of trusted hosts that I allow to connect.
Is this the best way to approach this? Which problems can I expect? Should I use iptables instead?
Re: SSH brute force attack prevention
Posted: 18 Jan 2010, 21:55
by mcg
This is what I'm using. Add this to the end of your INPUT rules (in /etc/networking/firewall.conf).
# These rules count every packet to port 22, so they assume an earlier INPUT rule
# already accepts ESTABLISHED,RELATED traffic; if yours does not, add
# "-m state --state NEW" to the --set and --update lines so that an open session
# is not counted against the limit.
# Record the source of each packet to port 22 in the "SSH" recent list
-A INPUT -p tcp -m tcp --dport 22 -m recent --set --name SSH
# Logging rule, commented out (see the note below): fires on the 4th hit from one source within 60 s
#-A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH Attack: "
# Drop the 4th and later hits from one source within 60 s (--rttl also requires the TTL to match)
-A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# Anything that was not dropped above is allowed through
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
Note that I commented out the logging command. As I've written it, it would log every single attack attempt, and that might flood the log. I don't really care to do anything but drop those connections anyway, so I commented it out. There's a way to rate-limit the log messaging, which would be a great compromise, but I didn't bother to work that out.
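The rate-limited logging mcg mentions, worked out as an added example (this is not mcg's code or the Bubba firmware's): the same recent-module throttle, but with the LOG rule kept and capped through the iptables "limit" match, followed by a small summary over the log lines such a rule produces. The sample log lines are constructed; real kernel log lines carry more fields.

```shell
#!/bin/sh
# Added example, not mcg's code or the Bubba firmware's: the same recent-module
# throttle, but with the LOG rule kept and rate-limited through the "limit"
# match, plus a small summary over the resulting log lines. Rules are emitted
# in the "-A INPUT ..." form used by /etc/networking/firewall.conf.

# Print the rule set. PORT is the SSH port, WINDOW the seconds to look back,
# HITS the number of new connections per source allowed in that window, and
# LOGRATE the ceiling for log lines (limit-match syntax, e.g. 3/min).
# The recent rules match only NEW connections so an open interactive session,
# which sends far more than HITS packets a minute, is never counted.
ssh_throttle_rules() {
    port=$1; window=$2; hits=$3; lograte=$4
    base="-A INPUT -p tcp -m tcp --dport $port -m state --state NEW"
    recent="-m recent --update --seconds $window --hitcount $hits --rttl --name SSH"
    printf '%s\n' "$base -m recent --set --name SSH"
    # The limit match is a single token bucket for the rule, not one per source:
    # at most LOGRATE lines in total, with a burst of 5, however many sources.
    printf '%s\n' "$base $recent -m limit --limit $lograte --limit-burst 5 -j LOG --log-prefix \"SSH Attack: \""
    printf '%s\n' "$base $recent -j DROP"
    printf '%s\n' "-A INPUT -p tcp -m tcp --dport $port -j ACCEPT"
}

# Constructed sample of the kernel log lines the LOG rule produces (real lines
# carry more fields); the last line is an unrelated sshd message.
SAMPLE_LOG='Feb  1 21:59:01 bubba kernel: SSH Attack: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=51234 DPT=22
Feb  1 21:59:02 bubba kernel: SSH Attack: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=51235 DPT=22
Feb  1 21:59:05 bubba kernel: SSH Attack: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=22
Feb  1 22:00:10 bubba sshd[1234]: Accepted publickey for admin from 192.0.2.10 port 50000 ssh2'

# Read log text on stdin and print "<count> <source>" for every throttled
# source, busiest first. Only lines carrying the "SSH Attack: " prefix count.
ssh_attack_summary() {
    grep 'SSH Attack: ' | sed -n 's/.*SRC=\([^ ]*\).*/\1/p' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Stand-alone run: show the rules and the summary of the sample log.
ssh_throttle_rules 22 60 4 3/min
printf '%s\n' "$SAMPLE_LOG" | ssh_attack_summary
```

Because the limit bucket is shared by every source, a busy night shows at most a few lines a minute in total; the summary therefore tells you which sources were throttled most, not exactly how many attempts each made. The DROP rule still applies per source and is not affected by the log cap.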
Re: SSH brute force attack prevention
Posted: 26 Jan 2010, 03:53
by Adain
Thanks for taking the time to help, I really appreciate it.
Re: SSH brute force attack prevention
Posted: 01 Feb 2010, 17:01
by mad
Another way is to implement port knocking as described here:
http://forum.excito.net/viewtopic.php?f=8&t=1399
Re: SSH brute force attack prevention
Posted: 01 Feb 2010, 21:59
by mcg
Yes, that's a great alternative too. Only downside is that you have to have ready access to a knock client on any machine from which you intend to originate an SSH connection. But honestly, I think that in my case, I would. Might have to look into this more.
Re: SSH brute force attack prevention
Posted: 02 Feb 2010, 17:02
by mad
mcg wrote: Yes, that's a great alternative too. Only downside is that you have to have ready access to a knock client on any machine from which you intend to originate an SSH connection. But honestly, I think that in my case, I would. Might have to look into this more.
If you have telnet or a web browser on your computer you can use them to knock, so that's pretty much a non-issue. But yes, it is a bit cumbersome.
Re: SSH brute force attack prevention
Posted: 03 Feb 2010, 01:42
by Eek
I have some practices I use to avoid being vulnerable to brute force attacks:
1. relocate the SSH port, for example not 22 but 6666, as all scanners are looking for easy targets on port 22.
2. only have the SSH port exposed to those servers that I really need/want to access using SSH.
3. only allow an SSH key and not a password.
4. or have a really good password (system)
http://forum.excito.net/viewtopic.php?f=8&t=1007
tip: listen to
http://www.grc.com/sn
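A way to check a box against items 1 and 3 of Eek's list before exposing it, added here as an example (not from Eek's post or the Bubba firmware): a shell audit of sshd_config that reports whether the port is off 22 and whether password logins are disabled in favour of keys. Both configs in the script are constructed samples, and the reader assumes plain "Keyword value" lines with the first occurrence winning, as sshd does, and no Match blocks.

```shell
#!/bin/sh
# Added example, not from Eek's post or the Bubba firmware: an audit of an
# sshd_config against items 1 and 3 of the list (non-default port, keys only),
# so a box can be checked before it is exposed. Both configs below are
# constructed samples. Assumptions: plain "Keyword value" lines, first
# occurrence wins (as sshd does), no Match blocks.

# Print the effective value of KEYWORD from an sshd_config read on stdin, or
# DEFAULT when it is not set. Keyword matching is case-insensitive and
# commented lines are skipped; the value is lower-cased for easy comparison.
sshd_option() {
    awk -v key="$1" -v def="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }'
}

# Audit a config from stdin: one PASS/FAIL line per check, and the number of
# failed checks is returned as the exit status (0 means all good).
audit_sshd_config() {
    cfg=$(cat)
    fails=0
    port=$(printf '%s\n' "$cfg" | sshd_option Port 22)
    pw=$(printf '%s\n' "$cfg" | sshd_option PasswordAuthentication yes)
    pk=$(printf '%s\n' "$cfg" | sshd_option PubkeyAuthentication yes)
    # item 1: do not sit on port 22, where every scanner looks first
    if [ "$port" = 22 ]; then
        printf 'FAIL Port is 22\n'; fails=$((fails + 1))
    else
        printf 'PASS Port %s\n' "$port"
    fi
    # item 3: no password logins, keys only
    if [ "$pw" = no ]; then
        printf 'PASS PasswordAuthentication no\n'
    else
        printf 'FAIL PasswordAuthentication %s\n' "$pw"; fails=$((fails + 1))
    fi
    if [ "$pk" = yes ]; then
        printf 'PASS PubkeyAuthentication yes\n'
    else
        printf 'FAIL PubkeyAuthentication %s\n' "$pk"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed: a stock-looking config where the defaults are left in place.
WEAK_CONFIG='# sshd_config (constructed sample)
#Port 22
#PasswordAuthentication yes
PubkeyAuthentication yes'

# Constructed: the same box after applying items 1 and 3 from the list.
HARDENED_CONFIG='# sshd_config (constructed sample)
Port 6666
PasswordAuthentication no
PubkeyAuthentication yes'

# Stand-alone run: audit both samples and report the outcome of each.
for cfg in "$WEAK_CONFIG" "$HARDENED_CONFIG"; do
    if printf '%s\n' "$cfg" | audit_sshd_config; then
        printf 'result: ok to expose\n'
    else
        printf 'result: %s check(s) failed\n' "$?"
    fi
done
```

Run it against the live file with `audit_sshd_config < /etc/ssh/sshd_config`. Before turning PasswordAuthentication off, make sure a key login already works from a second terminal, or the box may be locked out just as effectively as by a firewall mistake.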