How to deal with SSH brute-force attacks

Anyone who runs an SSH server on the default port (22) knows that every day hundreds, sometimes thousands, of login attempts show up in the logs. Some come from fully automated bots, others from possible human attackers scanning one target at a time.

How is this done? It's pretty simple: a program tries the user root, or a dictionary of likely usernames, against a dictionary of likely passwords. If your password is in that dictionary, it's game over for you.

There are many ways to protect against this, such as blacklisting an IP address after a defined number of failed attempts in a given time window. But you can also have some fun with it. The article linked below is kind of old, but it's worth a look.

By changing the source code of the OpenSSH server and adding a sleep(10) call in the authentication code, you can make anyone trying to break into your box despair. Keep in mind that sshd forks a separate process per connection, so the delay only slows down each attacker session: a bot that opens many connections in parallel is barely affected, while every sleeping session occupies one of the unauthenticated-connection slots limited by MaxStartups. If passwords are not needed at all, PasswordAuthentication no in sshd_config takes the dictionary's target away entirely.

Check it here.


5 Responses to “How to deal with SSH brute-force attacks”

  1. Luís Miranda
    18. September 2008 at 12:27

    I run mine on port 443, which helps bypass excessively restrictive firewalls, but if I didn’t I would probably use port knocking.

  2. Carlos Rodrigues
    18. September 2008 at 15:56

    Blacklisting the source after a certain number of attempts in a certain time interval is quite effective (and easy, with iptables), especially if done globally at the network firewall level.

    Or, if using iptables, one can use the TARPIT target. :)

  3. dottore #46
    18. September 2008 at 21:11

    iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource

    iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j LOG --log-prefix "SSH_BRUTE_FORCE " --log-level 7

    iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP

    Change the log-prefix and log-level to whatever you want, and change hitcount or seconds to tune the "sensitivity". As it stands, it accepts at most 3 connections per IP every 60 seconds. If there is any additional connection, all TCP traffic coming from that IP will be ignored for 60 seconds, and each subsequent connection attempt will reset that counter to 60 seconds.

  4. dottore #46
    18. September 2008 at 21:14

    Oops, sorry, major brain fart, that was supposed to be in English.

    Translation: Change the log-prefix and log-level accordingly, as well as the hitcount and seconds to fine tune the sensitivity. As is, it will accept 3 connections per ip every 60 seconds, ignoring all tcp traffic from the offending ip for 60 seconds after that. If there is any subsequent hit on port 22 during the 60 second grace period the clock will be rolled back to 60.
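The following Python script is an added example, not code from the article or from the commenters above. It models what dottore #46's three iptables rules do with the xt_recent module (the "blacklist after N attempts in a time window" approach the article mentions) by replaying a constructed list of NEW connections to port 22 through the rule logic: rule 1 records every connection, rules 2 and 3 log and drop once a source has 4 or more recorded connections within the last 60 seconds. The sample addresses and timestamps are constructed, and the 20-timestamps-per-address cap is the assumed xt_recent default (ip_pkt_list_tot); the rule semantics are taken from the rules as posted.

```python
"""Model of the iptables 'recent' rate limit used against SSH brute force.

Added example; not code from the article or its comments. Replays constructed
NEW TCP connections to port 22 through the logic of the three posted rules:

  rule 1: -m recent --set                                 (record the packet)
  rule 2: -m recent --update --seconds 60 --hitcount 4 -j LOG
  rule 3: -m recent --update --seconds 60 --hitcount 4 -j DROP
"""
from collections import defaultdict, deque

SECONDS = 60        # --seconds 60
HITCOUNT = 4        # --hitcount 4
PKT_LIST_TOT = 20   # assumed: xt_recent default ip_pkt_list_tot (timestamps kept per address)


class RecentList:
    """Minimal model of one xt_recent list keyed by source address (--rsource)."""

    def __init__(self, pkt_list_tot=PKT_LIST_TOT):
        # The oldest timestamp is discarded once an address holds pkt_list_tot
        # entries, which is why --hitcount must not exceed ip_pkt_list_tot.
        self.hits = defaultdict(lambda: deque(maxlen=pkt_list_tot))

    def set(self, src, now):
        """--set: add the current packet's timestamp to the source's entry."""
        self.hits[src].append(now)

    def update(self, src, now, seconds, hitcount):
        """--update --seconds S --hitcount N: match when the source has at least
        N recorded packets inside the last S seconds. The current packet counts,
        because the --set rule already ran for it; its timestamp is also the
        refreshed 'last seen' value that --update writes on a match."""
        window = [t for t in self.hits[src] if now - t <= seconds]
        return len(window) >= hitcount


def filter_new_connections(events, seconds=SECONDS, hitcount=HITCOUNT):
    """Run (time_in_seconds, src_ip) NEW connections through the chain.

    Returns a list of (time, src_ip, verdict). A DROP verdict is where rule 2
    would write a kernel log line prefixed 'SSH_BRUTE_FORCE ' and rule 3 would
    discard the SYN."""
    table = RecentList()
    verdicts = []
    for now, src in events:
        table.set(src, now)                                  # rule 1, always
        if table.update(src, now, seconds, hitcount):        # rules 2 and 3
            verdicts.append((now, src, "DROP"))
        else:
            verdicts.append((now, src, "ACCEPT"))
    return verdicts


def blocked_sources(verdicts):
    """Addresses that received at least one DROP."""
    return {src for _, src, verdict in verdicts if verdict == "DROP"}


# Constructed sample: a scanner on 203.0.113.5 and one legitimate client on
# 198.51.100.7 (documentation prefixes, not real hosts).
SAMPLE_EVENTS = [
    (0, "203.0.113.5"),
    (5, "198.51.100.7"),
    (10, "203.0.113.5"),
    (20, "203.0.113.5"),
    (30, "203.0.113.5"),    # 4th hit inside 60 s: dropped
    (50, "203.0.113.5"),    # dropped, and the dropped SYN is itself recorded by --set
    (70, "203.0.113.5"),    # hits from t=10 on are still inside the window: dropped
    (140, "203.0.113.5"),   # nothing after t=80 but this one: window drained, accepted
]

if __name__ == "__main__":
    verdicts = filter_new_connections(SAMPLE_EVENTS)
    for now, src, verdict in verdicts:
        print(f"t={now:4d}s  {src:<14s} {verdict}")
    print("blocked:", sorted(blocked_sources(verdicts)))
```

Two things the replay makes visible. The rules count new connections, not failed logins, so an administrator who opens a fourth session within a minute is dropped just like the bot (SSH connection multiplexing with ControlMaster avoids that), while a bot that paces itself to one attempt every 20 seconds, or spreads the dictionary across many source addresses, never trips the hitcount. And because the dropped SYNs are recorded too, a persistent source stays blocked until it goes quiet for the whole window.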

  5. Carlos Rodrigues
    20. September 2008 at 10:22

    With FireHOL (http://firehol.sourceforge.net), those commands could be reduced to "server accept ssh with recent SSH 30 4".
