sshdfilter: Stop SSH brute force attacks

One of my clients recently complained that one of the servers was a bit slow at times. Upon checking the logs I found a string of attacks against that server. People from Russia, China, Bolivia, the US and many other countries were running scripts to attempt to hack into the server.

I investigated many potential solutions and then came up with a plan. This method seems to make guessing at passwords much more inconvenient for the attacker. This is what I did.

The most important step is to audit which accounts can log in through ssh. Only allow accounts that genuinely need access to the system to log in. That way there is less chance that one of them has a weak password, and there are fewer potential points of entry. This particular server was locked down from the start, and very few accounts can log in.

I then edited the /etc/ssh/sshd_config configuration file and disabled the SSH1 protocol by changing Protocol 1,2 to Protocol 2. There are apparently some security problems with SSH1. I did not dig into the details; please add a comment to this post if you know why it is insecure. I also disabled root logins by making sure that PermitRootLogin no is set.

I initially wanted to make it so that, upon entering an incorrect password, one would be locked out for a fixed amount of time. This is possible using PAM; however, it is my understanding that the SSH daemon uses a different method. There are ways to have the SSH daemon use PAM, but I did not want to make major changes to the system. The more changes I make, the more chance that something will not work correctly.
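The three sshd_config changes above are easy to get subtly wrong (a commented-out PermitRootLogin line, for instance, changes nothing). The following audit script is an added example, not something from the original post or from the sshdfilter package: it reads the global section of an sshd_config and reports whether Protocol 2, PermitRootLogin no and an AllowUsers list are actually in effect. The two sample config files it writes are constructed for the example; point audit_sshd_config at /etc/ssh/sshd_config to check a real host.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# three settings discussed above. The sample configs written below are
# constructed for this example.

# Print the effective value of a keyword in the global section of an
# sshd_config. sshd uses the first occurrence of a keyword, ignores comment
# lines, and matches keywords case-insensitively; anything after a "Match"
# line is conditional, so the scan stops there.
sshd_setting() {
    # $1 = config file, $2 = keyword
    awk -v key="$2" '
        /^[[:space:]]*#/            { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Run the three checks; print one line per check and return 0 only if all pass.
audit_sshd_config() {
    cfg="$1"
    status=0

    proto=$(sshd_setting "$cfg" Protocol)
    if [ "$proto" = "2" ]; then
        echo "OK   Protocol 2"
    else
        echo "FAIL Protocol is '${proto:-unset}' (want 2, so SSH1 is never offered)"
        status=1
    fi

    root=$(sshd_setting "$cfg" PermitRootLogin)
    if [ "$root" = "no" ]; then
        echo "OK   PermitRootLogin no"
    else
        # A commented-out line does not count: the compiled-in default applies.
        echo "FAIL PermitRootLogin is '${root:-unset}' (want no)"
        status=1
    fi

    users=$(sshd_setting "$cfg" AllowUsers)
    if [ -n "$users" ]; then
        echo "OK   AllowUsers limits ssh logins to: $users"
    else
        echo "FAIL no AllowUsers line, so every account on the system may log in"
        status=1
    fi
    return $status
}

# Constructed sample 1: a typical default-looking config before hardening.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# sshd_config (constructed sample)
Port 22
Protocol 1,2
#PermitRootLogin no
PasswordAuthentication yes
EOF

# Constructed sample 2: the same file after the changes described in the post.
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
AllowUsers alice bob
PasswordAuthentication yes
EOF
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

echo "== before hardening =="
audit_sshd_config "$WEAK_CFG" || echo "-> audit failed"
echo "== after hardening =="
audit_sshd_config "$HARD_CFG" && echo "-> audit passed"
```

The script deliberately stops at the first Match line, because settings inside a Match block only apply to the matched users or addresses and would otherwise be mistaken for global ones. Re-run it after every edit, and remember that sshd only picks up the file after a reload.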

While researching, I stumbled upon sshdfilter, a script that monitors ssh login attempts. When it detects malicious activity, it adds an iptables rule that blocks the offending IP address from connecting to the SSH daemon. iptables is very low-level, as it is implemented in the kernel, so blocked attempts are simply dropped with very little overhead: they never even reach the SSH daemon. Since the packets are silently dropped, the script being run against the server will likely hang, as it no longer receives any packets back from the server.

The install is not too difficult; simply follow the instructions in the INSTALL file from the package. Make sure that the initial iptables rules it instructs you to add will survive a reboot. sshdfilter needs to start instead of your ssh daemon, as it in turn runs your ssh daemon and monitors its login attempts, so make sure this is reflected in your init scripts.
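To make the mechanism from the two paragraphs above concrete, here is an added example of the log-to-firewall logic that sshdfilter automates: count failed password attempts per source address in sshd's log output and turn the worst offenders into DROP rules. This is not sshdfilter's own code, and the threshold of three failures, the port 22 match and the exact rule format are assumptions for illustration. The log lines are constructed, using addresses from the documentation ranges (RFC 5737), and the rules are printed rather than executed.

```shell
#!/bin/sh
# Added example, not sshdfilter's own code: the kind of log-to-firewall logic
# sshdfilter automates, run here over constructed sshd log lines. The
# threshold, port and rule format are assumptions for illustration.

# Print each source address with at least $2 "Failed password" entries in log $1.
offending_ips() {
    awk -v limit="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address follows the word "from" in sshd log lines
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= limit) print ip }
    ' "$1" | sort
}

# Emit (print, do not run) one DROP rule per offending address, limited to the
# sshd port so nothing else the host serves is affected. DROP rather than REJECT
# is what makes the attacking script hang: it never gets an answer.
block_rules() {
    offending_ips "$1" "$2" | while read -r ip; do
        echo "iptables -I INPUT -s $ip -p tcp --dport 22 -j DROP"
    done
}

# Constructed sample log: one address hammering the server, one legitimate user
# who mistyped once, and one address with a single probe.
AUTH_LOG=$(mktemp)
cat > "$AUTH_LOG" <<'EOF'
Mar  3 10:01:02 host sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Mar  3 10:01:05 host sshd[2203]: Failed password for invalid user oracle from 203.0.113.45 port 51140 ssh2
Mar  3 10:01:09 host sshd[2205]: Failed password for root from 203.0.113.45 port 51171 ssh2
Mar  3 10:01:15 host sshd[2207]: Failed password for invalid user test from 203.0.113.45 port 51199 ssh2
Mar  3 10:02:30 host sshd[2210]: Failed password for alice from 198.51.100.7 port 40012 ssh2
Mar  3 10:02:41 host sshd[2210]: Accepted password for alice from 198.51.100.7 port 40012 ssh2
Mar  3 10:03:12 host sshd[2215]: Failed password for invalid user pi from 192.0.2.99 port 60001 ssh2
EOF
trap 'rm -f "$AUTH_LOG"' EXIT

echo "== addresses with at least 3 failures =="
offending_ips "$AUTH_LOG" 3
echo "== rules that would be added =="
block_rules "$AUTH_LOG" 3
```

Two practical points follow from this. Rules inserted at runtime like these vanish on reboot, which is why the INSTALL file's base rules need to be saved (iptables-save) and restored by your distribution's boot-time mechanism. And a threshold-based blocker will eventually catch you: exempt the addresses you administer from so that a few mistyped passwords from your own office do not lock you out.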

These changes will not make your server hack-proof; there is no such thing as an unhackable server. Implementing sshdfilter simply makes it less likely that someone running a dictionary attack against your server will succeed. My client has been very happy, and the server has been running smoothly.
