

SSH Brute Force




Posted by usdedi, 10-10-2013, 05:30 AM
I have a Netscreen firewall, and every day there is a log about SSH Brute Force. I'm kind of worried. So is there any open source software to protect against brute force on the Linux machine? Thank you.

Posted by EthernetServers, 10-10-2013, 05:34 AM
Have you considered CSF/LFD? http://configserver.com/cp/csf.html You can configure brute force protection to block IP addresses after x amount of failed login attempts.

Posted by LeaseWeb - Simos, 10-10-2013, 05:48 AM
If you are still using port 22, consider changing it. You can also use fail2ban, which scans your logs and bans the IPs that are trying to brute force your server.

Posted by Andrew-x, 10-10-2013, 05:55 AM
The best way to do it is to block IPs, as said above.

Posted by kevincheri, 10-10-2013, 06:03 AM
A software firewall like csf-lfd will be needed, and also change the SSH port to not something common. Still, there will be attempts to get through, they are common.

Posted by khunj, 10-10-2013, 12:46 PM
You can close your SSH port (and any other similar port used for admin purposes) and use port knocking. knockd is a small daemon easy to set up.

Posted by BrianHarrison, 10-10-2013, 12:55 PM
Firewalls with SSH brute force blocking are great, but if you use a strong password and enforce strong passwords on every user who you have granted SSH access then you don't have too much to worry about. Those SSH brute force attacks will only attempt a short list of common passwords, they're not running an actual brute force attack which would involve attempting every possible password in sequential order.

Posted by usdedi, 10-10-2013, 07:43 PM
There are too many different attack IPs, so it is hard to block them.

Posted by usdedi, 10-10-2013, 07:46 PM
I will install fail2ban and change the SSH port. Thank you all for helping me.

Posted by Vex76, 10-11-2013, 03:06 AM
You can also restrict your administrative users (root/admin etc) to connect only from particular IP addresses. man sshd_config man ssh_config

Posted by prashant1979, 10-15-2013, 02:26 AM
Does Netscreen block the Brute Force? If yes, then you don't need to worry as far as it is able to block the attacks. Also, you should consider changing Password Authentication to Public Key authentication and also change the SSH port for more security.

Posted by BitaTel, 10-15-2013, 08:52 AM
The best idea is to use a whitelist ACL approach instead of blacklisting the attacking IPs. Drop all SSH traffic except for IPs specifically in your whitelist; different attackers will always come if you simply leave the port open.

Posted by Kailash12, 10-16-2013, 01:48 AM
The best practice: [1] Change default SSH port [2] Disable password authentication or at least disable direct root login [3] Restrict SSH service to your local IP addresses only

Posted by A1dedicatedservers, 10-16-2013, 07:07 PM
+1 for CSF. Highly recommended. This will solve 80% of your server's problems and attacks.

Posted by iexo, 10-16-2013, 07:18 PM
Agreed. My Blackberry inbox is nearly 90% ban logs from our servers, then it's the job of my abuse tech to go through these and report them all. Of course you aren't forced to report but how I see it, it could stop them coming back. I do like to read the logs though to see where they're coming from. I see lots of China and Russia for sure!

Posted by Lee-RackSRV, 10-17-2013, 08:28 AM
This^, every time :-)!

Posted by cloudrck, 10-17-2013, 11:25 PM
I would do away with passwords and just use keys. You essentially want to make it take ages to brute force your server. Use something like fail2ban to deal with the source IP addresses of such attacks.

Posted by UltratechHostSales, 10-18-2013, 09:52 AM
Also, you need to have a strong password, not a dictionary or any simple password. The password must be at least 8-12 characters with uppercase, lowercase, special characters and numbers.

Posted by Buycpanel-Kevin, 10-18-2013, 07:56 PM
You could try generating SSH keys for login.

Posted by brianoz, 10-18-2013, 10:37 PM
You're complaining about ssh log entries for brute force and you're running your sshd on port 22? That's part of life, it's automated, continual, and will probably only get worse over time. Sounds like Netscreen is doing its job. You can install an additional layer of protection in CSF/LFD (www.configserver.com) as discussed, and you might also look at getting them to harden your server at the same time. prices a little, but your server will never get hacked. However, you should look at changing your ssh port from 22 to something else (large number, e.g. 44022 etc.) which will reduce this confusing log noise. The change doesn't make your server more secure, but it stops the random attacks and who knows, may save you in the future (it did save some people when the libkeyutil hack was out). Sometimes these little layers of security (small changes) can have a good cumulative effect.

Posted by bizness, 10-19-2013, 01:54 AM
fail2ban is easy to configure and customize for more than just ssh brute.
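
Added example (not part of the thread and not fail2ban's own code): a minimal version of the log-scanning logic several posts attribute to fail2ban and LFD, counting failed SSH password attempts per source IP inside a sliding time window. The names `maxretry` and `findtime` mirror fail2ban's options; the function name, the log lines and the documentation-range IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches OpenSSH failed-password lines as written to auth.log / secure.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def find_offenders(lines, maxretry=5, findtime=600, year=2013):
    """Return {ip: time of the failure that crossed the threshold}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> failure timestamps inside the window
    banned = {}
    for line in lines:
        m = FAILED.match(line)
        if not m or m["ip"] in banned:
            continue              # not a failure line, or IP already flagged
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits = recent[m["ip"]]
        hits.append(ts)
        while hits and ts - hits[0] > window:
            hits.popleft()        # forget failures older than findtime
        if len(hits) >= maxretry:
            banned[m["ip"]] = ts
    return banned

# Constructed sample: one fast scanner, one slow guesser, one good login.
SAMPLE_LOG = """\
Oct 10 05:30:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Oct 10 05:30:03 host sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Oct 10 05:30:05 host sshd[2105]: Failed password for root from 203.0.113.7 port 40141 ssh2
Oct 10 05:30:06 host sshd[2106]: Accepted publickey for deploy from 192.0.2.10 port 51514 ssh2
Oct 10 05:31:00 host sshd[2110]: Failed password for deploy from 198.51.100.23 port 50022 ssh2
Oct 10 05:45:00 host sshd[2120]: Failed password for deploy from 198.51.100.23 port 50031 ssh2
Oct 10 06:00:00 host sshd[2130]: Failed password for deploy from 198.51.100.23 port 50044 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG, maxretry=3).items():
        print(f"would ban {ip} (threshold crossed at {when})")
```

With a 10-minute window only the fast scanner is flagged; the source that spaces its guesses about 15 minutes apart stays under the threshold until `findtime` is widened, which is why the window length matters as much as the retry count.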


