SSH Protection

Hi.
I set up a server with Apache and SSH a few days ago and since then I've seen some attacks on my server, mostly with a dictionary, kind of trying to guess what my user and password are. Fortunately none of them is my user; I don't think it will be that easy (but not impossible) to guess my password since it has some security, you know, numbers, uppercase, lowercase and stuff like that. My question is, when the attack starts, can anyone tell me please how to stop it? Or some advice about security for my server?

I hope everyone has a nice afternoon, thanks
 
You can try any one of the following:

  1. Firewall ssh and allow access from your own static IP only.
  2. Use the pf firewall to limit connections per second. See this example - http://keith.dev-x.net/2008/01/25/EnableAutomaticDefenceAganistSSHAttacksOnFreeBSDUsingPF.aspx
  3. Run the ssh server on a different port such as 322
  4. Turn off password-based authentication and only use ssh public-key-based authentication
  5. Install denyhosts http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/denyhosts/ to drop attacking IPs.
  6. Disable root login.
 
I use sshguard which can use a variety of firewalls to block bruteforce attacks. Works like a charm.
 
Hey!
I'm new around this forum and already got some good info!!!
Thanks guys, I knew moving from Linux to FreeBSD wasn't a bad idea!
I will be around and I will help this community...
 
SirDice said:
I use sshguard which can use a variety of firewalls to block bruteforce attacks. Works like a charm.

I've increased the time an IP is kept in the sshguard table to 24 hours (-p 86400), so my daily security emails are shorter now :)

PS: I don't like to use services on non-standard ports, as I tend to forget the port ^^
 
jalvaradog said:
I set up a server with apache and ssh a few days ago and since then i've seen some attacks to my server, mostly with a dictionary, kind of trying to guess which is my user and password

If you have a limited number of users, or it's only you, use public key rather than password auth and don't worry about the dictionary attacks.

If for some reason you need to keep password auth available, then consider using a firewall - pf - to limit what dictionary attackers can do. Here's a snippet from my pf configuration:

Code:
# view the table with "sudo pfctl -t ssh-offenders -T show"
table <ssh-offenders> persist 
# offenders lose ssh and get nothing else either - nada
block drop in quick from <ssh-offenders> to any
pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 50, max-src-conn-rate 4/10, overload <ssh-offenders> flush)

You'll start to see addresses show up in the table soon enough. What the rule does is add any IP which attempts to make an ssh connection 4 times in 10 seconds to the table ssh-offenders.

Want to see where they are coming from? Install GeoIP from /usr/ports/net/GeoIP, run `sudo geoipupdate.sh` to get the latest table installed, and then execute:

Code:
for ip in $(sudo pfctl -t ssh-offenders -T show); do printf '%-15s %s\n' "$ip" "$(geoiplookup "$ip" | sed 's/GeoIP Country Edition: //')"; done | sort -b -k 2

You'll get output like the following (a real example of who has been attacking one of my servers just commissioned over the past few days):

Code:
201.48.0.117    BR, Brazil
117.32.129.38   CN, China
121.15.207.100  CN, China
123.233.245.226 CN, China
218.22.25.10    CN, China
219.134.242.67  CN, China
219.237.242.165 CN, China
221.122.102.17  CN, China
88.208.119.124  CZ, Czech Republic
217.219.67.86   IR, Iran, Islamic Republic of
194.177.97.103  IT, Italy
202.79.25.251   KH, Cambodia
93.95.65.44     MK, Macedonia
89.238.221.138  RO, Romania
140.113.217.150 TW, Taiwan
173.45.76.212   US, United States
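The overload rule above adds a source to the table when it opens 4 connections in 10 seconds. As an added example (not from the post, and not pf's own code), this shell script re-creates that sliding-window count in userland over constructed sshd auth.log lines, so the 4/10 semantics can be checked against a real log before trusting the rule; the hostname, usernames and addresses are made up, and it counts sshd log events per IP rather than TCP SYNs.

```shell
#!/bin/sh
# Userland re-creation of pf's "max-src-conn-rate 4/10" test, applied to
# sshd syslog lines instead of TCP SYNs: a source IP is flagged once it
# produces LIMIT events inside any sliding WINDOW-second interval.
LIMIT=4
WINDOW=10

# Constructed sample auth.log lines (hostname, users and addresses are made up).
sample_log() {
cat <<'EOF'
Jan 25 10:00:01 bsd sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Jan 25 10:00:03 bsd sshd[2002]: Failed password for invalid user oracle from 203.0.113.5 port 40002 ssh2
Jan 25 10:00:05 bsd sshd[2003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jan 25 10:00:08 bsd sshd[2004]: Failed password for invalid user test from 203.0.113.5 port 40004 ssh2
Jan 25 10:01:00 bsd sshd[2005]: Failed password for jalvaradog from 198.51.100.7 port 50001 ssh2
Jan 25 10:01:20 bsd sshd[2006]: Failed password for jalvaradog from 198.51.100.7 port 50002 ssh2
Jan 25 10:01:40 bsd sshd[2007]: Failed password for jalvaradog from 198.51.100.7 port 50003 ssh2
Jan 25 10:02:00 bsd sshd[2008]: Accepted publickey for jalvaradog from 198.51.100.7 port 50004 ssh2
EOF
}

# Read sshd lines on stdin; print each offending IP once, in order of detection.
# Timestamps are reduced to seconds since midnight, so all lines are assumed to
# fall on the same day (good enough for one day's log).
ssh_offenders() {
    awk -v limit="$LIMIT" -v window="$WINDOW" '
    /sshd\[[0-9]+\]:/ && match($0, / from [0-9.]+ port /) {
        ip  = substr($0, RSTART + 6, RLENGTH - 12)   # strip " from " and " port "
        split($3, t, ":")
        now = t[1] * 3600 + t[2] * 60 + t[3]
        n[ip]++
        ts[ip, n[ip]] = now
        # walk back through this IP history while still inside the window
        hits = 0
        for (i = n[ip]; i >= 1 && ts[ip, i] > now - window; i--) hits++
        if (hits >= limit && !(ip in flagged)) { flagged[ip] = 1; print ip }
    }'
}

# Each printed IP is what the pf rule would have added to <ssh-offenders>;
# the slow guesser at 198.51.100.7 (one try every 20 s) stays under the rate.
sample_log | ssh_offenders
```

Run it against the real log with `ssh_offenders < /var/log/auth.log` to compare what the rule would catch with what sshd actually saw.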
 
Thanks to everyone

Hi...
Thanks everybody, I fixed the problem using pf just a couple of weeks ago, sorry I didn't reply, it's just the time at my work... you must know
 