Security: SSHD Brute Force Attacks On The Rise

You've read the thread in various blogs where yet another smug Unix/Linux/Mac gearhead refuses to admit they have any security issues.  And then the obligatory blog comments flame war ensues.

If you've run any *ix box with sshd Secure Shell service running that takes full exposure to the Internet, say open with the default port 22, and have looked at your /var/log/messages (or wherever your distro stores sshd messages) file, you know that it has become a 'free-for-all'.

Every day, brute force dictionary-based attacks are run from points far and wide across the globe.  Some areas score a higher frequency than others.  China and South Korea are the leaders and the attacks often come overnight.  Here's what a typical brute-force sshd attack looks like as recorded in the log:




Things you can do to harden your system:

• Edit your /etc/ssh/sshd_config and set "PermitRootLogin no" "Protocol 2"
  
• Use passwordless Public Key Authentication, with "UsePAM no" in sshd_config.
• Make system login ids and passwords as strong as possible
• Install brute force detection software, such as DenyHosts or fail2ban
• Move ssh from port 22 to a port above 1024
• Set up a Firewall rule to 'rate limit' sshd

You should strongly consider using the passwordless Public Key method.  Setting "UsePAM no" will turn off PAM authentication so that remote connect attempts won't prompt for a login/password.  But, there may be times when remote access makes Public Key access impractical.  So, in that situation you'll want to use a "UsePAM yes" setting.

As I've said, port 22 takes a lot of hacking every day, so I've installed DenyHosts.

When the hack involves a fixed ip source, DenyHosts will add the offending ip to /etc/hosts.deny after the fifth failed login attempt.  Denyhosts works by scanning the /var/log/messages file.

When the hack involves a variable (forged) ip, and the scan is done in such a way that each successive login attempt comes from a 'bogus' source ip, these brute force attempts 'fly below the radar' so to speak of DenyHosts.

Moving the port 22 to another one above 1024 can reduce the brute force attempts but is not a guarantee they won't occur. 

You should be able to filter these sshd attacks and you can by adding two rules to your server's Firewall.  In openSUSE 11.0 you can add custom iptable rules to /etc/sysconfig/scripts/SuSEfirewall2-custom.  Putting the rules there will ensure that they will get applied any time you ifup/ifdown your eth0 interface or restart the Firewall or server.

These two lines have eliminated brute force attacks for the most part:



The two directives 'rate limit' ssh connection attempts to a maximum of 8 within a one minute time frame.

For those offenders who should be 'banned' from your system, add the file /etc/badips and this script to the SuSEfirewall-custom as well:

### BEGIN BAD IPS
if [ -f /etc/badips ]
then
  for BAD_IP in `cat /etc/badips`
    do
      iptables -I INPUT -s $BAD_IP -j DROP
      echo 'ip '$BAD_IP' banned'
      echo
    done
else
  echo "Can't read /var/badips"
fi
### END BAD IPS

Should you need to ban an ip, add each to /etc/badips on a separate line--restart the Firewall and they're history.

A directive from the root prompt of "iptables -L | more" will confirm your firewall settings.
A directive of "/sbin/SuSEfirewall2 status | more" will show you in summary form the iptable activity.

There are other security measures you can put into place such as Tarpit, but the above recommendations should put the sshd hackers out of business.

Thanks and Be Safe!
--Dietrich