What tool or technique do you use to prevent brute force attacks against your ssh port. I noticed in my Security logs, that I have millions of attempts to login as various users through ssh.
This is on a FreeBSD box, but I imagine it would be applicable anywhere.
I use fail2ban which will lock an IP out after several failed attempts for a configurable amount of time.
Combine this with password strength testing (using john (John the Ripper)) to ensure brute-force attacks will not succeed.
Here's a good post on that subject by Rainer Wichmann.
It explains pros and cons on theses methods to do it :
Ons small thing you can do is use something like DenyHosts:
http://denyhosts.sourceforge.net/
It uses the built-in hosts.allow/hosts.deny to block out SSH abusers.
One of the easiest ways to avoid these attacks is to change the port that sshd listens on
In addition to the other good suggestions, one really easy thing to do is rate-limit incoming connections. Limit to 3 connections per minute per IP:
iptables -A INPUT -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
As Chris points out, use encryption keys instead of passwords.
Add to that:
How many people or locations (with floating public IPs) do you really need accessing your public ssh connections ?
Depending on the number of public ssh hosts you are maintaining and whether you can narrow down your general connection criteria's then it may be a simpler, maintanable configuration to limit access to a few external hosts.
If this works for you, it can really simplify your administration overhead.
Use the "AllowUsers" option in sshd_config to ensure only a small set of users can log in at all. All others will get rejected, even if their username and password are correct.
You can even restrict users to logins from a particular host.
e.g.,
AllowUsers user1 user2@host.example.com
This will reduce the search-space and avoid those old users which have accidentally been left laying around or enabled (although these of course should be disabled anyway, this is an easy way to stop them being used for an SSH-based entry).
This doesn't entirely stop the brute-force attacks, but helps reduce the risk.
Use something like that with PF:
table <ssh-brute> persist
block in quick log from label ssh_brute
pass in on $ext_if proto tcp to ($ext_if) port ssh modulate state \
(max-src-conn-rate 3/10, overload flush global)
Further to sherbang's rate-limiting suggestion, the length of the delay is important. By increasing the delay between groups of 3 login attempts from 2 minutes to 20 minutes, the number of different IP addresses that made more than three attempts to login dropped, comparing two week-long periods on one machine of mine, from 44 attempts to 3. None of those three addresses kept trying for longer than 11 hours.
Very anecdotal, but auth.log became a whole lot more readable for me...
Port-knocking is a pretty solid way to keep this sort of thing out. Slightly fiddly, sometimes annoying, but it definitely makes the issue go away.
I just don't care about it. Let them belt away at the port, they're not going to brute-force a key.
Context is important, but I'd recommend something like so:
install OSSEC. not only it monitors for repeated logins, it will enter a temporary block with iptables for the offending ip. And at the end it will send you a report stating the details. it logs everything, which is nice. Somone once tried over 8000 login names to log in with. i parsed the logs and got a nice user list out of deal ;)
