Securing your server from bruteforce SSH attacks
I consistently see SSH brute-force attacks on my server, which show up like the following in my /var/log/auth.log file:
Apr 9 07:34:15 wine sshd[2323]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.160.86.167 user=root
Apr 9 07:34:20 wine sshd[2325]: reverse mapping checking getaddrinfo for abts-north-static-167.86.160.122.airtelbroadband.in failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 9 07:34:20 wine sshd[2325]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.160.86.167 user=root
Apr 9 11:01:34 wine sshd[2545]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=aplessis-bouchard-101-1-4-170.w193-253.abo.wanadoo.fr user=root
Usually these aren’t a problem if you use a secure password, but there may come that day when your password fails you. So if you don’t want to take this risk, create another user account with sudo/su privileges and follow the instructions below.
I’ll assume you’re using Debian. If not, then you just need to find these packages for your respective distribution and install them as usual.
apt-get install denyhosts
This will install DenyHosts, a small Python program designed to monitor your auth.log files and add suspected brute-force IPs to your /etc/hosts.deny file. You’ll want to change the following parameters in the DenyHosts configuration file, /etc/denyhosts.conf:
PURGE_DENY = 1w
SYNC_UPLOAD = yes
SYNC_DOWNLOAD = yes
SYNC_DOWNLOAD_RESILIENCY = 2d
Once you’ve changed the previous values to match the above you need to restart DenyHosts.
/etc/init.d/denyhosts restart
Now change the entries in /etc/ssh/sshd_config to match the following:
PermitRootLogin no
Then restart the SSH daemon:
/etc/init.d/ssh restart
Your server should be safe from the majority of brute-force attacks now. If you want to take this even further, try looking into public key authentication, which offers the ability to forgo passwords completely on your machine and rely on trusted certificates.
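To show how auth.log lines like the ones at the top of this post turn into /etc/hosts.deny entries, here is an added Python example; it is not part of the original post and not DenyHosts' own code. The log sample is constructed, and the function names and the thresholds (3 failures per host, 1 for root attempts) are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Constructed auth.log sample in the pam_unix format quoted in the post.
# Addresses come from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Apr  9 07:34:15 wine sshd[2323]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root
Apr  9 07:34:20 wine sshd[2325]: reverse mapping checking getaddrinfo for host.example.net failed - POSSIBLE BREAK-IN ATTEMPT!
Apr  9 07:34:20 wine sshd[2325]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root
Apr  9 08:02:11 wine sshd[2401]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=alice
Apr  9 08:02:40 wine sshd[2401]: Accepted password for alice from 198.51.100.7 port 50022 ssh2
Apr  9 09:10:01 wine sshd[2450]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5
Apr  9 09:10:05 wine sshd[2452]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5
Apr  9 09:10:09 wine sshd[2454]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5
"""

# rhost= is always present on these lines; user= is missing when the account
# name does not exist on the server, so that group is optional.
FAILURE_RE = re.compile(
    r"sshd\[\d+\]: \(pam_unix\) authentication failure;.*?\brhost=(\S+)(?:\s+user=(\S+))?")

def count_failures(log_text):
    """Return (failures per remote host, set of hosts that tried root)."""
    per_host, root_hosts = Counter(), set()
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if not m:
            continue  # successful logins and reverse-mapping warnings are skipped
        host, user = m.groups()
        per_host[host] += 1
        if user == "root":
            root_hosts.add(host)
    return per_host, root_hosts

def hosts_to_deny(log_text, threshold=3, root_threshold=1):
    """Hosts at or over the limit; root attempts get the stricter limit (assumed values)."""
    per_host, root_hosts = count_failures(log_text)
    return sorted(h for h, n in per_host.items()
                  if n >= (root_threshold if h in root_hosts else threshold))

def hosts_deny_lines(hosts):
    """Format hosts as TCP wrappers entries for /etc/hosts.deny."""
    return [f"sshd: {h}" for h in hosts]

if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(hosts_to_deny(SAMPLE_LOG))))
```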



