
Securing your server from bruteforce SSH attacks

I consistently see SSH brute-force attacks on my server; they show up like the following in my /var/log/auth.log file:

Apr  9 07:34:15 wine sshd[2323]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.160.86.167  user=root
Apr  9 07:34:20 wine sshd[2325]: reverse mapping checking getaddrinfo for abts-north-static-167.86.160.122.airtelbroadband.in failed - POSSIBLE BREAK-IN ATTEMPT!
Apr  9 07:34:20 wine sshd[2325]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.160.86.167  user=root
Apr  9 11:01:34 wine sshd[2545]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=aplessis-bouchard-101-1-4-170.w193-253.abo.wanadoo.fr  user=root

Usually these aren’t a problem if you use a secure password, but there may come a day when your password fails you. If you don’t want to take that risk, create another user account with sudo/su privileges and follow the instructions below.

I’ll assume you’re using Debian. If not, you just need to find these packages for your respective distribution and install them as usual.

apt-get install denyhosts

This will install DenyHosts, a small Python program designed to monitor your auth.log file and add the IPs of suspected brute-force attackers to your /etc/hosts.deny file. You’ll want to change the following parameters in DenyHosts’ configuration file, /etc/denyhosts.conf:

PURGE_DENY = 1w
SYNC_UPLOAD = yes
SYNC_DOWNLOAD = yes
SYNC_DOWNLOAD_RESILIENCY = 2d

Once you’ve changed the previous values to match the above you need to restart DenyHosts.

/etc/init.d/denyhosts restart
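To make concrete what DenyHosts does with the auth.log lines shown above, here is an added example (my own illustration, not DenyHosts’ code): it picks out the sshd PAM "authentication failure" lines, counts failures per rhost, and emits hosts.deny-style entries. The two-threshold rule and the sample log (the page’s lines plus two constructed lines for 192.0.2.10) are assumptions chosen for illustration, not DenyHosts’ defaults.

```python
import re
from collections import Counter

# Constructed sample log: the excerpt from above plus two made-up lines for 192.0.2.10.
SAMPLE_AUTH_LOG = """\
Apr  9 07:34:15 wine sshd[2323]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.160.86.167  user=root
Apr  9 07:34:20 wine sshd[2325]: reverse mapping checking getaddrinfo for abts-north-static-167.86.160.122.airtelbroadband.in failed - POSSIBLE BREAK-IN ATTEMPT!
Apr  9 07:34:20 wine sshd[2325]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.160.86.167  user=root
Apr  9 11:01:34 wine sshd[2545]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=aplessis-bouchard-101-1-4-170.w193-253.abo.wanadoo.fr  user=root
Apr  9 11:05:00 wine sshd[2550]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=alice
Apr  9 11:05:04 wine sshd[2552]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=alice
"""

# Only sshd PAM failure lines carry rhost= and user=; a missing rhost (empty value) does not match.
FAILURE_RE = re.compile(r"sshd\[\d+\]: .*authentication failure;.*rhost=(\S+)\s+user=(\S+)")


def count_failures(log_text):
    """Return {rhost: Counter({user: failures})} built from sshd auth failures only."""
    per_host = {}
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if not m:
            continue  # reverse-mapping warnings etc. are noise, not failed logins
        rhost, user = m.groups()
        per_host.setdefault(rhost, Counter())[user] += 1
    return per_host


def hosts_to_deny(log_text, root_threshold=1, other_threshold=3):
    """Hosts that hit the root threshold or the threshold for other accounts.

    The thresholds are assumed example values: a single failed root login is
    treated as hostile, other accounts get a little slack for typos.
    """
    denied = []
    for rhost, users in count_failures(log_text).items():
        root_fails = users.get("root", 0)
        other_fails = sum(n for u, n in users.items() if u != "root")
        if root_fails >= root_threshold or other_fails >= other_threshold:
            denied.append(rhost)
    return sorted(denied)


def hosts_deny_lines(hosts):
    """Format entries the way they appear in /etc/hosts.deny: 'sshd: <host>'."""
    return ["sshd: %s" % h for h in hosts]


if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(hosts_to_deny(SAMPLE_AUTH_LOG))))
```

Run against the sample, the two root-targeting hosts are listed and 192.0.2.10 is not, because its two failures for alice stay under the assumed threshold.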

Now change the entry in /etc/ssh/sshd_config to match the below:

PermitRootLogin no

Then restart the SSH daemon:

/etc/init.d/ssh restart

Your server should be safe from the majority of brute-force attacks now. If you want to take this even further, look into public key authentication, which lets you forgo passwords completely on your machine and rely on trusted certificates.