Block SSH Brute Force Attacks

By | 2015/02/17

I already advised in one of my previous posts [1] to disable the root log-in on your Linux host. Nevertheless, sometimes somebody will try to attack you with an SSH brute force attack. For those who are not familiar with brute force attacks: these are attacks where all possible passwords are tested [2]. Starting from single-digit passwords and going up to an undefined length, you can imagine how many possibilities have to be tried. Hence the name brute force – and you can imagine that this consumes network bandwidth on one side, but also processor load on your host.

So, as suggested in [1], set the root password according to modern standards and definitely turn off your SSH root log-in. Nevertheless, at a certain point somebody will try to perform an SSH brute force attack.

A clear indication of an SSH brute force attack is finding something like this in your /var/log/auth.log:

Feb 17 05:57:26 lvps5-35-244-75 CRON[30441]: pam_unix(cron:session): session closed for user root
Feb 17 05:58:12 lvps5-35-244-75 sshd[17899]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.239.228.15 user=root
Feb 17 05:58:14 lvps5-35-244-75 sshd[17899]: Failed password for root from 115.239.228.15 port 39623 ssh2
Feb 17 05:58:19 lvps5-35-244-75 last message repeated 2 times
Feb 17 05:58:21 lvps5-35-244-75 sshd[17899]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.239.228.15 user=root
Feb 17 05:58:33 lvps5-35-244-75 sshd[17901]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.239.228.15 user=root
Feb 17 05:58:35 lvps5-35-244-75 sshd[17901]: Failed password for root from 115.239.228.15 port 40071 ssh2
Feb 17 05:58:41 lvps5-35-244-75 last message repeated 2 times
Feb 17 05:58:43 lvps5-35-244-75 sshd[17901]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.239.228.15 user=root
Feb 17 05:58:45 lvps5-35-244-75 sshd[17906]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.239.228.15 user=root
Feb 17 05:58:47 lvps5-35-244-75 sshd[17906]: Failed password for root from 115.239.228.15 port 52315 ssh2
Feb 17 05:58:56 lvps5-35-244-75 last message repeated 2 times
Feb 17 05:58:58 lvps5-35-244-75 sshd[17906]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.239.228.15 user=root
Feb 17 05:59:01 lvps5-35-244-75 CRON[17913]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 17 05:59:01 lvps5-35-244-75 CRON[17913]: pam_unix(cron:session): session closed for user root
Feb 17 05:59:02 lvps5-35-244-75 sshd[17911]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.239.228.15 user=root
Feb 17 05:59:04 lvps5-35-244-75 sshd[17911]: Failed password for root from 115.239.228.15 port 42931 ssh2
Feb 17 05:59:09 lvps5-35-244-75 last message repeated 2 times
Feb 17 05:59:11 lvps5-35-244-75 sshd[17911]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.239.228.15 user=root
Feb 17 05:59:21 lvps5-35-244-75 sshd[17916]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.239.228.15 user=root
Feb 17 05:59:23 lvps5-35-244-75 sshd[17916]: Failed password for root from 115.239.228.15 port 42738 ssh2 

So, what to do? Panic? No!

The solution is easy-cheesy: use iptables to slow down the flow of requests. The idea is to drop any new SSH connection from a single source that is trying to attempt 4 times in a minute. This can be done with the following two commands:

# Record every new connection to port 22 in the "recent" list, keyed by source address
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
# Inserted second with -I, so this rule sits above the --set rule and is checked first:
# drop a new connection whose source has accumulated 4 hits in the list within the last 60 seconds
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
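As an added example (not part of the original post), the same 4-per-minute threshold applied to the log instead of to the packet filter: a small Python detector that counts new sshd connections per source in a sliding 60-second window over the constructed sample below, so you can confirm from /var/log/auth.log which sources cross the same threshold. It counts connections (one per sshd PID), as the iptables rule does, rather than individual password failures; the year is assumed because syslog does not record it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: the "Failed password" lines from the auth.log excerpt above,
# plus one unrelated failure from another host so that only the noisy source is flagged.
SAMPLE_LOG = """\
Feb 17 05:58:14 lvps5-35-244-75 sshd[17899]: Failed password for root from 115.239.228.15 port 39623 ssh2
Feb 17 05:58:19 lvps5-35-244-75 last message repeated 2 times
Feb 17 05:58:35 lvps5-35-244-75 sshd[17901]: Failed password for root from 115.239.228.15 port 40071 ssh2
Feb 17 05:58:47 lvps5-35-244-75 sshd[17906]: Failed password for root from 115.239.228.15 port 52315 ssh2
Feb 17 05:59:04 lvps5-35-244-75 sshd[17911]: Failed password for root from 115.239.228.15 port 42931 ssh2
Feb 17 05:59:23 lvps5-35-244-75 sshd[17916]: Failed password for root from 115.239.228.15 port 42738 ssh2
Feb 17 06:05:00 lvps5-35-244-75 sshd[18020]: Failed password for invalid user admin from 10.0.0.7 port 50001 ssh2
"""

# One sshd[PID] serves one TCP connection; the iptables rule counts connections,
# so repeated password failures inside the same PID must not be counted twice.
FAILED_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: Failed password for "
    r"(?:invalid user )?\S+ from (\S+) port \d+"
)

def failed_connections(lines, year=2015):
    """Yield (timestamp, source_ip) once per sshd connection that logged a failed
    password. Syslog timestamps carry no year, so one is assumed for parsing."""
    seen_pids = set()
    for line in lines:
        m = FAILED_RE.match(line)
        if not m or m.group(2) in seen_pids:
            continue  # not a failure line, or a repeat within the same connection
        seen_pids.add(m.group(2))
        yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(3)

def brute_force_sources(lines, seconds=60, hitcount=4, year=2015):
    """Sliding-window version of the post's threshold: flag a source once it has
    made `hitcount` failed connections within `seconds`. Returns {ip: first hit}."""
    window = defaultdict(deque)
    flagged = {}
    for ts, ip in failed_connections(lines, year):
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > seconds:  # expire attempts older than the window
            q.popleft()
        if len(q) >= hitcount and ip not in flagged:
            flagged[ip] = ts
    return flagged
```

Running `brute_force_sources(SAMPLE_LOG.splitlines())` flags 115.239.228.15 at 05:59:04, the fourth new connection within one minute, while the single failure from 10.0.0.7 stays below the threshold.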

If you watch your /var/log/auth.log, you will notice that the number of connection attempts decreases. So it is time to relax and have a cup of tea.

Please note that these rules are only active until your next reboot. Actually, I prefer to test the rules first before applying them permanently. If you are sure and would like to apply them permanently, please follow the official Ubuntu Howto [3].

Have a safe day!


[1] jvr.at, Basic Security for Linux hosts

[2] Wikipedia, Brute Force Attack

[3] Ubuntu.com, iptables Howto
