Secure SSH against brute force

-
I have certain measures to secure SSH against Brute force attack (what is Brute force click h3r3 ?)

I'm writing this post to reply a question on Shorewall mailing list, and I got the idea that it may be relevant to many others of us.

I recommend doing the following but please remember it is all relative measure on how you want to do it !
0) Disable root login and use "sudo" or "su"
1) Options like these help (in /etc/sshd_config):
MaxAuthTries 4
MaxStartups 1:3:6

2) Disable password authentication in ssh and enable Certificate based authentication.
3) BlockHosts

BlockHosts, is a script written in Python, is easier to set up, maintain, and configure. The idea behind BlockHosts is to continuously scan a syslog file for SSHD failed login attempts, and add the IP addresses listed there (after a predetermined number of attempts have been exceeded) to the system's /etc/hosts.deny file -- a different approach from that of Daemon Shield, which uses iptables to block connection attempts.

After installing the software, run the included setup script (as described in the INSTALL file). The setup script copies and installs all of the necessary BlockHosts files to their proper locations:

python setup.py install -force

Once you have the BlockHosts script installed, begin configuration by editing the /etc/blockhosts.cfg file. BlockHosts comes with a default configuration file with all options commented out. Edit this file and uncomment each line suitable for your installation. All of the options are well-documented in the comments, and can be uncommented by removing the "#" at the beginning of each line.

Once your configuration file is ready, the next step is to prepare the /etc/hosts.deny (or /etc/hosts.allow, depending on your installation) for BlockHosts by copying the following lines (in their entirety) to your hosts.{deny|allow} file:

#---- BlockHosts Additions
#---- BlockHosts Additions
sshd:ALL:spawn (/usr/bin/blockhosts.py --verbose >> /var/log/blockhosts.log 2>&1 )&:allow
proftpd:ALL: spawn (/usr/bin/blockhosts.py --verbose >> /var/log/blockhosts.log 2>&1 )&:allow

These instructions tell the system to automatically run (spawn) the BlockHosts script (/usr/bin/blockhosts.py) each time a user attempts to connect to your system via either SSH or ProFTP. The script will then determine if the connecting host should be allowed access or be blocked.

Once you have completed these steps, can begin watching for dictionary attacks. Each blocked address will be added to your hosts.{deny|allow} file and prevented from accessing your machine for the specified length of time (specified by AGE_THRESHOLD in the /etc/blockhosts.cfg file).

4) sshdfilter

sshdfilter, which blocks dictionary attackers using iptables, and is very efficient in how it detects them. The sshdfilter script starts the SSHD service itself, and instructs SSHD to output all log details to stdout (which is then captured by sshdfilter). In this way, the script can detect attacks as they happen, in real time, and significantly reduces the overhead involved in searching for offenders.

Unfortunately, the sshdfilter script is more complex to set up and install than the Daemon Shield software, partly because the author has made distribution-specific installation files that failed for my (non-included) Mandriva system. Out-of-the-box configurations include Red Hat 7.3 and 9.0, Fedora Core 3, and Debian 3.1. Details exist for users who want to attempt an install on an unsupported system, though they appear to be highly platform-specific.

Employing the basic practices and scripts above, you can harden your Linux machine against many of the dictionary SSH attacks that plague Linux systems today. Keeping your system's software up to date goes a long way toward protecting yourself against many common security vulnerabilities that automated scripts attempt to take advantage of. Don't let your system be the jumping-off point for spam, additional system attacks, or even blackmail -- protect yourself with these practices today.

Comments

Samer Azmy said…
I have been through this as well
fail2ban, it works nice
http://www.fail2ban.org/wiki/index.php/Main_Page
18 October 2007 at 10:43
Post a Comment

Popular posts from this blog

Access Pay sites without payment or authentication

-
Guys, This is to Access pay/registration required sites for free I do not know if this will work with every site on the internet plex. but it worked on many sites for me. All what you need to do, is to make your web browser distinguish itself as Google Bot All of us have seen Google returns search results that lead to sites that require a registeration ?, How googlebot index the site without a registration ? Many sites want their site indexed in google to recieve more hits and thus, make more money with advertisment on their site. Even more interesting is the following question: How do we use this to our advantage ? It is Simple , we need to disguise ourselfs as the googlebot, many sites will let you in without authentication/registration. The parameter we have to change is called the User Agent. The user agent defines the browser and version that you use. For example it would show Internet Explorer as your browser if you are using this one. You need to alter your Browser settings to t
Read more

116 Open Source Application that you can use

-
Below is a list of Open Source application that I used/tried/researched. Please share your experience with us and add your application as well. 3D Animation Editor 1. White_Dune This 3D modeler and animation tool allows users to read, display, and perform low-level editing tasks on VRML97 files. VRML97, which stands for "Virtual Reality Modeling Language," is the current industry standard for displaying 3D animations on the Web. Operating system: Linux/Unix, OS X, Windows. Address Book 2. Rubrica Written using GNOME and GTK+, Rubrica stores contact information as XML data. It can import/export from a variety of formats, including GnomeCard, KAddressbook, Evolution, and csv file format. Operating system: Linux/Unix. Audio Tools 3. Audacity Audacity allows users to record live audio, convert tapes and records to digital formats, or mix pre-existing digital audio tracks. Supported formats include Ogg Vorbis, MP3, and WAV sound files. Operating system: Linux/
Read more

Complete HD Image Backup, Acronis Open Source alternate

-
Image
This Post to complete on Ghost Open Source alternate . It is called SNAP Backup, Snap backup makes a complete backup of your HD to a central server, it support incremental,differential. List Of Features One Click to Perform a Backup Configurable Settings Runs on Most Platforms (Including: Mac OS X, Linux, Solaris, and Windows) Supports Multiple Languages Support all Operating Systems (Linux,Windows , Mac) I may say that is is Aconis Open Source Alternate Screen Shot of the Client is below Link for SNAP Backup Utility h3r3.  .
Read more