Protecting OpenSSH

From Gentoo Linux Wiki


There are several methods of protecting OpenSSH from different kinds of attacks. This article outlines them.


Automatic blocking of brute-force attempts

Swatch

Swatch is a Perl-based system log watcher.

DenyHosts

DenyHosts is a Python script that analyzes the OpenSSH server log to determine whether hosts are attempting to break into your system. DenyHosts also determines which user accounts are being targeted and keeps track of the frequency of attempts from each host.
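The log analysis described above, as an added illustration that is not DenyHosts' own code: it parses sshd "Failed password" lines, counts failures per source host and per targeted account, and emits hosts.deny entries for hosts over a threshold. The log lines are constructed sample data; the threshold of 3 is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd log lines (not from a real system); the format
# follows what OpenSSH writes to the auth log via syslog.
SAMPLE_LOG = """\
Mar  3 10:01:12 host sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar  3 10:01:15 host sshd[2103]: Failed password for invalid user oracle from 198.51.100.7 port 40130 ssh2
Mar  3 10:01:19 host sshd[2105]: Failed password for root from 198.51.100.7 port 40141 ssh2
Mar  3 10:01:24 host sshd[2107]: Failed password for root from 198.51.100.7 port 40150 ssh2
Mar  3 10:02:02 host sshd[2110]: Failed password for alice from 203.0.113.9 port 51002 ssh2
Mar  3 10:02:30 host sshd[2112]: Accepted publickey for alice from 203.0.113.9 port 51010 ssh2
"""

# Matches both "Failed password for USER from IP" and
# "Failed password for invalid user USER from IP".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9.]+) port \d+"
)


def count_failures(log_text):
    """Return ({ip: failure_count}, {ip: Counter(user)}) from sshd log text."""
    per_host = Counter()
    users_per_host = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        per_host[m["ip"]] += 1
        users_per_host[m["ip"]][m["user"]] += 1
    return per_host, users_per_host


def hosts_to_deny(log_text, threshold=3):
    """Hosts with at least `threshold` failures, in /etc/hosts.deny syntax."""
    per_host, _ = count_failures(log_text)
    return ["sshd: %s" % ip for ip, n in sorted(per_host.items()) if n >= threshold]


if __name__ == "__main__":
    per_host, users = count_failures(SAMPLE_LOG)
    for ip, n in per_host.most_common():
        print("%s: %d failures, targeted users: %s" % (ip, n, dict(users[ip])))
    print("\n".join(hosts_to_deny(SAMPLE_LOG)))
```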

iptables

You can use iptables to make sure the right ports are accessible to the right people at the right time. It is very flexible.

sshdfilter

sshdfilter executes SSHd itself, so blocks can be initiated instantly (the program constantly monitors the log messages produced by SSHd). It also logs all attempts, and a supplied Logwatch script can give you periodic summaries. If it discovers an attack attempt (by default, one attempt to log on with an invalid username, or three attempts to log on with a valid username), it creates an iptables rule that blocks the attacker's IP address from connecting to the SSHd port.

fail2ban

Fail2ban scans log files, like /var/log/pwdfail or /var/log/apache/error_log, and blocks incoming connections from IP addresses that cause too many authentication failures. It updates firewall rules or hosts.deny to do so.

Other Methods

Use Public Key Authentication

Public key authentication is practically impossible to brute-force in any reasonable amount of time. Using public key authentication and disabling normal password authentication can significantly increase security. More information about setting up public key authentication can be found here.

Changing the listen port

By default OpenSSH listens on port 22. Many automated attack tools will only try connecting to this port. You can change the listen port by using the "Port" directive in /etc/ssh/sshd_config. The disadvantage of this is that you will have to specify the port number every time you want to connect. Also note that many attack tools will scan the entire port range (and will therefore find your server), so this method is of limited use, and is normally best combined with other methods.

Port Knocking

Port Knocking prevents anyone from connecting to the server unless they know the right knock. This works by setting your firewall to deny all connections to the OpenSSH port (normally 22) by default. Then, when somebody makes the right "knock", the firewall is automatically configured to allow them to connect (note that they still need the correct authentication details to be able to log in).

Rate Limit New Connections

You can use the following iptables rules to reject more than a certain number of new connections per minute from one source address. This won't prevent brute force attacks, but it can slow them down. The first rule records the source address of every new connection to port 22 in the "recent" list; the second rejects a new connection when that address has already been seen twice (--hitcount 2) within the last 60 seconds.

# Record the source address of each new SSH connection.
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
# Reject further new connections from an address seen 2 or more times in 60 seconds.
# Note: this rule must match NEW packets; matching ESTABLISHED here (as the original
# text did) would instead reset already-accepted sessions.
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 -j REJECT --reject-with tcp-reset

Turn on the SSH Daemon from PHP

You can disable SSH by default (not even having the SSH server running) and enable it on demand via a web interface (for example, a PHP page).
