One approach to dealing with SSH brute force attacks.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



Message-ID: <479F2A63.2070408@xxxxxxxxxx>

On: Tue, 29 Jan 2008 07:30:11 -0600, Johnny Hughes <johnny@xxxxxxxxxx>
Subject Was:  Unknown rootkit causes compromised servers

>
> SOME of the script kiddies check higher ports for SSH *_BUT_* I only see
> 4% of the brute force attempts to login on ports other than 22.
>
> I would say that dropping brute force login attempts by 96% is quite a
> good reason to move the SSH port from 22 to something else.

I am not a fan of security through obscurity.  If a port is open to the
internet then it must be secured whether it is well known or not and if it is
properly secured then changing the port number customarily assigned provides
no measurable benefit.  In my opinion, arbitrarily switching port numbers for
well known services provides only the illusion of security while often
inconveniencing the legitimate users in unpredictable, and sometimes
expensively resolved, fashions.

To deal with brute force attacks (not just on ssh) I spent some time tracking
down how others had dealt with the problem. I discovered thereby that one can
use the simple linux firewall iptables to restrict the number of connections
to a given port from a single source over a specified interval. I therefore
added these rules to my /etc/sysconfig/iptables file:

...
# This is usually present in all setups but, you never know....
# Established connections go right through.
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
...

# Block brute force attacks
# Drop repeated ssh connection attempts within 20 seconds interval
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -m recent -i eth0 --dport 22
--state NEW -j DROP  --rcheck --seconds 20 --name THROTTLE --rsource

# Accept ssh connection if not attempted within past 20 sec.
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -m recent -i eth0 --dport 22
--state NEW -j ACCEPT  --set --name THROTTLE --rsource

You can change the interval from 20 seconds to whatever you feel represents a
decent compromise between user satisfaction and security.  Many authorities
considered a value between 3 and 6 seconds sufficient to render brute force
attacks impractical.  These rules can be trivially modified to protect any
destination port (-dport 21 for ftp for instance) or protocol (-p udp).

I hope this information is of use to some of you.  I find this list and its
archives very helpful myself.

Regards,

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB@xxxxxxxxxxxxx
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos

[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux