Recent Changes - Search:




Preventing Brute Force SSH Attacks

If you will always be connecting to your server from the same IP address, you can firewall off port 22 to everything EXCEPT your own IP address.

iptables -A INPUT -p tcp -d 0/0 -s your-ip-address --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -d 0/0 --dport 22 -j DROP

Then run 'iptables-save'

Hide from automated attackers.

To configure this, just change the Port line in /etc/ssh/sshd_config and restart ssh

Port 23022

In /etc/ssh/sshd_config, you can specify a list of allowed users like this:

AllowUsers itm admin [email protected] [email protected]

This will allow users 'itm' and 'admin' to log in from anywhere, and root is only allowed to log in from those two IP addresses.

Use tools like DenyHosts or Fail2ban

Use 'hashlimit' in 'iptables:

iptables -I INPUT -m hashlimit -m tcp -p tcp --dport 23032 --hashlimit 1/min --hashlimit-mode srcip --hashlimit-name ssh -m state --state NEW -j ACCEPT

This rule limits one connection to the SSH port from one IP address per minute.

root@server3:~# iptables -m hashlimit -help
iptables v1.4.10

Usage: iptables -[AD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Either long or short options are allowed.
  --append  -A chain		Append to chain
  --delete  -D chain		Delete matching rule from chain
  --delete  -D chain rulenum
				Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]
				Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
				Replace rule rulenum (1 = first) in chain
  --list    -L [chain [rulenum]]
				List the rules in a chain or all chains
  --list-rules -S [chain [rulenum]]
				Print the rules in a chain or all chains
  --flush   -F [chain]		Delete all rules in  chain or all chains
  --zero    -Z [chain [rulenum]]
				Zero counters in chain or all chains
  --new     -N chain		Create a new user-defined chain
            -X [chain]		Delete a user-defined chain
  --policy  -P chain target
				Change policy on chain to target
            -E old-chain new-chain
				Change chain name, (moving any references)
[!] --proto	-p proto	protocol: by number or name, eg. `tcp'
[!] --source	-s address[/mask][...]
				source specification
[!] --destination -d address[/mask][...]
				destination specification
[!] --in-interface -i input name[+]
				network interface name ([+] for wildcard)
 --jump	-j target
				target for rule (may load target extension)
  --goto      -g chain
                              jump to chain with no return
  --match	-m match
				extended match (may load extension)
  --numeric	-n		numeric output of addresses and ports
[!] --out-interface -o output name[+]
				network interface name ([+] for wildcard)
  --table	-t table	table to manipulate (default: `filter')
  --verbose	-v		verbose mode
  --line-numbers		print line numbers when listing
  --exact	-x		expand numbers (display exact values)
[!] --fragment	-f		match second or further fragments only
  --modprobe=<command>		try to insert modules using this command
  --set-counters PKTS BYTES	set the counter during insert/append
[!] --version	-V		print package version.

''hashlimit match options'':
  --hashlimit-upto <avg>           max average match rate
                                   [Packets per second unless followed by 
                                   /sec /minute /hour /day postfixes]
  --hashlimit-above <avg>          min average match rate
  --hashlimit-mode <mode>          mode is a comma-separated list of
                                   dstip,srcip,dstport,srcport (or none)
  --hashlimit-srcmask <length>     source address grouping prefix length
  --hashlimit-dstmask <length>     destination address grouping prefix length
  --hashlimit-name <name>          name for /proc/net/ipt_hashlimit
  --hashlimit-burst <num>	    number to match in a burst, default 5
  --hashlimit-htable-size <num>    number of hashtable buckets
  --hashlimit-htable-max <num>     number of hashtable entries
  --hashlimit-htable-gcinterval    interval between garbage collection runs
  --hashlimit-htable-expire        after which time are idle entries expired?


Edit - History - Print - Recent Changes - Search
Page last modified on November 01, 2011, at 07:02 AM