Preventing a Large Number of Failed Login Attempts from FAKE SPOOFED IPs?

Solution 1:

You can try to use the program Fail2Ban https://www.fail2ban.org/wiki/index.php/Main_Page

That will automatically block the source IP of failed login attempts.

It works quite well, and you have a lot of options to configure it too, like how many attempts before getting banned or how long the ban lasts.

But you should consider whether you really want to have SSH open to the whole world. So if your machine is connected to the Internet directly, I would recommend using a firewall with everything blocked by default, and opening SSH only from the IP you need.
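What Fail2Ban does for the sshd jail, as an added example that is not part of the answer above or of the Fail2Ban project: a jail.local with the settings the answer mentions (maxretry, bantime, plus findtime and ignoreip), and the same counting logic run over a few constructed auth.log lines. The log lines and the 203.0.113.x / 198.51.100.x addresses are made up for the example. One point worth seeing in the code: sshd only logs "Failed password for ... from X" after a completed TCP handshake, so X is the real peer (or a proxy), not a spoofed source address, and banning it is effective.

```shell
#!/bin/sh
# Added example, not from the original answer or from Fail2Ban itself:
# a jail.local for the sshd jail and the detection logic it applies,
# reduced to a few shell functions so it can be read and tested offline.

# Equivalent of /etc/fail2ban/jail.local (real Fail2Ban keys).
jail_local_example() {
    cat <<'EOF'
[DEFAULT]
# never ban these sources (your own admin host goes here); overrides everything
ignoreip = 127.0.0.1/8 198.51.100.10
# failures are counted within this window, in seconds
findtime = 600
# length of the ban in seconds; -1 makes it permanent
bantime  = 3600

[sshd]
enabled  = true
port     = ssh
logpath  = %(sshd_log)s
# failures within findtime before the source IP is banned
maxretry = 3
EOF
}

# Constructed sample of /var/log/auth.log lines (addresses are RFC 5737 ranges).
sample_auth_log() {
    cat <<'EOF'
Mar  1 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Mar  1 10:00:03 host sshd[1002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Mar  1 10:00:04 host sshd[1003]: Failed password for invalid user test from 203.0.113.5 port 40003 ssh2
Mar  1 10:00:05 host sshd[1004]: Accepted publickey for alice from 198.51.100.10 port 50001 ssh2
Mar  1 10:00:06 host sshd[1005]: Failed password for alice from 198.51.100.10 port 50002 ssh2
Mar  1 10:00:07 host sshd[1006]: Failed password for invalid user oracle from 203.0.113.77 port 40010 ssh2
Mar  1 10:00:08 host sshd[1007]: Failed password for invalid user oracle from 203.0.113.77 port 40011 ssh2
EOF
}

# ban_candidates MAXRETRY [IGNOREIP...]
# Reads auth.log lines on stdin and prints every source IP with at least
# MAXRETRY "Failed password" lines, skipping IPs given as arguments.
# The "from <ip>" token is the peer of a completed TCP connection, so it
# cannot be spoofed the way a single SYN can.
ban_candidates() {
    maxretry=$1; shift
    ignore=" $* "
    sed -n 's/.*sshd\[[0-9]*]: Failed password for .* from \([0-9.]*\) port .*/\1/p' |
        sort | uniq -c |
        while read -r count ip; do
            case "$ignore" in *" $ip "*) continue ;; esac
            if [ "$count" -ge "$maxretry" ]; then
                echo "$ip"
            fi
        done
}

# ban_command IP: the rule Fail2Ban's default iptables action inserts.
# Printed, not executed, so the example can run anywhere.
ban_command() {
    echo "iptables -I INPUT -s $1 -p tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable"
}

# Demo: run the detection with maxretry=3 and the ignoreip list above.
if [ "${1:-}" = "demo" ]; then
    sample_auth_log | ban_candidates 3 198.51.100.10 |
        while read -r ip; do ban_command "$ip"; done
fi
```

Running `sh fail2ban-demo.sh demo` prints one REJECT rule for 203.0.113.5: it has three failures, 203.0.113.77 has only two, and 198.51.100.10 is on the ignore list. The real daemon also drops failures older than findtime and removes the rule after bantime; those two timers are the knobs the answer refers to. Putting your own address in ignoreip before enabling the jail is the check that keeps a typo in your own password from locking you out.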

Solution 2:

There are a few things which can take away the security risk of having SSH open to the world.

  • Fail2ban (mentioned already) is good. It supports blocking permanently or just for some time in the firewall.

  • Run SSH on a weird high port, something above 8000. This doesn't stop anything, but there is a great reduction in traffic, since most script kiddies are probing port 22.

  • Ensure PermitRootLogin in sshd_config is not set to the value Yes. You don't need root logins happening over ssh. You can ssh in as a regular user and then su. This way, two passwords are needed to gain admin access (unless this is Ubuntu or similar, where a regular user has sudo powers).

  • Consider two-factor authentication. This can be done with commercial products like Duo, or with something like Google Authenticator. The steps for that setup would come from the vendor.

  • Have an email sent when there is a successful login. This lets you know immediately if there is access, before a hacker has possibly had a chance to destroy any safeguards you've put in place. To do this, you need a session line added to /etc/pam.d/sshd that would look something like this:

    session required pam_exec.so /root/scripts/send-ssh-notice.sh

    There is a sample script that provides the details in variables, and it is available on GitHub: Github hosted sshlogin_alert.sh

    (Yes, I have provided a link in my answer, and why not? GitHub code is maintained, supports forks, and has good feedback. My posted answer will not be revisited by me in the months or years ahead. In addition, credit should be given where it is due, and this GitHub user has done a good job.)
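The sshd_config points from the bullets above (port and PermitRootLogin) and the pam_exec.so session hook, as an added example that is not part of the original answer and not the linked sshlogin_alert.sh script. The two sshd_config fragments are constructed, the contents of /root/scripts/send-ssh-notice.sh on the poster's system are unknown, and the `mail` command and `root` recipient are assumptions. The environment variables PAM_USER, PAM_RHOST, PAM_SERVICE and PAM_TYPE are the ones pam_exec.so really exports to the script.

```shell
#!/bin/sh
# Added example, not from the original answer or the linked GitHub script:
# a check for the two sshd_config settings discussed above, and the body of
# a pam_exec.so session script that mails a notice on each SSH login.
# The config fragments are constructed; "mail" and the "root" recipient are assumptions.

# Constructed sshd_config as many distributions ship it.
weak_sshd_config() {
    cat <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
}

# The same config after the changes from the answer.
hardened_sshd_config() {
    cat <<'EOF'
# High port: cuts the noise from port-22 scanners; no protection by itself.
Port 8022
# Log in as a regular user, then su/sudo: two secrets to get root.
PermitRootLogin no
PasswordAuthentication yes
EOF
}

# check_sshd_config: reads sshd_config on stdin, prints one finding per line.
# sshd keywords are case-insensitive and the first occurrence of a keyword
# wins, which is why the check lowercases and stops at the first match.
# Assumes the "Keyword value" form, not "Keyword=value".
check_sshd_config() {
    cfg=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' | tr '[:upper:]' '[:lower:]')
    root=$(printf '%s\n' "$cfg" | awk '$1=="permitrootlogin"{print $2; exit}')
    port=$(printf '%s\n' "$cfg" | awk '$1=="port"{print $2; exit}')
    case "$root" in
        "")  echo "PermitRootLogin unset: default is yes on OpenSSH before 7.0, set it explicitly" ;;
        yes) echo "PermitRootLogin yes: root password can be attacked directly" ;;
    esac
    if [ "${port:-22}" = "22" ]; then
        echo "Port 22: expect constant probing; a high port reduces noise only"
    fi
}

# login_notice_message HOST TIME: the text the notification mail carries.
# Host and time are parameters so the message can be tested deterministically.
login_notice_message() {
    printf 'SSH login on %s: user=%s from=%s service=%s at %s\n' \
        "$1" "${PAM_USER:-?}" "${PAM_RHOST:-?}" "${PAM_SERVICE:-?}" "$2"
}

# send_ssh_notice: what /root/scripts/send-ssh-notice.sh would do when
# /etc/pam.d/sshd carries "session required pam_exec.so <path>".
send_ssh_notice() {
    # pam_exec runs the script for open_session and close_session; report logins only.
    [ "${PAM_TYPE:-}" = "open_session" ] || return 0
    login_notice_message "$(hostname)" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" |
        mail -s "SSH login: ${PAM_USER:-?} from ${PAM_RHOST:-?}" root 2>/dev/null
    # Always succeed: with "required", a non-zero exit fails the session,
    # so a broken mailer would lock everyone out of SSH.
    return 0
}

# Demo: lint both configs.
if [ "${1:-}" = "demo" ]; then
    echo "== weak ==";     weak_sshd_config     | check_sshd_config
    echo "== hardened =="; hardened_sshd_config | check_sshd_config
fi
```

Two caveats the code encodes: the first occurrence of a keyword in sshd_config is the one that applies, so an `Include` or an early `PermitRootLogin yes` silently overrides a later `no`; and a script run under `session required pam_exec.so` must exit 0 on every path, or the failure mode of your alerting becomes a denial of service against your own logins (the same line with `optional` instead of `required` avoids that).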