Securing SSH server against bruteforcing

I have a little SVN server, old dell optiplex running debian. I don't have that high demands on my server, because its just a little SVN server... but do want it to be secure.

I just renewed my server to a newer and better optiplex, and started looking a bit into the old server. I took it down after experiencing problems. When I check the logs, its full of brute-force attempts and somehow someone has succeeded to enter my machine. This person created some extra volume called "knarkgosse" with two dirs "root" and "swap1" or something. Don't really know why and what they do, but sure do want to prevent this from happening again. I find this a bit strange though because I change my password ever few months or so, and the passwords are always random letters and numbers put together... not easy to brute-force.

I know I can prevent root from logging in, and use sudoers... and change the SSH port, but what more can I do?

So I have a few questions:

  1. How can I prevent logging in for 5 minutes after X amount of incorrect tries. Or slow tries down after each incorrect try?

  2. Is there some kind of central blacklist which a server can connect to? A blacklist that keeps track of IP addresses that are "unsafe" and should never be granted access?

  3. What more can I do to apply safety to my server?

Like I said earlier, I am running Debian 5 with Apache (www-data user problem?), svn, mysql, php, phpmyadmin, hudson. It is on a home network with port forwarding on 80, 443, 8080, 8180, 23 and 22.


Solution 1:

Fail2ban and Port Knocking should address most of your needs.

Changing your SSH port and only allowing Key-based authentication are also recommended.

It can be argued that you may reach a point of diminishing returns in adding additional security measures, but then again, it's up to you to decide when you're "secure enough".

It's also a good idea to disallow root login.

Solution 2:

There is no substitute for secure passwords AND key-authentication. That being said, Fail2Ban is a great tool for banning IPs of users who attempt to authenticate too many times. It's also available as a pre-built package for most distros. Be warned, you can accidentally get yourself banned, so make sure you have a recovery white-listed IP too or easy console access...

Fail2Ban has several good examples of how-to configure everything you asked... it does not however, have a universal repository of bad addresses. I don't think there is such a repository anyplace due to the ease of getting another IP (dhcp renew/bot-net attacks/etc...). I would also disable logging in via ssh using common 'administrator' type usernames (root/admin/administrator/sysop/etc..) as these are the most commonly banged on.