lots of failed SSH login attempts - should I be concerned? [duplicate]
Things you can do:
-
It is possible to set up iptables rules to block ssh attacks, theses rules will allow at most 3 connections per minute from any host, and will block the host for another minute if this rate is exceeded.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force " iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
-
Block via syslogs
2.1 sshdfilter: uses iptables for blocking (i.e. it dynamically adds custom firewall rules to block a specific attacker).
2.2 Fail2Ban: is a Python script which adds custom firewall rules to block an attacker.
2.3 DenyHosts : does not use firewall rules to block an attack. Rather, it writes blocking rules to /etc/hosts.deny.
Use Port Knocking (like knockd)
-
The best solution, use RSA AUTHENTICATION:
If you don't use passwords but only RSA keys for authentication, a brute force search for a valid password will obviously be useless.
Note: You can combine somes of theses tips, but simple Rsa auth + port knocking is a rock-solid solution.
You should be concerned and take steps to harden your servers.
Following up on cop1152's answer:
- You could change the port. However if you have clients that regularly use ssh, and expect the default port, this is not an option.
- You could use a package such as fail2ban (http://www.fail2ban.org/) to temporarily ban IPs that make several unsuccessful login attempts in a short amount of time.
- If you know the IPs from which your clients log in, you can use fail2ban to block all IPs except those from known IPs (AKA whitelisting: http://www.fail2ban.org/wiki/index.php/Whitelist).
A great way to stop these attempts is to set up Port knocking.
Some tools to do this are knockd (C), fwknop (C), KnockKnock (Python) and KnockKnockServer (Java), to name a few.
Port knocking kan keep your SSH port closed to the outside until a "secret knock", or Single Packet Authorization is received.
After your server gets the secret knock, the firewall allows new SSH connections for a couple of seconds, allowing you to establish a connection.
It can cause a bit of an inconvenience but you'll no longer have failed login attempts from botnets.
Image credit: cipherdyne.org
Change the port, but also have rule that bans IP's that attempt to login and fail numerous times. Additionally, consider only allowing logging in from certain IP's and do not allow root logins. Make sure the user has to elevate to admin to do anything.
And you can do better than "rather safe passwords" probably. A Google search will show you some fairly easy ways to make your SSH connections more secure.
No offense, but if you are charged with managing these servers, you should know these things already. I havent mentioned any specific packages for download, but they are easy to find.
Running on the default ssh port and on a public IP and probably open to connections from everyone. Yes these things are regular. If you use safe and strong passwords, you might be safe to some extent but again you never know.
A few things to do would be:
- use public key based authentication and if possible disable password based authentication.
- Disable root login.
- change ssh port to some random, if changing it across all the servers, have some mechanism to remember them.
- use some automated blocking of such intruding IPs using fail2ban or other similar packages.
- Deploy a RAS server (OpenVPN) and only allow ssh off this RAS server to those servers. Isn't always doable but does reduce your chances of getting probed.