Preventing brute force attacks against ssh?
What tool or technique do you use to prevent brute force attacks against your ssh port? I noticed in my Security logs that I have millions of attempts to log in as various users through ssh.
This is on a FreeBSD box, but I imagine it would be applicable anywhere.
Here's a good post on that subject by Rainer Wichmann.
It explains the pros and cons of these methods for doing it:
- Strong passwords
- RSA authentication
- Using 'iptables' to block the attack
- Using the sshd log to block attacks
- Using tcp_wrappers to block attacks
- Port knocking
I use fail2ban which will lock an IP out after several failed attempts for a configurable amount of time.
Combine this with password strength testing (using john (John the Ripper)) to ensure brute-force attacks will not succeed.
One small thing you can do is use something like DenyHosts:
http://denyhosts.sourceforge.net/
It uses the built-in hosts.allow/hosts.deny to block out SSH abusers.
- Change the port used (as Trent mentioned)
- Require encryption keys instead of passwords. http://novosial.org/openssh/publickey-auth/
- Blacklist attacker IPs
- Whitelist known users to prevent accidental blacklisting. (as Samiuela mentioned)
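The lockout-after-several-failures approach and the whitelist point from the answers above, as an added example (not part of any post in this thread, and not fail2ban's or DenyHosts' own code): it counts OpenSSH "Failed password" syslog lines per source address inside a time window and checks an allowlist first. The thresholds, the allowlisted range, the assumed year and the log lines are all constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

MAX_RETRY = 3                              # illustrative threshold
FIND_TIME = timedelta(minutes=10)          # illustrative counting window
ALLOWLIST = [ip_network("192.0.2.0/24")]   # constructed "known users" range
YEAR = 2024                                # syslog lines carry no year; assumed

# The username is remote-supplied text, so the address is anchored to the line end.
FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
                    r"(?:invalid user )?.* from (\S+) port \d+ ssh2$")

def ips_to_block(lines):
    """Return IPs with MAX_RETRY failed logins inside FIND_TIME, allowlist excluded."""
    recent = defaultdict(list)             # ip -> timestamps of recent failures
    blocked = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        try:
            ip = ip_address(m.group(2))
        except ValueError:                 # not an address: ignore the line
            continue
        if any(ip in net for net in ALLOWLIST):
            continue                       # never lock out known users
        # Keep only failures still inside the window, then add this one.
        window = [t for t in recent[ip] if when - t <= FIND_TIME] + [when]
        recent[ip] = window
        if len(window) >= MAX_RETRY and str(ip) not in blocked:
            blocked.append(str(ip))
    return blocked

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = """\
Jan 12 03:14:01 bsd1 sshd[811]: Failed password for root from 203.0.113.5 port 40110 ssh2
Jan 12 03:14:03 bsd1 sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Jan 12 03:14:09 bsd1 sshd[811]: Failed password for invalid user test from 203.0.113.5 port 40115 ssh2
Jan 12 03:15:04 bsd1 sshd[815]: Failed password for alice from 192.0.2.10 port 51000 ssh2
Jan 12 03:15:05 bsd1 sshd[815]: Failed password for alice from 192.0.2.10 port 51000 ssh2
Jan 12 03:15:06 bsd1 sshd[815]: Failed password for alice from 192.0.2.10 port 51000 ssh2
Jan 12 03:20:00 bsd1 sshd[820]: Failed password for bob from 198.51.100.7 port 42000 ssh2
Jan 12 03:40:00 bsd1 sshd[821]: Failed password for bob from 198.51.100.7 port 42001 ssh2
Jan 12 03:59:00 bsd1 sshd[822]: Failed password for bob from 198.51.100.7 port 42002 ssh2
""".splitlines()

print(ips_to_block(SAMPLE_LOG))
```

Only the burst from 203.0.113.5 crosses the threshold: the allowlisted address is skipped despite three failures, and the three failures from 198.51.100.7 are too far apart to share a window.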
One of the easiest ways to avoid these attacks is to change the port that sshd listens on.