Automatically deny hacking attempts in CentOS?
You can limit the number of login attempts per minute with iptables. Such rules will block an IP for one minute after three login attempts (taken from Diary of a geek – Mitigating against SSH brute force attacks using Netfilter and the recent module):

    # Record every new connection to port 22 in the "SSH" recent list
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    # Trusted sources are handled in SSH_WHITELIST (a user-defined chain that must already exist)
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
    # Log the fourth new connection from one source within 60 seconds
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
    # ...and drop it
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
If you want a more configurable solution, you can use fail2ban or DenyHosts for analyzing SSHd logs and blocking suspicious IP addresses.
The best practice way is to block all unneeded ports with iptables and set up your SSH to use a private key for login. I know that PuTTY and MobaXterm (both free SSH clients) support private key login. Then, inside your /etc/ssh/sshd_config, remove the
    PermitRootLogin yes
and add:
    PermitRootLogin without-password
This will make it so that even if you know the root password, it will not allow you to log in with it.
You can use the iptables rules to throttle them so they don't bog down your server as well.
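A check for the sshd_config change described in the answer above, as an added example that is not part of the original answers: sshd uses the first value it reads for a keyword, so a `PermitRootLogin yes` left above the new line still takes effect. The function names and the sample configs are constructed for this illustration.

```shell
#!/bin/sh
# Added example: which PermitRootLogin value will sshd actually use?
# sshd keeps the FIRST value it reads for a keyword, so a leftover
# "PermitRootLogin yes" above a newly added line still wins.

# Print the first global (pre-Match) PermitRootLogin value found in file $1.
effective_root_login() {
    awk '
        /^[ \t]*#/ { next }                   # skip comment lines
        { sub(/[=]/, " ") }                   # accept the "Keyword=value" form
        tolower($1) == "match" { exit }       # Match blocks are conditional
        tolower($1) == "permitrootlogin" { print tolower($2); exit }
    ' "$1"
}

# Return 0 when root cannot authenticate with a password, 1 otherwise.
# without-password is the older spelling of prohibit-password.
root_password_login_blocked() {
    case "$(effective_root_login "$1")" in
        without-password|prohibit-password|forced-commands-only|no) return 0 ;;
        *) return 1 ;;  # "yes", or unset (the build default applies)
    esac
}

# Constructed sample configs (not from the page): in the first the old line
# was left in place, in the second it was commented out before adding the new.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' 'Port 22' 'PermitRootLogin yes' \
        'PermitRootLogin without-password' > "$dir/appended.conf"
    printf '%s\n' 'Port 22' '#PermitRootLogin yes' \
        'PermitRootLogin without-password' > "$dir/replaced.conf"
    echo "$dir"
}

samples=$(make_samples)
for f in "$samples"/*.conf; do
    if root_password_login_blocked "$f"; then v=blocked; else v=ALLOWED; fi
    printf '%s: PermitRootLogin=%s, root password login %s\n' \
        "${f##*/}" "$(effective_root_login "$f")" "$v"
done
rm -rf "$samples"
```

On a live host, `sshd -T` prints the configuration the daemon would actually apply, which also covers included files and Match blocks that this file-level check does not evaluate.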
Install the DenyHosts software. It will automatically add such hacker IPs to hosts.deny. The package is available in the EPEL repository.