Sunday, 09 November 2014

How to block SSH brute force in Linux/Unix

I have a server that has become a target for crackers brute-forcing the SSH service. The last time I looked into the auth.log file, I saw too many brute-force activities.


So, I decided to block that brute-force activity with these simple steps:

  1. Modify /etc/ssh/sshd_config
    This step ensures that your service will not accept SSH connections for the root account.

    As root, open the /etc/ssh/sshd_config file and find PermitRootLogin. Make sure the PermitRootLogin option is set to no, like this:
    PermitRootLogin no
  2. Add simple iptables entries
    The last step is to add simple iptables entries that prevent brute-force activity.
    -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
    -A INPUT -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 30 --hitcount 4 --rttl --name SSH --rsource -j REJECT --reject-with tcp-reset
    -A INPUT -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 30 --hitcount 3 --rttl --name SSH --rsource -j LOG --log-prefix "SSH brute force "
    -A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 30 --hitcount 3 --rttl --name SSH --rsource -j REJECT --reject-with tcp-reset
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
     (Taken from: rudd-o.com)
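
To see what the five rules above do to a sequence of connection attempts, this added example (not from the original post or from rudd-o.com) replays constructed timestamps through a simplified model of the recent match. It models only NEW packets, ignores --rttl, and assumes the module keeps its default of 20 timestamps per source; the function names and sample addresses are made up for illustration.

```python
from collections import deque

WINDOW = 30        # --seconds 30 in rules 2-4
PKT_LIST_TOT = 20  # assumed: xt_recent's default count of remembered timestamps

def hits(stamps, now):
    """Number of remembered timestamps that fall inside the --seconds window."""
    return sum(1 for s in stamps if now - s <= WINDOW)

def new_connection(table, src, now):
    """Pass one NEW packet for port 22 through the five rules.

    Returns (verdict, logged). `table` plays the role of the list named SSH.
    """
    stamps = table.setdefault(src, deque(maxlen=PKT_LIST_TOT))
    stamps.append(now)                 # rule 1: --set records the attempt, no verdict
    if hits(stamps, now) >= 4:         # rule 2: --rcheck --hitcount 4 -j REJECT
        return "REJECT", False
    if hits(stamps, now) >= 3:         # rule 3: --rcheck --hitcount 3 -j LOG
        stamps.append(now)             # rule 4: --update matches, stamps again, REJECT
        return "REJECT", True
    return "ACCEPT", False             # rule 5: -j ACCEPT

def replay(events):
    """events: time-ordered (seconds, source) pairs -> (seconds, source, verdict, logged)."""
    table = {}
    return [(t, src, *new_connection(table, src, t)) for t, src in events]

# Constructed sample traffic (documentation addresses, not real hosts):
# one source hammering the port, one connecting occasionally.
SAMPLE = [
    (0, "198.51.100.7"), (2, "198.51.100.7"), (4, "198.51.100.7"),
    (6, "198.51.100.7"), (10, "203.0.113.5"), (16, "198.51.100.7"),
    (26, "198.51.100.7"), (36, "198.51.100.7"), (50, "203.0.113.5"),
    (90, "198.51.100.7"),
]

if __name__ == "__main__":
    for t, src, verdict, logged in replay(SAMPLE):
        note = '  <- LOG "SSH brute force "' if logged else ""
        print(f"t={t:>3}s  {src:<13} {verdict}{note}")
```

In the replay the LOG rule fires only on the third attempt of a burst; later attempts are rejected by rule 2 before they reach it, so the number of "SSH brute force" log lines undercounts the rejected attempts.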
