Force attacks against SSH

jeanmarc
Posts: 1866
Joined: Thu Aug 29, 2013 7:16 am

Force attacks against SSH

Post by jeanmarc » Thu Nov 14, 2019 8:23 am

Hi,
Lately I've been amazed by how many attacks I encounter against my SSH port. I've been looking at various solutions to calm those annoying intruders :evil:

I came up with a few good things that you might also do to further protect your logger:
- SSH keys
- Sshguard or Fail2ban
- Port knocking

First, I'll explain how I set up a simple yet powerful protection with SSH keys. The aim is to allow only recognized computers to access your logger.

You'll need to create an SSH key pair on your client: one will be public, the other one private, which must be stored securely. The private key has a passphrase.

On a Linux system, it's simple to do so with ssh-keygen -b 4096
On a Windows system, read that guide about PuTTYgen.

Then, you must copy your public key to your logger. On Linux you can do so with ssh-copy-id username@remote-logger.org.
On Windows, you should log in and edit ~/.ssh/authorized_keys with vi. Paste the public key into the authorized_keys file.

Once you've done that, you can systemctl restart sshd and test whether everything is OK with the new SSH authentication:
From Linux: just log in as usual.
From Windows: in PuTTY, put your keys into Connection > SSH > Auth. In WinSCP, Advanced > SSH > Authentication.

Edit /etc/ssh/sshd_config and set PasswordAuthentication no and then again systemctl restart sshd.

:!: Beware, if you mess up you won't be able to remotely access your logger; only local access will be possible.
This would make your logger bulletproof against brute-force attacks :thumbup:

I'll explain Sshguard next.
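The steps above are applied by hand, and the one irreversible step is setting PasswordAuthentication no before a key is actually installed. The shell functions below are an added example (not from the post) that perform that edit only after checking an authorized_keys file contains a public key. They take file paths as arguments; the demo at the bottom runs on a constructed temporary copy, never on the real /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the original post: disable password logins in an sshd_config
# file only after confirming a public key is installed, so you cannot lock yourself out.
# Paths are passed in as arguments; the demo at the bottom uses a constructed temp copy.

# Succeeds if the authorized_keys file holds at least one public-key line.
has_authorized_key() {
    keys_file="$1"
    [ -r "$keys_file" ] || return 1
    grep -Eq '^(ssh-|ecdsa-|sk-)[A-Za-z0-9@.-]+ [A-Za-z0-9+/]+=*' "$keys_file"
}

# Print the effective value of a directive. sshd uses the first match, and
# directive names are case-insensitive, so mirror both rules here.
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Set "Key value" in the config. An existing line (even a commented one) is replaced
# in place; a missing directive is prepended so it stays global and never lands
# inside a trailing Match block. Written to a temp file and moved, so no sed -i.
set_sshd_option() {
    config="$1"; key="$2"; value="$3"
    tmp_out="$config.tmp.$$"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$config"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*$key[[:space:]].*|$key $value|" "$config" > "$tmp_out"
    else
        { printf '%s %s\n' "$key" "$value"; cat "$config"; } > "$tmp_out"
    fi
    mv "$tmp_out" "$config"
}

# The guarded change: refuse when no key is present, otherwise switch to key-only auth.
disable_password_auth() {
    config="$1"; keys_file="$2"
    if ! has_authorized_key "$keys_file"; then
        echo "refusing: no public key in $keys_file; password login would be your only way in" >&2
        return 1
    fi
    set_sshd_option "$config" PubkeyAuthentication yes
    set_sshd_option "$config" PasswordAuthentication no
}

# Demo on a constructed copy (sample values, not a real host or a real key):
demo_dir=$(mktemp -d)
printf '#PasswordAuthentication yes\nPort 22\n' > "$demo_dir/sshd_config"
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotARealOne user@client' > "$demo_dir/authorized_keys"
disable_password_auth "$demo_dir/sshd_config" "$demo_dir/authorized_keys" \
    && echo "PasswordAuthentication is now: $(get_sshd_option "$demo_dir/sshd_config" PasswordAuthentication)"
rm -rf "$demo_dir"
```

When you run this against the real file, validate the result with `sshd -t` before `systemctl restart sshd`, and keep your current session open while you test a fresh key-based login from a second terminal; that way a mistake still leaves you a way back in.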

jeanmarc
Posts: 1866
Joined: Thu Aug 29, 2013 7:16 am

Re: Force attacks against SSH

Post by jeanmarc » Thu Nov 14, 2019 10:06 am

Now for SSHGuard, it's another protection that will block repeat offenders for a limited amount of time. The default amount of time the offender is banned starts at 120 seconds and increases at each bad request. It can also be configured to permanently ban.

Install sshguard (in Arch: pacman -S sshguard).
Then use iptables: see the status with systemctl status iptables; if it is not running, systemctl enable iptables and systemctl start iptables.
Create a chain: iptables -N sshguard. This rule must be added before any other.
Block whatever SSHGuard says is bad: iptables -A INPUT -j sshguard
Save the rule: iptables-save > /etc/iptables/iptables.rules

Restart with systemctl restart iptables, and start SSHGuard: systemctl enable sshguard, systemctl start sshguard.
You may see offenders with systemctl status sshguard, and permanently banned offenders are in /var/db/sshguard/blacklist.db
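To see what SSHGuard is doing behind the chain created above, here is an added example (not from the post and not SSHGuard's own code) that does the same job by hand: it counts failed password attempts per source address in sshd log lines and prints the kind of DROP rule for the "sshguard" chain that a repeat offender would earn. The commands are printed, not executed, and the log lines are constructed samples using documentation (TEST-NET) addresses.

```shell
#!/bin/sh
# Added example, not from the original post or from SSHGuard: count failed password
# attempts per source address in sshd log lines and emit the iptables commands that
# would drop repeat offenders into the "sshguard" chain. Nothing here touches the
# firewall; the output is text. Log lines below are constructed samples.

SAMPLE_LOG='Nov 14 08:01:02 logger sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Nov 14 08:01:05 logger sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Nov 14 08:01:09 logger sshd[1203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Nov 14 08:01:12 logger sshd[1203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Nov 14 08:02:30 logger sshd[1210]: Failed password for root from 198.51.100.9 port 40002 ssh2
Nov 14 08:02:33 logger sshd[1210]: Failed password for root from 198.51.100.9 port 40002 ssh2
Nov 14 08:03:41 logger sshd[1215]: Accepted publickey for jeanmarc from 192.0.2.5 port 52000 ssh2: ED25519 SHA256:ConstructedFingerprint'

# Read sshd log lines on stdin; print "ip count" for every source with at least
# $1 failed password attempts (default 3), most active first.
offenders() {
    threshold="${1:-3}"
    awk -v t="$threshold" '
        /Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= t) print ip, fails[ip] }
    ' | sort -k2,2nr -k1,1
}

# Turn the offender list into DROP rules for the sshguard chain (the rule shape is
# this example's assumption of what a ban looks like, not copied from SSHGuard).
ban_commands() {
    offenders "$1" | while read -r ip count; do
        printf 'iptables -A sshguard -s %s -j DROP\n' "$ip"
    done
}

# Demo with the constructed lines: only 203.0.113.7 crosses a threshold of 3,
# and the successful key login from 192.0.2.5 is never counted.
printf '%s\n' "$SAMPLE_LOG" | offenders 3
printf '%s\n' "$SAMPLE_LOG" | ban_commands 3
```

On a real box you would feed it `journalctl -u sshd --no-pager` or /var/log/auth.log instead of the sample string. The point of SSHGuard over this script is the part the script leaves out: the bans expire and the duration grows with each repeat, which is what keeps the blocklist from filling with stale addresses.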
