Distroname and release: Debian Squeeze

Securing your SSH server

When a server is running 24/7, it quickly becomes a target for bruteforce attacks. I noticed this when looking in /var/log/auth.log, so I decided to do something about it, most of all to clear the log of these attempts so I could focus on other things in it.
A strong password is the best protection against these attacks!

The things listed below are all good steps to secure it.
Not all of them are needed; use them according to your needs.

Disable the root login

The bruteforce bots often try the root user, for obvious reasons, so the first thing to do is disable the root login. Find the authentication section in the config file and set PermitRootLogin no.
Remember to add a new user that is allowed to connect over ssh.
/etc/ssh/sshd_config
# Authentication:
LoginGraceTime 600
PermitRootLogin no
StrictModes yes

Restrict ssh access from other users

It is also a good idea to restrict the other users on the server so they cannot log in with ssh, except of course the user or users created for this purpose.

The following parameter allows only the listed users: bernhard, bianca and example. The names are separated by spaces, not commas.
/etc/ssh/sshd_config
AllowUsers bernhard bianca example
It is also possible to do it as shown below, but if someone unwanted is able to create a user, that user is allowed to ssh to your server, since a shell is set by default. So this is not recommended.
So please use the above method!

In /etc/passwd, set a dummy shell such as /bin/false as the last field of the user's line.
/etc/passwd
username:x:1001:1001:John Doe,,,:/home/username:/bin/false

Change the default ssh port

By changing the default port, bruteforce attempts are most likely not going to reach your server at all.
Find the Port line in the config file and change it to another port. Make sure this port does not collide with another service on the server.
/etc/ssh/sshd_config
# What ports, IPs and protocols we listen for
Port 3333
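As an added example (not part of the original page), a small Python audit that reads an sshd_config and checks the three settings above. It takes into account that sshd keeps the first value it reads for a keyword, that every Port line is honoured, and that AllowUsers is space-separated; the sample config is constructed and deliberately contains the comma mistake.

```python
import re

# Constructed sample: the page's settings with the comma-separated AllowUsers
# mistake and a duplicate PermitRootLogin to show that the first value wins.
SAMPLE_CONFIG = """\
# What ports, IPs and protocols we listen for
Port 3333
PermitRootLogin yes
PermitRootLogin no
AllowUsers bernhard, bianca, example.
"""

def parse_sshd_config(text):
    """Ordered (keyword, value) pairs from the global section; stops at the
    first Match block. Keywords are case-insensitive, '=' or blanks separate."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        pairs.append((key, value))
    return pairs

def audit_sshd_config(text):
    """Check the three hardening steps above; return a list of findings."""
    pairs = parse_sshd_config(text)
    first = {}
    for key, value in pairs:
        first.setdefault(key, value)  # sshd keeps the FIRST value it reads
    findings = []
    # Assumption: an unset PermitRootLogin means the historic default "yes"
    root = first.get("permitrootlogin", "yes")
    if root.lower() != "no":
        findings.append(f"PermitRootLogin is '{root}' (first occurrence wins)")
    allow = first.get("allowusers")
    if allow is None:
        findings.append("AllowUsers unset: every account with a shell may log in")
    elif "," in allow or allow.endswith("."):
        findings.append("AllowUsers takes space-separated patterns, no commas/dots")
    # Every Port line is honoured, so any one left at 22 keeps the default open
    ports = [v for k, v in pairs if k == "port"] or ["22"]
    if "22" in ports:
        findings.append("sshd listens on the default port 22")
    return findings
```

Run it against the real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; an empty list means all three steps are in place.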

Block using a script

This should not be needed if the above steps have been taken, but it can be used as an alternative or additional measure. It is possible to use a script to search for and block bruteforce ssh attempts. I found this script some time back and modified it to my needs.
#!/bin/sh
# Bruteforce ssh block script by Lasse Mork
# Scans auth.log for "Invalid user" attempts and adds the offending IPs to
# hosts.deny (sshd on Debian honours /etc/hosts.deny via TCP wrappers).

log="/var/log/auth.log"
export_to="/etc/hosts.deny"
max_attempts="4"

# Take the address that follows "from" on every sshd "Invalid user" line, then
# count how often each one occurs (sort first: uniq only merges adjacent lines).
grep 'sshd.*Invalid user' "$log" \
    | awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1) }' \
    | sort | uniq -c | while read count ip
do
    if [ "$count" -ge "$max_attempts" ]
    then
        # Fixed-string, whole-word match so 10.0.0.1 does not match 10.0.0.12
        if ! grep -qwF "$ip" "$export_to"
        then
            echo "ALL: $ip" >> "$export_to"
        fi
    fi
done

echo "Done"
exit 0

Do not trust the author's words! POC, tests and experience are key

Copyright LinuxLasse.net 2009 - 2024 All Rights Reserved.
