We at Spamhaus frequently come across compromised (web) servers that turned out to have been hijacked by spammers or other cybercriminals to host spam sites, malware distribution sites or even botnet controllers. Many of these servers were compromised by SSH brute forcing.
In an SSH brute-force attack, the attacker tries to guess the password by trial and error: automated tools hammer the SSH daemon with long lists of common usernames and passwords. If the system uses a weak password the chance is high that the attack produces a match, after which the attacker has (root) access to the system.
Fortunately there are several technical measures that help mitigate SSH brute-force attempts.
Change the port SSHd is listening on
A simple and surprisingly effective way to cut down on brute-force attempts is to move the SSH daemon (sshd) from the standard port 22/TCP to a non-standard port such as 2233 or 2244. Most brute-force tools only try port 22, so the bulk of the noise disappears. Keep in mind that this is obscurity, not a replacement for strong passwords or key-based authentication: a targeted attacker will find the new port with a port scan. You change the port in the sshd configuration file, which usually resides in /etc/ssh/sshd_config. Note that there are two files, sshd_config (the daemon) and ssh_config (the client); make sure you edit sshd_config. Somewhere near the top you will find the option Port with the value 22 (in newer OpenSSH releases the line is commented out because 22 is the built-in default; remove the comment sign). Change it to the new port (e.g. 2233) and restart the SSH daemon, on Debian and Ubuntu with the command sudo /etc/init.d/ssh restart
. sshd should now listen on the port you specified. Open the new port in your firewall first and confirm from a second session that you can log in on it before you close port 22; otherwise a typo in the configuration or a blocked port locks you out of the server.
If you run SELinux (Red Hat, CentOS, Fedora), sshd is only allowed to bind to ports labelled ssh_port_t. Read the SELinux manual on labelling the new port before you restart sshd, or the daemon will refuse to start.
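The port change as a scripted procedure, added here as an example (it is not part of the original Spamhaus post). It assumes a Debian/Ubuntu-style layout (/etc/ssh/sshd_config, service name ssh, iptables as the firewall) and an optional SELinux system with the semanage tool; set_sshd_port takes the file path as a parameter so it can be tried on a copy of the configuration before touching the real one.

```shell
#!/bin/sh
# Added example, not from the Spamhaus post. Move sshd to a non-standard port without
# locking yourself out: rewrite the Port directive, validate the config, tell SELinux
# about the port if present, open the firewall, and only then restart sshd.

# set_sshd_port FILE PORT: set the Port directive in an sshd_config file.
# Handles an explicit "Port 22", a commented-out "#Port 22" (the default in recent
# OpenSSH releases) and a file without any Port line at all.
set_sshd_port() {
    file=$1
    port=$2
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    tmp=$(mktemp)
    awk -v port="$port" '
        !done && $0 ~ /^[ \t]*#?[ \t]*Port[ \t]+[0-9]+/ { print "Port " port; done = 1; next }
        { print }
        END { if (!done) print "Port " port }
    ' "$file" > "$tmp"
    # Copy over the original instead of mv so its owner and mode are preserved.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# current_sshd_port FILE: print the port sshd will use for this file (22 when no
# uncommented Port line is present, because that is OpenSSH's built-in default).
current_sshd_port() {
    awk '/^[ \t]*Port[ \t]+[0-9]+/ { print $2; found = 1; exit }
         END { if (!found) print 22 }' "$1"
}

# apply_port_change PORT: the live procedure, to be run as root. sshd -t validates the
# file before the restart so a typo cannot take the daemon down; the new port is opened
# before port 22 is closed, and closing 22 is left to you once a second login works.
# Assumptions: Debian/Ubuntu service name "ssh" (Red Hat uses "sshd"), iptables firewall.
apply_port_change() {
    port=$1
    set_sshd_port /etc/ssh/sshd_config "$port"
    /usr/sbin/sshd -t || { echo "sshd_config is invalid; not restarting" >&2; return 1; }
    if command -v semanage >/dev/null 2>&1; then
        # Label the port for SELinux; -a fails if the port is already labelled, then -m modifies it.
        semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null || \
            semanage port -m -t ssh_port_t -p tcp "$port"
    fi
    iptables -I INPUT -p tcp --dport "$port" -j ACCEPT
    if command -v systemctl >/dev/null 2>&1; then systemctl restart ssh; else /etc/init.d/ssh restart; fi
    echo "sshd now listens on $port. Log in on it from a second terminal, then close 22 with:"
    echo "  iptables -A INPUT -p tcp --dport 22 -j DROP"
}

# Only touch the live system when explicitly asked: ./move_ssh_port.sh --apply 2233
if [ "$1" = "--apply" ] && [ -n "$2" ]; then
    apply_port_change "$2"
fi
```

Run the two helpers against a copy of sshd_config first; the live path is deliberately behind the --apply switch.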
Fail2Ban
Fail2ban is an open source tool that watches the SSH log for failed login attempts and bans the attacking IP address for a configurable period using iptables or a null route. Installation and configuration are simple. On Ubuntu or Debian, install the Fail2Ban package from the repository with apt-get:
sudo apt-get install fail2ban
The main configuration file of Fail2Ban is /etc/fail2ban/jail.conf. Put your own changes in /etc/fail2ban/jail.local rather than editing jail.conf directly: jail.conf is overwritten on package upgrades, and settings in jail.local override it. There are various options you can configure, for example the e-mail address notifications are sent to or the default ban action (usually iptables-multiport, which blocks the attacking address with iptables on the ports listed for the jail; iptables-allports blocks it on every port). By default, Fail2Ban monitors the SSH log at /var/log/auth.log for failed login attempts. A correctly configured SSH jail looks like this:
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
The option enabled switches the jail on or off (true or false). The option filter names the filter configuration the jail uses; the filter files live in /etc/fail2ban/filter.d/. The option port tells the ban action which ports to block, so if you moved sshd to a non-standard port you must replace port = ssh with that port number, otherwise the ban does not cover the port the attacker is actually hitting. Taken together, this jail watches auth.log and bans an attacking address after 6 failed login attempts (maxretry) within the findtime window (600 seconds by default) for 600 seconds (the default bantime) using iptables (see option banaction).
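What the sshd jail does, run offline: the script below is an added example, not part of the original post or of the fail2ban project. It counts "Failed password" events per source address over a constructed auth.log excerpt (made-up lines using RFC 5737 documentation addresses) the way the sshd filter does, and prints a jail.local that enables the jail for a given port. It ignores the findtime window for brevity; fail2ban only counts failures that fall within that window.

```shell
#!/bin/sh
# Added example, not from the Spamhaus post or fail2ban itself. Mirrors what the sshd
# jail does to a log and emits a jail.local whose port matches the sshd port in use.

# Constructed auth.log excerpt (not a real log): one source with six failures, one
# legitimate user who mistyped once, and one source that stops at five failures.
SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:01:02 web1 sshd[2210]: Failed password for root from 203.0.113.5 port 50122 ssh2
Mar  3 10:01:04 web1 sshd[2210]: Failed password for root from 203.0.113.5 port 50123 ssh2
Mar  3 10:01:05 web1 sshd[2212]: Failed password for invalid user admin from 203.0.113.5 port 50124 ssh2
Mar  3 10:01:07 web1 sshd[2214]: Failed password for invalid user oracle from 203.0.113.5 port 50125 ssh2
Mar  3 10:01:08 web1 sshd[2216]: Failed password for invalid user test from 203.0.113.5 port 50126 ssh2
Mar  3 10:01:09 web1 sshd[2218]: Failed password for root from 203.0.113.5 port 50127 ssh2
Mar  3 10:02:11 web1 sshd[2230]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar  3 10:02:20 web1 sshd[2231]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Mar  3 10:03:00 web1 sshd[2240]: Invalid user pi from 192.0.2.9 port 33001
Mar  3 10:03:01 web1 sshd[2240]: Failed password for invalid user pi from 192.0.2.9 port 33001 ssh2
Mar  3 10:03:02 web1 sshd[2241]: Failed password for invalid user ubnt from 192.0.2.9 port 33002 ssh2
Mar  3 10:03:03 web1 sshd[2242]: Failed password for invalid user guest from 192.0.2.9 port 33003 ssh2
Mar  3 10:03:04 web1 sshd[2243]: Failed password for invalid user support from 192.0.2.9 port 33004 ssh2
Mar  3 10:03:05 web1 sshd[2244]: Failed password for invalid user ftp from 192.0.2.9 port 33005 ssh2
EOF
)

# brute_force_sources MAXRETRY: read sshd log lines on stdin, count "Failed password"
# events per source address (the core of fail2ban's sshd filter) and print, sorted, the
# addresses that reached MAXRETRY. Accepted logins and "Invalid user" lines are not counted.
brute_force_sources() {
    awk -v max="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) if (count[ip] >= max) print ip }
    ' | sort
}

# jail_local PORT: emit a /etc/fail2ban/jail.local enabling the sshd jail for PORT.
# Overrides belong in jail.local because upgrades replace jail.conf. The jail is named
# [sshd] as in current fail2ban releases; older Debian packages call it [ssh]. If sshd
# was moved off port 22 the port line must follow, since iptables-multiport only blocks
# the ports listed here.
jail_local() {
    cat <<EOF
[sshd]
enabled = true
port = $1
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
findtime = 600
bantime = 600
EOF
}

# Demo: with maxretry = 6 only the first source is banned; 192.0.2.9 stays one attempt short.
printf '%s\n' "$SAMPLE_LOG" | brute_force_sources 6   # prints 203.0.113.5
jail_local 2233
```

Lowering maxretry to 5 in the demo also catches 192.0.2.9, which illustrates the trade-off: a low threshold bans scanners faster but also bans a legitimate user who fumbles a password a few times.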
If you want to monitor what Fail2Ban is doing, check the log file it produces, usually located at /var/log/fail2ban.log
If you are interested in Fail2Ban you can find more information on the Fail2Ban project website:
http://www.fail2ban.org/wiki/index.php/README
DenyHosts
Another way to keep attackers from getting in with brute-forced SSH credentials is to run DenyHosts on your server. DenyHosts is an open source project that works much like Fail2ban: it monitors the sshd log for failed login attempts and, once an attack is detected, blocks the offending IP address by adding it to /etc/hosts.deny. It can also synchronize with a central database of IP addresses known to be sources of SSH attacks. Be aware that /etc/hosts.deny is enforced by TCP Wrappers, so this only protects sshd if sshd was built with libwrap support; upstream OpenSSH dropped that support in version 6.7, so check that your distribution's sshd still honours hosts.deny before relying on it. If you are running Ubuntu or Debian you can install DenyHosts with the following command:
sudo apt-get install denyhosts
This command installs DenyHosts on your Linux/Unix server. The default configuration usually works out of the box, but if you want to check it, the config file is /etc/denyhosts.conf. Ensure that the path to the SSH log (SECURE_LOG) is set correctly (/var/log/auth.log on Debian and Ubuntu, /var/log/secure on Red Hat-based systems) and that BLOCK_SERVICE is set to sshd so that DenyHosts blocks the offending host for SSH.
More information about DenyHosts can be found here:
http://www.denyhosts.net/