Brute Force Protection on SSH
How to prevent brute-force attacks on SSH on Ubuntu: seven protective measures that stop the attack and safeguard your server.

The SSH protocol (Secure Shell) is a method for secure remote login from one computer to another. It offers several options for strong authentication and protects the confidentiality and integrity of the session with strong encryption. It is the secure replacement for unprotected login protocols (telnet, rlogin) and insecure file transfer methods (FTP). Because SSH is exposed to the network on almost every server, and because it accepts a username and password from anyone who connects, protecting it against brute-force login attempts is essential.

According to the SANS Institute's Top-20 Security Risks report for 2007, brute-force/dictionary attacks against remote services such as SSH are among the most common forms of attack on the Internet that compromise servers. Unix-based and Mac OS X servers that run an SSH service so administrators can connect remotely are at particular risk. The ISO has seen an increasing number of systems compromised this way. The attacks are continuous, and where countermeasures are lax attackers keep refining their password dictionaries with every account they break. An excessive number of failed logins in the authentication log is the telltale sign of a brute-force/dictionary attack against your SSH server.

To protect your SSH server from a brute-force/dictionary attack, please follow these seven protective measures:

Disable Root Access

It is good security practice to disable SSH logins for the root account (PermitRootLogin no in /etc/ssh/sshd_config, then restart the service). root is the one username every attacker already knows, so this alone removes the most valuable target from the dictionary. Log in with a non-privileged account and escalate privilege only when necessary; sudo and su are the usual tools for that. They add the further benefit of accountability (logging of who did what) in environments where root access must be shared.

Disable unused services

Disable SSH if it is not in use. On Ubuntu the unit is called ssh (not sshd), and disabling is a systemctl operation rather than a subcommand of service:

sudo systemctl stop ssh
sudo systemctl disable ssh

On releases that start sshd on demand through a socket (Ubuntu 22.10 and later), disable ssh.socket as well, otherwise the next incoming connection starts the service again.

Run the SSH server on a non-standard, high port

This cuts down the automated scanners and bots that only probe the default port 22. It does not stop an attacker who port-scans the host, so treat it as noise reduction rather than a control, and keep the other measures in place.

To change the default port used by SSH, open the following file

sudo vi /etc/ssh/sshd_config

and change the Port line (commented out as #Port 22 in Ubuntu's stock file) to a port of your choice, for example 7777:

Port 7777

Allow the new port through your firewall before you restart, check the file with sudo sshd -t, then restart the service (sudo systemctl restart ssh) and confirm you can open a second session on the new port before closing the one you are in.
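The root-login and port changes above are both edits to the same file, and done by hand they are easy to get wrong (leaving the commented #Port 22 in place, or adding a second PermitRootLogin line that sshd ignores because the first occurrence wins). The following script is an added example, not code from the original article: it sets those directives idempotently in a copy of sshd_config and reads the effective values back. The helper names (set_sshd_option, sshd_option, harden_sshd_config, demo_config), the sample file and the port 7777 are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): apply the "disable root
# login" and "non-standard port" steps to an sshd_config file the same way
# every time, then read the effective value back. Assumptions: POSIX sh, awk
# and mktemp are available; sshd keywords are case-insensitive and the FIRST
# active occurrence wins, as sshd itself behaves. Directives inside a "Match"
# block are not handled. Run it against a copy first; on a real host point it
# at /etc/ssh/sshd_config with sudo, validate with `sudo sshd -t`, and restart
# with `sudo systemctl restart ssh` only after the firewall allows the new port.

# set_sshd_option FILE KEY VALUE
# Rewrites the first line that sets KEY (active, or commented out like
# "#Port 22") to "KEY VALUE", drops later duplicates so the value is
# unambiguous, and appends the directive if the file never mentioned it.
set_sshd_option() {
    file=$1; key=$2; value=$3
    awk -v key="$key" -v value="$value" '
        BEGIN { re = "^[ \t]*#?[ \t]*" tolower(key) "([ \t]|$)" }
        tolower($0) ~ re { if (!done) { print key " " value; done = 1 }; next }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# sshd_option FILE KEY
# Prints the effective value: the first active (uncommented) KEY line,
# which is the one sshd uses. Prints nothing if the directive is unset.
sshd_option() {
    awk -v key="$2" '
        BEGIN { re = "^[ \t]*" tolower(key) "[ \t]+" }
        tolower($0) ~ re { print $2; exit }
    ' "$1"
}

# harden_sshd_config FILE [PORT]
# The two sshd_config changes from the article: no root logins, custom port.
harden_sshd_config() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" Port "${2:-7777}"
}

# demo_config: constructed sample resembling Ubuntu's stock sshd_config,
# where defaults are shown commented out. Prints the path of a temp file.
demo_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# This is the sshd server system-wide configuration file.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#PermitRootLogin prohibit-password
#MaxAuthTries 6
PasswordAuthentication yes
EOF
    printf '%s\n' "$f"
}

# Demonstration on a throwaway copy.
cfg=$(demo_config)
harden_sshd_config "$cfg" 7777
set_sshd_option "$cfg" MaxAuthTries 3   # fewer password guesses per connection
echo "Port=$(sshd_option "$cfg" Port) PermitRootLogin=$(sshd_option "$cfg" PermitRootLogin) MaxAuthTries=$(sshd_option "$cfg" MaxAuthTries)"
rm -f "$cfg"
```

On a real host, confirm the result with sudo sshd -T (which prints the effective configuration) rather than by reading the file: Ubuntu's stock sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf, and because the first occurrence wins, a drop-in file there silently overrides whatever you set lower down in the main file.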

Filter traffic to your SSH server

Whenever possible, filter traffic to the SSH port with a network or host-based firewall so that only known addresses can reach it. Restricting access to the campus VPN subnet or to a management IP range is a good start.

Block all incoming traffic to the SSH port you configured (7777 in the example above):

sudo ufw enable
sudo iptables -I INPUT -p tcp --dport 7777 -j DROP

Now allow your internal IP range, which should be the only one with access to the SSH port. Because -I inserts at the top of the INPUT chain, this ACCEPT rule lands above the DROP rule and is evaluated first:

sudo iptables -I INPUT -p tcp --dport 7777 -m iprange --src-range 192.1.0.1-192.1.0.25 -j ACCEPT

Two caveats. Do this from a console or out-of-band session rather than over SSH, so a typo in the range cannot lock you out. And rules added with iptables directly are lost at reboot, while ufw's default deny-incoming policy (switched on above) persists, so the durable form is the equivalent ufw rule (sudo ufw allow from <your range in CIDR form> to any port 7777 proto tcp) or saving the rules with iptables-persistent.

Install and maintain anti-brute-force tools

There are a number of tools that administrators can use to block and protect against brute-force/dictionary attacks. A few are:

Pam_abl - a PAM module that blacklists hosts and users responsible for repeated failed authentication attempts.

SSHBan - receives data directly from the loggers instead of scanning system logs.

Fail2ban - scans the authentication log and, once an address exceeds a configurable number of failures within a configurable time window, adds a firewall rule that blocks it for a set period. Because the ban is per source IP, other users on the same network are not slowed down. The flip side is that an attacker who stays below the threshold, or spreads attempts across many addresses, is not caught, so tune the window and retry count rather than relying on the defaults.

The procedure for setting up Fail2ban for SSH and for a cloud server such as Nextcloud is described in a separate article.
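To make concrete what Fail2ban does, and what the "excessive number of failed logins" signal from the introduction looks like in practice, here is an added example that is not from the original article and not Fail2ban's own code: a POSIX shell/awk pass over sshd log lines that applies the same "maxretry failures within findtime" rule and emits the firewall commands a ban would add. The function names, the window and threshold values, the port 7777, and the log lines (using the documentation addresses 203.0.113.7, 192.0.2.10 and 198.51.100.9) are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article and not Fail2ban's own code:
# a minimal Fail2ban-style pass over sshd log lines. It counts failed logins
# per source address inside a sliding time window and emits the firewall
# commands that would drop each offender on the SSH port. Nothing is applied
# unless you pipe the output into sh yourself. Assumptions: POSIX sh and awk;
# syslog-style lines as Ubuntu's sshd writes them to /var/log/auth.log. The
# sample log is constructed and uses documentation address ranges.

# find_brute_forcers LOGFILE WINDOW_SECONDS MAXFAIL
# Prints each source IP the first time it reaches MAXFAIL failed logins within
# WINDOW_SECONDS (Fail2ban's maxretry / findtime). Lines must be in time order.
find_brute_forcers() {
    awk -v window="$2" -v maxfail="$3" '
        BEGIN {
            n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= n; i++) mon[m[i]] = i
        }
        /sshd\[[0-9]+\]: Failed (password|publickey) for / {
            # syslog stamp has no year: $1=Mon $2=Day $3=HH:MM:SS
            split($3, t, ":")
            now = ((mon[$1] * 31 + $2) * 86400) + t[1] * 3600 + t[2] * 60 + t[3]
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "") next
            cnt[ip]++; ts[ip, cnt[ip]] = now
            # forget failures that have aged out of the window
            while (head[ip] < cnt[ip] && ts[ip, head[ip] + 1] < now - window) head[ip]++
            if (cnt[ip] - head[ip] >= maxfail && !(ip in banned)) { banned[ip] = 1; print ip }
        }
    ' "$1"
}

# ban_commands PORT   (reads one IP per line on stdin)
# Emits a DROP rule per address, using ip6tables for IPv6 sources.
ban_commands() {
    while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        case $ip in
            *:*) tool=ip6tables ;;
            *)   tool=iptables ;;
        esac
        printf '%s -I INPUT -p tcp --dport %s -s %s -j DROP\n' "$tool" "$1" "$ip"
    done
}

# sample_authlog: constructed lines with one fast attacker (203.0.113.7), one
# legitimate user who mistypes once (192.0.2.10) and one "low and slow"
# attacker (198.51.100.9) that tries once every ten minutes.
sample_authlog() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Dec  4 10:15:01 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Dec  4 10:15:03 web1 sshd[2233]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Dec  4 10:15:04 web1 sshd[2235]: Failed password for root from 203.0.113.7 port 51246 ssh2
Dec  4 10:15:06 web1 sshd[2237]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
Dec  4 10:15:09 web1 sshd[2239]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2
Dec  4 10:15:12 web1 sshd[2241]: Failed password for deploy from 192.0.2.10 port 40030 ssh2
Dec  4 10:15:14 web1 sshd[2243]: Failed password for invalid user ubuntu from 203.0.113.7 port 51260 ssh2
Dec  4 11:40:00 web1 sshd[2301]: Failed password for invalid user pi from 198.51.100.9 port 60001 ssh2
Dec  4 11:50:00 web1 sshd[2303]: Failed password for invalid user pi from 198.51.100.9 port 60002 ssh2
Dec  4 12:00:00 web1 sshd[2305]: Failed password for invalid user pi from 198.51.100.9 port 60003 ssh2
Dec  4 12:10:00 web1 sshd[2307]: Failed password for invalid user pi from 198.51.100.9 port 60004 ssh2
Dec  4 12:20:00 web1 sshd[2309]: Failed password for invalid user pi from 198.51.100.9 port 60005 ssh2
EOF
    printf '%s\n' "$f"
}

log=$(sample_authlog)
echo "# 10-minute window, 5 failures: only the fast attacker is caught"
find_brute_forcers "$log" 600 5 | ban_commands 7777
echo "# 60-minute window, 5 failures: the slow attacker is caught too"
find_brute_forcers "$log" 3600 5 | ban_commands 7777
rm -f "$log"
```

The two runs at the end show the caveat from the paragraph above: with a ten-minute window the attacker at 198.51.100.9 never trips the threshold, and only a wider window (Fail2ban's findtime) catches it. A real deployment also keeps persistent state and lifts the ban after bantime; this script does neither, which is why Fail2ban is the tool to install rather than a script like this.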


Enforce strong passwords

A strong password greatly raises the cost of an SSH brute-force/dictionary attack; a password that appears in a wordlist falls in minutes regardless of every other measure here. Please refer to Computing Services Password Requirements and Guidelines for Password Management for more information on how to select and manage a strong password. Where you can, go one step further and turn password logins off entirely (PasswordAuthentication no in sshd_config) in favour of SSH keys, which leaves a dictionary attack with nothing to guess.

Limit connection rates

Rate-limit new TCP connections (SYN packets) to the SSH port at the firewall. A legitimate user opens one session at a time and is never affected, while a bot that opens dozens of connections a minute is throttled or dropped before sshd ever sees it. On Ubuntu the simplest form is ufw's limit rule (sudo ufw limit 7777/tcp), which denies an address that attempts six or more connections within 30 seconds; with raw iptables the recent or hashlimit match on packets in state NEW does the same job. Pair this with a low MaxAuthTries in sshd_config so that each connection that does get through yields only a few password guesses.
