0

I am having a lot of failed ssh authentication requests for the past two days, from various service providers. It seems somebody is intent on breaking into my computer.

I am using Ubuntu on a Dell laptop, I need to have sshd running for work purposes, so shutting it off is not an option.

I blocked all the ips off for the moment, and crippled the attack. What is the best response to such a situation?

Pratyush Rathore
  • 103
  • 3
  • I believe you are using public IP right? – arif Jun 20 '17 at 05:06
  • No. I don't have a permanent IP address. The address changes randomly when I change my network. (I hope, I am getting your question correctly) This is puzzling. How do people figure out my local ip-address to ssh? – Pratyush Rathore Jun 20 '17 at 05:17
  • Sorry, I was wrong. I just googled the public ip address thing. You are right. My public IP address is the same as the IP address of my router. Why is it important? – Pratyush Rathore Jun 20 '17 at 05:18
  • 1
    Possible duplicate of [Am I experiencing a brute force attack?](https://security.stackexchange.com/questions/110706/am-i-experiencing-a-brute-force-attack) and [How to respond to a SSH brute force attack on a single VPS?](https://security.stackexchange.com/questions/146899/how-to-respond-to-a-ssh-brute-force-attack-on-a-single-vps). – Steffen Ullrich Jun 20 '17 at 05:20
  • You can access public IP address from any PC like google.com. But private IP's aren't accessible from any place because that IP is translated through a router(NAT). You can't ping my ip from your computer because there is no route to this computer from yours. Usually, webserver's IP address's are public IP address, so that anybody can reach to it. – arif Jun 20 '17 at 05:26
  • Okay, I understand it now. I forward the packets on ssh port to my laptop from my router. So, I guess, that makes my laptop one with public ip. – Pratyush Rathore Jun 20 '17 at 05:31

1 Answers1

1

It's very common among public servers or a host. I'm going to assume that your host is a server which is using Public IP i.e can be accessible from anywhere. Here is some precaution:

  1. Change default port: The ideal idea for this kind of situation is to move default port (22) into higher port. You can do that by changing the configuration file located at '/etc/ssh/sshd_config' as following,

    $ vi /etc/ssh/ssh

    And make the following change,

    # Port 22
Port 23415

  2. Define specific IP: You always can define specific IP of the host from which you usually ssh to your laptop and drop all other requests with IPTABLES with the following commands [here I am assuming you are using port 23415 in place of 22],

    Drop IP's trying to connect in port 22

    sudo iptables -A INPUT -p tcp --dport 22 -j DROP

    Whitelisting IP's: You can add multiple IP.

    sudo iptables -A INPUT -p tcp -s YOUR.IP.HERE --dport 23415 -j ACCEPT
sudo iptables -A INPUT -p tcp -s YOUR.Another.IP.HERE --dport 23415 -j ACCEPT

    Drop Other IP's request:

    sudo iptables -A INPUT -p tcp --dport 23415 -j DROP

    Save new rules:

    sudo iptables-save

  3. Using SSH securing app: There are plenty of SSH securing app available like Fail2ban, Denyhost, Sshguard etc.

arif
  • 1,088
  • 13
  • 24