How to stop/prevent SSH bruteforce

Question

I'm very new to network administration, so please regard that I'm not that experienced yet.

I have a Ubuntu root server with plesk panel.

Yesterday my friends and I noticed that the quality of speech on our TS3 got very bad. I sent some pings to the server and there was a very high packet loss. After that i googled a bit and found out that there is a auth.log. I downloaded it and scrolled a bit around, then I found this:

May 13 10:01:27 rs204941 sshd[9351]: input_userauth_request: invalid user student [preauth]
May 13 10:01:27 rs204941 sshd[9351]: pam_unix(sshd:auth): check pass; user unknown
May 13 10:01:27 rs204941 sshd[9351]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.220.198.102 
May 13 10:01:29 rs204941 sshd[9351]: Failed password for invalid user student from 112.220.198.102 port 39806 ssh2
May 13 10:01:29 rs204941 sshd[9351]: Received disconnect from 112.220.198.102: 11: Bye Bye [preauth]
May 13 10:01:31 rs204941 sshd[9353]: Invalid user student from 112.220.198.102

It seems like someone tried to log in over SSH many times. I scrolled a bit around, and saw, that this someone tries to use many different usernames: student, tech, psi, news,...

Hundreds of these logins were displayed in the file.

I looked up the traffic statistics at the website of my datacenter. It was only at 17MB per hour. I have a 100Mbit Backbone, so the data transfer itself seems not to be the problem.

At the moment i cannot get acces to the server in any way.

My Question is: how can i get acces again, how can i surpress this attack and prevent following attacks?

Answer 1

How to gain access?

It's not clear why you can't access your account.

If your machine is under attack or high load, you should talk to your provider about restricting access (IP Restrictions) or taking the server offline (disconnect from the Internet).

You might also require out of band access which your provider may be able to help with.

If somebody has compromised your server you may need to restore from backups or use a recovery image.

How to prevent attacks on your server, in particular SSH

best way to prevent brute force logons?

Don't let them get to your machine in the first place! There are plenty of ways to stop brute force attempts before they get to your host, or even at the SSH level.

Having said that, protecting your Operating System with something like fail2ban is a great idea. http://en.wikipedia.org/wiki/Fail2ban

Fail2ban is similar to DenyHosts ... but unlike DenyHosts which focuses on SSH, fail2ban can be configured to monitor any service that writes login attempts to a log file, and instead of using /etc/hosts.deny only to block IP addresses/hosts, fail2ban can use Netfilter/iptables and TCP Wrappers /etc/hosts.deny.

There are a number of important security techniques you should consider to help prevent brute force logins:

SSH:

• Don't allow root to login
• Don't allow ssh passwords (use private key authentication)
• Don't listen on every interface
• Create a network interface for SSH (e.g eth1), which is different to the interface you serve requests from (e.g eth0)
• Don't use common usernames
• Use an allow list, and only allow users that require SSH Access
• If you require Internet Access...Restrict Access to a finite set of IPs. One static IP is ideal, however locking it down to x.x.0.0/16 is better than 0.0.0.0/0
• If possible find a way to connect without Internet Access, that way you can deny all internet traffic for SSH (e.g with AWS you can get a direct connection that bypasses the Internet, it's called Direct Connect)
• Use software like fail2ban to catch any brute force attacks
• Make sure OS is always up to date, in particular security and ssh packages

Application:

• Make sure your application is always up to date, in particular security packages
• Lock down your application 'admin' pages. Many of the advice above applies to the admin area of your application too.
• Password Protect your admin area, something like htpasswd for web console will project any underlying application vulnerabilities and create an extra barrier to entry
• Lock down file permissions. 'Upload folders' are notorious for being entry points of all sorts of nasty stuff.
• Consider putting your application behind a private network, and only exposing your front-end load balancer and a jumpbox (this is a typical setup in AWS using VPCs)

Answer 2

how can i surpress this attack and prevent following attacks

Usually i change the default ssh port from 22 to another like 1122. This prevent many automatic attacks from bot, but a simple port scan can detect it. Anyway:

vi /etc/ssh/sshd_config

and edit Port 22 to Port 1122, but this is not enough.

Automatic IPTables rules on bruteforce

i use log2iptables https://github.com/theMiddleBlue/log2iptables instead Fail2ban, because is a simple Bash script that parse any logfile with a regular expression and execute iptables. For example when 5 matches occur, log2iptables drop the specific ip address. It's cool because use Telegram API and can send me a message on my phone when he find a problem :)

hope this will help!

Answer 3

I've just put this together, run every 15 mins as a cronjob etc:

for z in `grep Invalid /var/log/auth.log | awk '{ print $NF }' | sort | uniq`
do
  count1=`grep $z /etc/hosts.deny | wc -l`
  count2=`grep Invalid /var/log/auth.log | grep $z | wc -l`
  if [ $count1 -eq 0 -a $count2 -gt 10 ] ; then
    current=`egrep "^ssh" /etc/hosts.deny | sed 's/sshd[ :,]*//'`
    sudo cp /etc/hosts.deny.bak /etc/hosts.deny
    sudo chmod 666 /etc/hosts.deny
    if [ $current ] ; then
      echo "sshd : $current , $z" >> /etc/hosts.deny
    else
      echo "sshd : $z" >> /etc/hosts.deny
    fi
    sudo chmod 644 /etc/hosts.deny
  fi
done

Answer 4

Automated Solution for Centos/RHEL to Block Bad Actors

Here's a script for Centos to check ssh failed logins for both invalid user accounts and bad passwords for valid accounts. If the source IP has hit us more than 3 times and is not already on the deny list, it gets added to the deny list. I run this every 15 minutes from root's crontab. I've also disallowed root logins via ssh, so the combination keeps things fairly quiet.

     #/bin/bash
     # Save a copy of the existing hosts.deny file for safety
     cp /etc/hosts.deny /etc/hosts.deny.bak
     # Get a list of the offending IP addresses and process them
     for z in `grep "Invalid\|Failed" /var/log/secure | awk '{ print $NF }' | sort | uniq`
     do
     # Get the number of times this IP hit us
     hits=`grep "Invalid\|Failed" /var/log/secure* | grep $z | wc -l`
     # Check whether this IP is already blocked
     blocked=`grep $z /etc/hosts.deny | wc -l`
     # If they hit us more than 3 times and are not already on the deny list
     # add them to the deny list
     if [ $hits -gt 3 -a $blocked -eq 0 ]
     then
          echo "sshd : $z" >> /etc/hosts.deny
     fi
     done

Answer 5

This is my alternative solution for SSH attacks. The idea is keep closing SSH daemon if not use. No open port no attack. You can try it. It is open source https://github.com/indy99/nnet_port_guard