I'm getting regular attempts to brute force ssh on an x86 Solaris 11.1 server. On Linux I use DenyHosts to block connections after a number of incorrect login attempts. Is there a similar package for Solaris 11.1, or any recommendations on other alternative ways to prevent brute force of ssh?
3 Answers
Any recommendations on other alternative ways to prevent brute force of ssh?
Change the port SSH runs on. Brute force attempts are largely done against port 22.
$ sudo grep ^Port /etc/ssh/sshd_config
Port 10022
Limit the users that are allowed to connect, for example:
$ sudo grep ^AllowUsers /etc/ssh/sshd_config
AllowUsers dannix
AllowUsers gene@192.168.3.*
AllowUsers bill@172.16.0.100
Disable root login:
$ sudo grep ^PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin no
Use public key authentication rather than passwords.
Disable password based authentication (only do this if you use public key authentication):
$ sudo grep ^PasswordAuthentication /etc/ssh/sshd_config
PasswordAuthentication no
Additionally, you can use firewall rules to restrict what remote hosts can access SSH on your system.
The solution suggested by Gene requires that you know who's going to connect from where. If that fits your need then you should go with that. It is simple. No matter what, you should always disable root logins in your SSH daemon. (On Solaris 11 onwards, logging into the box from outside as root wouldn't be possible anyway (because root has become a role, not a user), so putting that restriction into the SSH daemon's config doesn't really change anything - but still I recommend it.)
If you are already familiar with DenyHosts why not also use it on Solaris?
Anyway, another solution (for Solaris) is detailed here. It stops brute force attacks by maintaining a "blacklist" in the background. If the same IP sends X number of connect attempts within Y number of seconds then it is put on a blacklist and the IP is not allowed further attempts. Typically you would want a curfew of, say, 1 hour, after which such blacklisting for a particular IP is removed. The nice thing about the solution in the link is that it doesn't require any additional software. It's really just a script that gets executed for every SSH connect attempt, and on Solaris 11 it is very non-intrusive as you don't have to change any system setup, install additional packages or anything like that.
This is Solaris 11.1, with a root user.... I did look at DenyHosts but the Solaris comment is a bit vague on versions. Just, yes, it's reported to work on Solaris. Though that link looks interesting too. While I've changed the port etc., it wouldn't hurt to add another layer, so much appreciated – dannix Oct 18 '14 at 17:05
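The blacklisting scheme described in the second answer (the same IP making X failed attempts within Y seconds gets blocked, and is released again after a curfew), worked through as an added example. This is not the script behind the link and not code from any poster; it is Python run over constructed sshd log lines, and the thresholds (3 failures in 60 seconds, 1 hour curfew) are assumptions. On a real host the returned addresses would be pushed into ipf rules rather than only collected.

```python
import re
from collections import defaultdict, deque

# Constructed sample sshd log lines (not taken from the original post).
SAMPLE_LOG = """\
Oct 18 17:00:01 host sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Oct 18 17:00:03 host sshd[1235]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Oct 18 17:00:05 host sshd[1236]: Failed password for root from 198.51.100.7 port 40003 ssh2
Oct 18 17:00:06 host sshd[1237]: Accepted publickey for dannix from 192.168.3.10 port 50000 ssh2
Oct 18 17:00:09 host sshd[1238]: Failed password for invalid user test from 203.0.113.5 port 41000 ssh2
Oct 18 17:59:00 host sshd[1239]: Failed password for invalid user test from 203.0.113.5 port 41001 ssh2
"""

# Matches the failed-login lines only; groups 3-5 are hh:mm:ss, group 6 is the source IP.
FAILED_RE = re.compile(
    r"^(\w{3}) +(\d+) (\d\d):(\d\d):(\d\d) \S+ sshd\[\d+\]: Failed \S+ for .* from (\S+) port")

class Blacklist:
    def __init__(self, max_attempts, window, curfew):
        self.max_attempts, self.window, self.curfew = max_attempts, window, curfew
        self.attempts = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked = {}                   # ip -> time at which the block expires

    def is_blocked(self, ip, now):
        expires = self.blocked.get(ip)
        if expires is None:
            return False
        if now >= expires:      # curfew is over: release the IP again
            del self.blocked[ip]
            return False
        return True

    def record_failure(self, ip, now):
        """Count one failure; return True if it pushes ip onto the blacklist."""
        q = self.attempts[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            self.blocked[ip] = now + self.curfew
            q.clear()
            return True
        return False

def process_log(text, max_attempts=3, window=60, curfew=3600):
    """Run the log through the blacklist; return ([(ip, block_time), ...], blacklist).
    Timestamps are seconds since midnight (assumes all lines fall on one day)."""
    bl, events = Blacklist(max_attempts, window, curfew), []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        now = int(m[3]) * 3600 + int(m[4]) * 60 + int(m[5])
        ip = m[6]
        if bl.is_blocked(ip, now):
            continue                 # already on the list, nothing more to do
        if bl.record_failure(ip, now):
            events.append((ip, now))
    return events, bl
```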
In this case you can play with MaxStartups and LoginGraceTime in SunOS sshd_config. But it is best to block those attempts even before they reach sshd, with Solaris ipf.
Here you can find a pretty often updated list of IPs to block: OpenBL. I see attempts very rarely in logs, just using this blacklist.
Then you can assemble a cron job script to update FW rules, or optionally there's a hosts.deny formatted file available.