
I currently have 3 servers whose SSH service is being attacked by brute force. The attack is from multiple sources, or from one attacker who changes his IP with each attempt.

I need help to stop current attacks and protect/prevent from future ones.

I've already set up fail2ban on one machine after (quickly) following this guide: How to protect SSH with Fail2Ban on Ubuntu 14.04, but I haven't seen any improvement by doing so.

Please, I really need help on this, as there are sensitive services running on every machine which cannot go down, and these attacks are eating up the machines' resources.

Thanks in advance, best regards.

P.S.: I know there are several questions/answers on this topic, but I couldn't find any suitable answer to help me...

  • Possible duplicate of [Preventing brute force attacks against ssh?](http://serverfault.com/questions/4188/preventing-brute-force-attacks-against-ssh) – Tero Kilkanen Jun 20 '16 at 12:44
  • Is /var/log/fail2ban.log showing any actions? The default configuration should already be banning IPs that fail multiple ssh connections in a short period of time but will get unbanned after 10 minutes so some chatter about failed ssh connections in your auth.log is still fine. If you are using key authentication you can also disable password authentication in sshd completely. This will effectively stop people from bruteforcing the password. – ZaphodB Jun 20 '16 at 17:48
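The checks that ZaphodB's comment suggests, written out as an added example (this is not code from the thread). It assumes the Debian/Ubuntu paths /var/log/fail2ban.log, /etc/fail2ban/jail.local and /etc/ssh/sshd_config; the jail values (3 attempts in 10 minutes, ban for an hour) are my choices, not fail2ban's defaults, and the sample log lines used in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check what fail2ban is doing, give
# the sshd jail a longer ban, and turn off password logins in sshd.
# Paths are Debian/Ubuntu defaults; the jail values are my choices, not
# fail2ban's defaults (bantime 600 s, maxretry 5 on 0.9.x).

# How many Ban / Unban actions fail2ban has logged. A steady stream of
# bans that are all undone ten minutes later is the default behaviour,
# not a sign that the jail is broken.
fail2ban_action_counts() {
    log="${1:-/var/log/fail2ban.log}"
    bans=$(grep -c ' Ban ' "$log" || true)
    unbans=$(grep -c ' Unban ' "$log" || true)
    echo "bans=$bans unbans=$unbans"
}

# jail.local overrides jail.conf; values are in seconds so they work on
# fail2ban 0.9.x (Ubuntu 14.04/16.04) as well as newer releases.
render_jail_local() {
    cat <<'EOF'
[sshd]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3
findtime = 600
bantime  = 3600
EOF
}

# Set "key value" in an sshd_config: replace any existing or commented-out
# line for that key, otherwise append it.
set_sshd_option() {
    conf="$1"; key="$2"; value="$3"
    if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$conf"; then
        sed -i -E "s|^[#[:space:]]*$key[[:space:]].*|$key $value|" "$conf"
    else
        printf '%s %s\n' "$key" "$value" >> "$conf"
    fi
}

# Only do this after confirming key-based login works from a second
# session: with these settings a lost key means a lost server.
disable_password_auth() {
    conf="${1:-/etc/ssh/sshd_config}"
    set_sshd_option "$conf" PubkeyAuthentication yes
    set_sshd_option "$conf" PasswordAuthentication no
    set_sshd_option "$conf" ChallengeResponseAuthentication no
}

# Demo on a scratch copy (constructed input) so running this file as-is
# changes nothing live.
demo_dir=$(mktemp -d)
printf '#PasswordAuthentication yes\nPort 22\n' > "$demo_dir/sshd_config"
disable_password_auth "$demo_dir/sshd_config"
cat "$demo_dir/sshd_config"
render_jail_local
rm -rf "$demo_dir"
```

To apply for real: `render_jail_local | sudo tee /etc/fail2ban/jail.local`, then `sudo fail2ban-client reload`; `sudo sshd -t` after `disable_password_auth /etc/ssh/sshd_config`, and only then `service ssh restart`, keeping the session you are in open until a fresh key-based login succeeds. Run `fail2ban_action_counts` before and after to see whether the jail is actually banning anything; if the count is zero while auth.log is full of failures, the jail is not reading the right log.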

2 Answers


You can change the SSH port to a non-standard one, and then drop all packets coming to SSH port 22. This way the attacker's connection attempts all time out, which makes them spend more time on each attempt.

If you are using some automatic scripts to connect to your server via SSH, then you need to reconfigure those.

The SSH port is configured in /etc/ssh/sshd_config.

However, if attackers port scan your server, they will find out the new port.

If you don't access the server from everywhere, then allow only the IP addresses from which you use this server, and drop packets from all other IP addresses.

Tero Kilkanen
  • Thanks for your answer. I had thought of blocking all IPs except mine, but mine is not fixed. What do you suggest, using a VPN maybe? – João Cerqueira Jun 20 '16 at 12:53
  • I do not like this solution as it is basically security by obscurity. It will cut down on the chatter but people scanning all ports for ssh daemons will still find it. – ZaphodB Jun 20 '16 at 17:50
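The port move plus source allowlist from the answer above, as an added example that is not part of the answer. Port 2222 and the addresses 203.0.113.10 and 198.51.100.0/24 are placeholders from the documentation ranges; the script only prints the iptables commands so they can be reviewed before being run with root.

```shell
#!/bin/sh
# Added example (not from the answer): move sshd to a non-standard port
# and firewall both ports so only listed sources reach the new one.
# Port 2222 and the source addresses used below are placeholders.

# Rewrite the Port line in an sshd_config (run "sshd -t" afterwards).
# Usage: set_sshd_port CONFIG NEWPORT
set_sshd_port() {
    sed -i -E "s|^[#[:space:]]*Port[[:space:]].*|Port $2|" "$1"
}

# Print the iptables commands; review them, then pipe to "sudo sh".
# Usage: ssh_firewall_rules NEWPORT SRC [SRC...]
# Refuses to run with no sources, because the resulting rules would drop
# your own sessions too (the lockout the asker's dynamic IP makes likely).
ssh_firewall_rules() {
    port="$1"; shift
    if [ $# -eq 0 ]; then
        echo "ssh_firewall_rules: no source addresses given, refusing" >&2
        return 1
    fi
    echo "iptables -N SSH_IN 2>/dev/null || iptables -F SSH_IN"
    # (re)hook both the old and the new port into the SSH_IN chain
    echo "iptables -D INPUT -p tcp -m multiport --dports 22,$port -j SSH_IN 2>/dev/null || true"
    echo "iptables -I INPUT -p tcp -m multiport --dports 22,$port -j SSH_IN"
    # packets belonging to sessions that are already open stay accepted
    echo "iptables -A SSH_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for src in "$@"; do
        echo "iptables -A SSH_IN -p tcp --dport $port -s $src -j ACCEPT"
    done
    # Everything else to 22 or the new port is dropped, not rejected:
    # no RST means every probe has to sit through its own timeout.
    echo "iptables -A SSH_IN -j DROP"
}

# Demo with placeholder values: prints the rules, applies nothing.
ssh_firewall_rules 2222 203.0.113.10 198.51.100.0/24
```

Order of operations matters: change the port with `set_sshd_port /etc/ssh/sshd_config 2222`, check it with `sshd -t`, restart sshd and log in on the new port from a second terminal before applying the firewall rules from the first one. Apply the rules with a safety net, for example `echo 'iptables -F SSH_IN' | sudo at now + 10 minutes` and cancel the job with `atrm` once the new port works. If fail2ban stays in use, its sshd jail has `port = ssh` (22) and must be pointed at the new port too.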

Visit my website and check this tutorial. No, I will not paste my tutorial here, because it is total nonsense. In the tutorial I explain how to block over 260 thousand bad IP addresses.

Sysadmin - Administration, security and hardening of Linux - Using blocklist with iptables and firewalld

Additionally this tutorial: fail2ban – installation and configuration

One more worth reading explains how to use Cloudflare and how to generate RSA keys for SSH. I totally disabled password login in sshd_config.

SSH RSA

Sysadmin
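An added example of loading a large blocklist of the kind the answer above refers to; it is not the linked tutorial's code (that method is not on this page) and not part of the answer. It uses ipset, which is my choice: one iptables rule per address does not scale to a few hundred thousand entries, and a set can be swapped atomically when the list is refreshed. The set name badips and the sample list are constructed.

```shell
#!/bin/sh
# Added example (not from the answer or the linked tutorial): load an IP
# blocklist into an ipset and drop everything from it with one iptables
# rule. ipset is my choice here; the tutorial's own method is not shown.

# Print the ipset/iptables commands for LISTFILE; review, then pipe to
# "sudo sh". Blank lines and "#" comments are ignored; entries that are
# not a valid IPv4 address or CIDR range are skipped.
# Usage: blocklist_rules LISTFILE [SETNAME]
blocklist_rules() {
    list="$1"; setname="${2:-badips}"
    # hash:net defaults to 65536 entries, far too small for 260k addresses
    echo "ipset create $setname hash:net maxelem 1048576 -exist"
    echo "ipset create ${setname}_new hash:net maxelem 1048576 -exist"
    echo "ipset flush ${setname}_new"
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$list" \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
      | awk -F'[./]' '$1<256 && $2<256 && $3<256 && $4<256 && (NF==4 || $5<=32)' \
      | sort -u \
      | sed "s|^|ipset add ${setname}_new |"
    # swap so the live set is replaced in one step, then drop the staging set
    echo "ipset swap ${setname}_new $setname"
    echo "ipset destroy ${setname}_new"
    # -C tests whether the rule is already there, so it is added only once
    echo "iptables -C INPUT -m set --match-set $setname src -j DROP 2>/dev/null" \
         "|| iptables -I INPUT -m set --match-set $setname src -j DROP"
}

# Constructed sample list so the file runs as-is (documentation addresses)
demo=$(mktemp)
cat > "$demo" <<'EOF'
# two offenders and one range
198.51.100.7
203.0.113.0/24   # trailing comment
999.1.1.1        # invalid, skipped
EOF
blocklist_rules "$demo" badips
rm -f "$demo"
```

Run it once by hand, then from cron after each blocklist download; because the live set is only ever swapped, the DROP rule keeps working while the new list is being loaded. Check your own addresses and any monitoring hosts against the list first: a public blocklist that happens to contain your ISP's range locks you out just as effectively as the firewall allowlist in the other answer.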