
Brute force ssh login attacks have slowed down my servers. I have already blocked ssh from foreign IPs except my internal network (iptables -A INPUT -p tcp --dport 22 -j DROP), but load has gone up to 20. What should I do?

  • Please edit your question and post a selection of your sshd log. – EEAA Aug 14 '16 at 16:17
  • This has been discussed here http://security.stackexchange.com/questions/110706/am-i-experiencing-a-brute-force-attack – user2320464 Aug 14 '16 at 17:03
  • The output of `top` would likely be helpful. I find it hard to believe that ssh brute force is pushing load to 20... Otherwise post the full output of `iptables -L`. Your rules may be in the wrong order. – Daniel Widrick Aug 19 '16 at 02:46

2 Answers


You have not demonstrated that an attack on sshd is causing the problem. If you have correctly blocked port 22 then this should not be happening.

However, if (as it appears) you do not need to connect via ssh from the wider internet, you can simply stop sshd from listening on the external address. Edit sshd_config and change the Listen directive

ListenAddress <internal ip address>

then restart sshd.

If your load remains high then your problem lies elsewhere.

user9517

Your question is very short on details, which will make any answer involve some guessing. I have however in the past seen similar symptoms and was able to resolve them.

What I did to resolve the problems on servers that I administrate was to disable password authentication entirely with this line in /etc/ssh/sshd_config:

PasswordAuthentication no

Before making this change you of course have to ensure that legitimate logins are already using public key authentication, otherwise that line would lock out some legitimate users. There are several different reasons why public key authentication is more secure than password authentication, and if configured correctly it will also be more convenient for the users.

Once password authentication was disabled, the amount of resources spent on attackers trying to guess passwords dropped dramatically. I still saw loads of connection attempts, but never any significant resource consumption.

Another line I find useful to have in /etc/ssh/sshd_config is this:

UseDNS no

Disabling DNS lookups in sshd prevents connections from stalling whenever there is a DNS problem on the recursor used by the server or on the authoritative servers holding information about the client. It also gets rid of the POSSIBLE BREAK-IN ATTEMPT messages in the logfiles, which are more confusing than helpful since they are produced by a heuristic that does not accurately identify actual break-in attempts.

kasperd
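An added example (not from either answer above) that audits an sshd_config for the settings the two answers recommend, `ListenAddress`, `PasswordAuthentication no` and `UseDNS no`, the way sshd itself reads them: keywords are case-insensitive, the first occurrence of a keyword wins, and lines inside a `Match` block do not change the global value. The two config samples are constructed for the demonstration, not taken from any real host.

```shell
#!/bin/sh
# Two constructed sshd_config samples (not from any real host). The hardened one
# carries the recommended lines; the weak one appends "PasswordAuthentication no"
# below an existing "yes", which sshd silently ignores (first occurrence wins).
HARDENED_CONFIG='# constructed sample
ListenAddress 10.0.0.5
PasswordAuthentication no
UseDNS no
Match User backup
    PasswordAuthentication yes
'
WEAK_CONFIG='# constructed sample
PasswordAuthentication yes
UseDNS yes
PasswordAuthentication no
'

# sshd_effective KEY CONFIG_TEXT -> prints the global value sshd will use.
# Keywords are case-insensitive and the FIRST occurrence wins; lines inside a
# Match block are skipped because they apply only to matched sessions.
# (Only the "Key value" spelling is parsed here, not "Key=value".)
sshd_effective() {
    printf '%s\n' "$2" | awk -v key="$1" '
        BEGIN { key = tolower(key) }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { inmatch = 1; next }
        inmatch                { next }
        tolower($1) == key     { print tolower($2); exit }
    '
}

# audit_sshd CONFIG_TEXT -> one PASS/FAIL/WARN line per check; returns 0 only if
# both hardening keywords are explicitly set. Absent keywords count as FAIL because
# defaults are version-dependent (UseDNS only became "no" by default in OpenSSH 6.8).
audit_sshd() {
    rc=0
    for check in "PasswordAuthentication:no" "UseDNS:no"; do
        key=${check%%:*}; want=${check#*:}
        got=$(sshd_effective "$key" "$1")
        if [ "$got" = "$want" ]; then echo "PASS $key $got"
        else echo "FAIL $key ${got:-unset} (want $want)"; rc=1; fi
    done
    if [ -n "$(sshd_effective ListenAddress "$1")" ]; then echo "PASS ListenAddress restricted"
    else echo "WARN ListenAddress unset: sshd listens on all interfaces"; fi
    return $rc
}

if audit_sshd "$HARDENED_CONFIG"; then echo "hardened sample: OK"; fi
if ! audit_sshd "$WEAK_CONFIG"; then echo "weak sample: needs changes"; fi
```

To audit a live host, pass the file contents instead of a sample, e.g. `audit_sshd "$(cat /etc/ssh/sshd_config)"`; `sshd -T` prints the fully resolved configuration if you want to cross-check the parser.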