Hi all.
When I was setting up my server while back I have noticed 100’s of entries in my:
/var/log/auth.log
about failed log in attempts from various IP’s with various logins. I wondered what it was until I saw this:
Conclusions? There is at least one (wishful thinking…) bot out there which will scan the entire range of IP’s for opened port 22 and will use some brute-force tool trying to crack it. Now that’s not a very positive conclusion for all the SSH users…
What can be done about this? There are 3 thing You can do.
A) Forbid the root’s log in – that’s a default option in PCLinuxOS.
B) Install fail2ban via synaptic
C) Change the SSH port from 22 to something above the 10100
I use all of them.
Forbidding the root’s log in is a must. Root is the only 100% sure login on every Linux based system. Attacker don’t have to guess it. It’s there for sure. Now all he has to do is to guess the password. Blocking root’s log in will make him to guess Your user login and password. This is more difficult for them and that’s the whole point.
PCLinuxOS uses interesting settings in its config files. If You look at the file:
/etc/ssh/denyusers
You will see that it contains a word root.
This setting is blocking all the attempts of root log in to Your SSH server and yet allows You to use su command for Your convenience. Why? Even if attacker knows root password he will not be able to log in. However user who is logged into the system via SSH can raise its privileges using su command. This is secured and comfortable in the same time. Sometimes root’s privileges are necessary so PCLinuxOS does allows You to gain root and yet You have to log in as user and know the root’s password to gain full control over the machine.
Another method – Fail2ban – (You will find it in our repositories) will add a firewall rule to block all the attempts of connecting to the SSH port for a machine that unsuccessfully tried to log in X amount of times in Y time period. Example – xxx.yyy.zzz.uuu machine tried to log in with logins jack, ann, mark 3 times in 20 minutes period so it got banned for an hour.
You can set X and Y in the fail2ban config file:
/etc/fail2ban/jail.conf
and if You have local e-mail server configured – fail2ban will send You a message with notifications about new events.
Fail2ban will protect not only SSH but also FTP, SFTP, and other protocols that are using authentication. Very cool tool.
Another thing that You can do is to change the port of the SSH server. Here is how its done.
Changing Port For SSH Server Video
Why changing the port and why above 10100? Default port for SSH is 22. All the script kiddies aka skiddies will use that port in their bots. Even if script kiddie is smart and will scan Your IP with port scanner like nmap – by default he will scan first 10000 ports only. Setting up SSH above that will cause the port scanner to find ZIP, ZERO, NADA, BIG BOBKAS. Even if skiddy is smarter then that and he will scan all the 65k ports the open port will be shown as unknown service. He would have to add few more switches to the nmap to find out that its a SSH server. Skiddies are mostly lazy and they are going after the easy prey. Making it just that little bit more difficult can be a blessing for Your security.
So far those three steps are what I have learned about securing SSH server. Maybe in the future if I will learn something new I will add it in a new post.
Remember that even the weakest protection is better then no protection at all.
Regards.
Andy
