Tutorial How to Prevent SSH attack

Discussion in 'Linux' started by shek, Jul 15, 2013.

  1. shek

    shek Active Member

    Did you ever wondered, how many sites are hosted on linux? No? Then let me make you aware, that more than 70% of websites you see on internet are hosted on linux! Even google.com is hosted on Linux. You must be wondering, why am I talking about linux? The reason is simple, only sites hosted on linux can be attacked using ssh (secure shell) attack. In SSH attack, most common type of attack is SSH brute force attack. In this type of attack hacker/attackers tries to break your ssh password using all possible combinations (read about brute force from wikipedia for more detail on brute force). When you see SSH login logs, you will notice there are numerous failed login attempts.

    SSH attack involves scanning ip ranges for default SSH port, 22, and trying to login to a machine which has open or insecure port, using predetermined list of commonly used usernames and passwords. If hacker can crack into ssh, then he can elevate himself to root! So, it is really important to prevent SSH attack. In this tutorial, I'll share most common and effective measures you need to take to prevent this type of attack.
    • Disable SSH: Some Linux distro's by default has sshd enabled by default. You have disable them, whenever it is not required.
    • Run SSH on Different Port: By default ssh is access though port 22. So, you need to change default listening port to some other port. To edit default port, go to /etc/ssh/sshd_config and edit line which has "Port 22".
    • Single & Secure point of entry for SSH: Many webmasters open multiple firewall ports to access SSH. I would say please stop doing it. Create single point entry, which is secure, and whenever you need to access SSH. The service should be internal, that is, service which can access SSH shouldn't be exposed directly to internet.
    • Upgrade SSH version: Use v2 of SSH protocol. Again you have to edit /etc/ssh/sshd_config file. Look for "Protocol 1", change it to "Protocol 2".
    • Restrict Root Logins: You should make sure that through ssh protocol user can't elevate himself to root. In short, disallow root logins via SSH. If you need to perform something which require root permission, use 'su' command.
    • Customize user names: Never use default usernames or easily guessable usernames for login names into SSH.
    • Create Strong Password: You have to make sure, you create strong password for a user. If you don't understand know, how to create strong password then look Creating strong password tutorial series.
    • Block Brute Force Attack: Ban an IP if there are too many unsuccessful login attempts through that IP. You can use Fail2ban (http://www.fail2ban.org/wiki/index.php/Main_Page) tool to block such ips.
    • Update server kernel: If you are using dedicated server as host, then please keep your kernel up to date. It will have many security fixes related ssh and other protocols.
    I hope you will implement the points, I mentioned in this tutorial, to keep hackers away. Please take backup of sshd_config file before editing it. If you edit something which shouldn't be edited then your website will be down, until you fix it!
  2. angie828

    angie828 Contributing Member

    Thanks for this post. Seems easy enough to do.
  3. postcd

    postcd Junior Member

    im preventing this by changing SSH port in /etc/ssh/sshd_config and then restarting ssh service..
    the second thing i do is to setup fail2ban software to monitor /var/log/secure and ban IPs that many times trying to get into server using SSH
    From that time i have no issue with SSH attacks i think.

Share This Page