[SoCoSA/discuss] blocking brute force attacks

Andrew argonaut at gmx.co.uk
Thu Nov 29 10:23:07 PST 2007


Sean wrote on Wed, 28 Nov 2007 23:44:14 -0800:

> I'm new to this group, and I'm hoping to meet other members at
> the next meeting.

The meeting next Tuesday should be interesting. Someone from
DriveSavers will be speaking. See you there.


> My public IP servers periodically get attacked via brute force
> login attempts (FTP and SSH). I've attempted to solve this in
> the past using hosts.deny, but it ended up causing too many
> unwanted positives and was somewhat difficult to unblock an
> IP.

Ah, yes. The script kiddies. Not a serious threat if you've got
good passwords, but annoying nonetheless.

I don't run an FTP server, so I can't help you too much there,
but here are some tips for SSH:

The quickest and easiest thing to do is to "hide" your SSH
server by changing the port that is exposed to the outside
world. I assume your machine(s) are behind a router that does
port forwarding. If the router's port forwarding feature allows
you to forward an external port to a *different* internal port,
then simply change the external port for the SSH service to a
number between 1024 and 65535 (choose something that's easy to
remember). Set that port to map to port 22 on your internal
machine and you're done.

But if your router's port forwarding doesn't give you that much
control -- if it will only allow you to forward an external port
to *the same* internal port -- then you'll need to reconfigure
your ssh daemon to run on a non-standard port. Edit (as root)
your /etc/ssh/sshd_config file and find the line that says
Port 22
Change that port number to something non-standard, then save the
file and restart your ssh daemon by typing this command (as
root):
/etc/init.d/ssh restart
Finally, modify the port forwarding in your router to reflect the
new port.

When you ssh in from the outside, you'll need to specify the new
port on the command line with the -p option like this:
ssh -p 54321 username@example.net

Having your servers (or at least the router) listen on
non-standard ports will thwart almost all script kiddies. But if
you want more protection for your SSH server, have a look at
DenyHosts ( http://denyhosts.sourceforge.net/ ). In a nutshell,
it automates what you've been doing with hosts.deny. It scans
your logfiles looking for suspicious SSH activity and if it finds
anything, it will add the offending IP to your hosts.deny file.
It will even purge stale hosts.deny entries automatically. It's
packaged in Debian ( http://packages.debian.org/etch/denyhosts )
so you can install it easily.

Hope this helps.

A.
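As an added illustration of what DenyHosts automates (my own sketch, not part of the original post and not DenyHosts' code): scan sshd "Failed password" lines from auth.log, count failures per source IP, write dated hosts.deny entries under a marker comment, and purge entries older than a cutoff. The auth.log excerpt, the `# auto-deny` marker, the threshold and the allowlist are constructed assumptions.

```python
import re
from collections import Counter
from datetime import date, timedelta

# Constructed auth.log excerpt: 203.0.113.5 plays a scanner, 198.51.100.7 a user who mistyped once.
SAMPLE_AUTH_LOG = """\
Nov 29 10:01:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Nov 29 10:01:04 host sshd[1235]: Failed password for invalid user oracle from 203.0.113.5 port 40002 ssh2
Nov 29 10:01:06 host sshd[1236]: Failed password for root from 203.0.113.5 port 40003 ssh2
Nov 29 10:02:00 host sshd[1240]: Failed password for andrew from 198.51.100.7 port 50001 ssh2
Nov 29 10:02:10 host sshd[1240]: Accepted password for andrew from 198.51.100.7 port 50001 ssh2
Nov 29 10:03:00 host sshd[1250]: Failed password for invalid user test from 203.0.113.5 port 40004 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port")
MARKER = "# auto-deny"  # assumed tag that marks the entries this script wrote (so only those get purged)

def count_failures(log_text):
    """Return {ip: failed-login count} by scanning sshd 'Failed password' lines."""
    return Counter(m.group(1) for m in map(FAILED_RE.search, log_text.splitlines()) if m)

def offenders(log_text, threshold=3, allowlist=frozenset()):
    """IPs with >= threshold failures; the allowlist keeps you from locking yourself out."""
    return sorted(ip for ip, n in count_failures(log_text).items()
                  if n >= threshold and ip not in allowlist)

def hosts_deny_entries(ips, today):
    """Render hosts.deny lines: a dated marker comment, then the real 'sshd: IP' rule."""
    out = []
    for ip in ips:
        out.append(f"{MARKER} {today} | sshd: {ip}")
        out.append(f"sshd: {ip}")
    return out

def purge_stale(hosts_deny_lines, today, max_age_days=7):
    """Drop marker+rule pairs older than max_age_days (today is 'YYYY-MM-DD'); hand-written rules stay."""
    now, kept, skip = date.fromisoformat(today), [], False
    for line in hosts_deny_lines:
        if skip:                      # the rule line that followed a stale marker
            skip = False
            continue
        if line.startswith(MARKER):
            added = date.fromisoformat(line[len(MARKER) + 1:].split(" |")[0])
            if now - added > timedelta(days=max_age_days):
                skip = True
                continue
        kept.append(line)
    return kept
```

Run it against a copy of /var/log/auth.log and diff the output against your live hosts.deny before letting anything write to it.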