How to stop/prevent SSH bruteforce
Solution 1:
How to gain access?
It's not clear why you can't access your account.
If your machine is under attack or under high load, you should talk to your provider about restricting access (IP restrictions) or taking the server offline (disconnecting it from the Internet).
You might also require out-of-band access, which your provider may be able to help with.
If somebody has compromised your server you may need to restore from backups or use a recovery image.
How to prevent attacks on your server, in particular SSH
Best way to prevent brute force logons?
Don't let them get to your machine in the first place! There are plenty of ways to stop brute force attempts before they get to your host, or even at the SSH level.
Having said that, protecting your Operating System with something like fail2ban is a great idea. http://en.wikipedia.org/wiki/Fail2ban
Fail2ban is similar to DenyHosts, but unlike DenyHosts, which focuses on SSH, fail2ban can be configured to monitor any service that writes login attempts to a log file, and instead of using only /etc/hosts.deny to block IP addresses/hosts, fail2ban can use Netfilter/iptables or TCP Wrappers' /etc/hosts.deny.
There are a number of important security techniques you should consider to help prevent brute force logins:
SSH:
- Don't allow root to login
- Don't allow ssh passwords (use private key authentication)
- Don't listen on every interface
- Create a network interface for SSH (e.g. eth1), which is different to the interface you serve requests from (e.g. eth0)
- Don't use common usernames
- Use an allow list, and only allow users that require SSH Access
- If you require Internet access, restrict access to a finite set of IPs. One static IP is ideal; however, locking it down to x.x.0.0/16 is better than 0.0.0.0/0
- If possible, find a way to connect without Internet access; that way you can deny all Internet traffic for SSH (e.g. with AWS you can get a direct connection that bypasses the Internet, called Direct Connect)
- Use software like fail2ban to catch any brute force attacks
- Make sure OS is always up to date, in particular security and ssh packages
Application:
- Make sure your application is always up to date, in particular security packages
- Lock down your application 'admin' pages. Much of the advice above applies to the admin area of your application too.
- Password-protect your admin area; something like htpasswd for the web console will protect any underlying application vulnerabilities and create an extra barrier to entry
- Lock down file permissions. 'Upload folders' are notorious for being entry points of all sorts of nasty stuff.
- Consider putting your application behind a private network, and only exposing your front-end load balancer and a jumpbox (this is a typical setup in AWS using VPCs)
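A check for the SSH items in the list above, as an added example that is not from the answer: a small bash audit that reads an sshd_config and reports the settings that still allow root login, password authentication, listening on every interface, or SSH for every local account. The two sample configs are constructed here; `sshd_config_value`, `audit_sshd_config` and the address 10.0.1.5 are this example's own names, and it looks only at the global section (the first `ListenAddress` line, no `Match` blocks).

```shell
#!/bin/bash
# Added example: audit an sshd_config for the weak settings listed above.
# Constructed sample configs (not taken from any real host):
WEAK_CONFIG='Port 22
ListenAddress 0.0.0.0
PermitRootLogin yes
PasswordAuthentication yes
'
HARDENED_CONFIG='Port 22
ListenAddress 10.0.1.5
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy ops
'

# sshd_config_value FILE KEY -> first value of KEY (keys are case-insensitive and,
# as in sshd, the first occurrence wins); prints nothing if the key is unset.
# Match blocks are not interpreted, so this covers the global section only.
sshd_config_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE -> one finding per line; exit 0 only when there are none.
audit_sshd_config() {
    local f="$1" findings=0 v

    v=$(sshd_config_value "$f" PermitRootLogin)
    if [ "$v" != "no" ]; then
        echo "PermitRootLogin is '${v:-unset}', want 'no'"; findings=$((findings + 1))
    fi

    # sshd defaults to password authentication when the key is absent
    v=$(sshd_config_value "$f" PasswordAuthentication)
    if [ "$v" != "no" ]; then
        echo "PasswordAuthentication is '${v:-unset}', want 'no' (keys only)"; findings=$((findings + 1))
    fi

    # unset, 0.0.0.0 or :: means sshd listens on every interface
    v=$(sshd_config_value "$f" ListenAddress)
    case "$v" in
        ""|0.0.0.0|0.0.0.0:*|::|"[::]"|"[::]:"*)
            echo "ListenAddress is '${v:-unset}', bind the management interface only"; findings=$((findings + 1)) ;;
    esac

    # without AllowUsers every local account is a valid SSH target
    v=$(sshd_config_value "$f" AllowUsers)
    if [ -z "$v" ]; then
        echo "AllowUsers is unset, restrict SSH to the accounts that need it"; findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Demo on the constructed weak config: prints four findings and exits non-zero.
tmp=$(mktemp); printf '%s' "$WEAK_CONFIG" > "$tmp"
audit_sshd_config "$tmp" || echo "$tmp: not hardened"
rm -f "$tmp"
```

On a real host run `audit_sshd_config /etc/ssh/sshd_config`; for a full picture of what sshd actually applies (including drop-in files and Match blocks), compare against `sshd -T`.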
Solution 2:
How can I suppress this attack and prevent following attacks?
Usually I change the default SSH port from 22 to another, like 1122. This prevents many automatic attacks from bots, but a simple port scan can detect it. Anyway:
vi /etc/ssh/sshd_config
and edit Port 22 to Port 1122, but this is not enough.
Automatic IPTables rules on bruteforce
I use log2iptables https://github.com/theMiddleBlue/log2iptables instead of Fail2ban, because it is a simple Bash script that parses any logfile with a regular expression and executes iptables. For example, when 5 matches occur, log2iptables drops the specific IP address. It's cool because it uses the Telegram API and can send me a message on my phone when it finds a problem :)
Hope this will help!
Solution 3:
I've just put this together; run it every 15 mins as a cron job, etc.:
#!/bin/bash
# Assumes /etc/hosts.deny.bak is a copy of /etc/hosts.deny WITHOUT the "sshd :" line;
# that line is rebuilt from the backup on every run.
# The address is the token after "from": in newer OpenSSH logs the last field is the
# client port ("... from 1.2.3.4 port 51422"), so $NF would pick up the port instead.
for z in $(awk '/Invalid user/ { for (i = 1; i < NF; i++) if ($i == "from") print $(i+1) }' /var/log/auth.log | sort -u)
do
    count1=$(grep -Fwc "$z" /etc/hosts.deny)                  # already listed?
    count2=$(grep Invalid /var/log/auth.log | grep -Fwc "$z") # failed attempts from $z
    if [ "$count1" -eq 0 ] && [ "$count2" -gt 10 ] ; then
        # addresses already on the sshd line, without the "sshd :" prefix
        current=$(grep "^sshd" /etc/hosts.deny | sed 's/sshd[ :,]*//')
        sudo cp /etc/hosts.deny.bak /etc/hosts.deny
        # append via sudo tee instead of temporarily making the file world-writable
        if [ -n "$current" ] ; then
            echo "sshd : $current , $z" | sudo tee -a /etc/hosts.deny > /dev/null
        else
            echo "sshd : $z" | sudo tee -a /etc/hosts.deny > /dev/null
        fi
    fi
done
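The per-source counting that Solutions 2 and 3 describe (block an address once the log shows N failures from it), as an added bash example that is not part of either answer, nor of log2iptables or fail2ban. The auth.log excerpt is constructed and deliberately mixes the old line format, where the address is the last field, with the current one, where `port N` follows it; `failed_logins_by_ip`, `ban_rules` and the threshold are this example's own names, and the iptables/ip6tables commands are only printed unless `apply` is passed.

```shell
#!/bin/bash
# Added example: count failed SSH logins per source address and produce the
# corresponding block rules. Constructed auth.log excerpt (not a real capture);
# the first line uses the old format where the address is the last field, the
# others the current format where "port N" follows the address.
AUTH_LOG_SAMPLE='Mar  1 10:00:01 host sshd[1001]: Invalid user admin from 203.0.113.9
Mar  1 10:00:02 host sshd[1002]: Invalid user admin from 203.0.113.9 port 51422
Mar  1 10:00:03 host sshd[1003]: Failed password for invalid user admin from 203.0.113.9 port 51422 ssh2
Mar  1 10:00:04 host sshd[1004]: Failed password for root from 203.0.113.9 port 51430 ssh2
Mar  1 10:00:05 host sshd[1005]: Failed password for root from 203.0.113.9 port 51431 ssh2
Mar  1 10:00:06 host sshd[1006]: Invalid user test from 203.0.113.9 port 51440
Mar  1 10:00:07 host sshd[1007]: Failed password for deploy from 198.51.100.7 port 40000 ssh2
Mar  1 10:00:08 host sshd[1008]: Accepted publickey for deploy from 198.51.100.7 port 40001 ssh2
Mar  1 10:00:09 host sshd[1009]: Invalid user oracle from 2001:db8::15 port 52000
'

# failed_logins_by_ip FILE THRESHOLD -> "COUNT IP" per address with at least
# THRESHOLD failures, highest count first. Only "Invalid user" and "Failed
# password" lines count; an "Accepted" login from the same address does not.
failed_logins_by_ip() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: (Invalid user|Failed password for)/ {
            # take the token after "from", not $NF: in current logs $NF is the port
            for (i = 1; i < NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) printf "%d %s\n", n[ip], ip }
    ' "$1" | sort -rn
}

# ban_rules FILE THRESHOLD [apply] -> prints one firewall rule per offender
# (ip6tables for IPv6 sources); with "apply" it runs them instead (needs root).
ban_rules() {
    local mode="${3:-print}" count ip cmd
    failed_logins_by_ip "$1" "$2" | while read -r count ip; do
        case "$ip" in
            *:*) cmd="ip6tables -I INPUT -s $ip -j DROP" ;;
            *)   cmd="iptables -I INPUT -s $ip -j DROP" ;;
        esac
        if [ "$mode" = apply ]; then $cmd; else echo "$cmd   # $count failures"; fi
    done
}

# Demo: with a threshold of 5 only 203.0.113.9 (6 failures) is listed.
log=$(mktemp); printf '%s' "$AUTH_LOG_SAMPLE" > "$log"
ban_rules "$log" 5
rm -f "$log"
```

Two things this shows that the cron script above does not handle: the client port in current log lines (taking `$NF` would ban "51422" instead of the address) and IPv6 sources, which need ip6tables rather than iptables. Whitelist your own management addresses before running it with `apply`, or a mistyped password from a jump host will lock you out.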