Using sshdfilter to secure an SSH server

Since moving my OpenSSH server down to its standard port number I have been hit daily by service scanning software and brute force password attacks. Gerry pointed out that sshdfilter can help.

sshdfilter blocks the frequent brute force attacks on ssh daemons. It does this by reading the sshd logging output directly and generating iptables rules; the process can be quick enough to block an attacker before they get a chance to enter any password at all.

It’s quick and simple to set up. I enabled email alerts to see what it gets up to and can report that it is all working fine on my servers (Red Hat 9, customised).
It will block when triggered by:

  • An attempt to log in as a user which doesn’t exist
  • N failed attempts to log in to an existing user account
  • An incoming connection that fails to provide an SSH version banner (which is part of the SSH protocol); this is most likely a port scanner or a dumb client

The length of time the block remains in place is configurable.
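To make the mechanism concrete, here is an added example (not sshdfilter’s own code) that does in miniature what the post describes: it reads sshd log lines, applies the three triggers above, and produces the iptables rules that would drop further SSH connections from the offending addresses. The log lines are constructed sample data in OpenSSH’s message format; the port number, the failure threshold and the rule format (a plain `DROP` in the `INPUT` chain rather than whatever chain sshdfilter itself uses) are assumptions. It only prints the rules; applying them is left to the caller.

```python
"""Toy log-driven SSH blocker in the spirit of sshdfilter (added example, not its code)."""
import re
from collections import defaultdict

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Message patterns as emitted by OpenSSH's sshd; the syslog prefix is ignored.
# "Failed password for invalid user ..." is deliberately excluded: the matching
# "Invalid user ..." line has already triggered an immediate block.
PATTERNS = {
    "invalid_user":    re.compile(r"Invalid user \S+ from " + IPV4),
    "failed_password": re.compile(r"Failed password for (?!invalid user)\S+ from " + IPV4),
    "no_banner":       re.compile(r"Did not receive identification string from " + IPV4),
    "accepted":        re.compile(r"Accepted \S+ for \S+ from " + IPV4),
}

SSH_PORT = 22  # assumption: sshd listens on its standard port, as in the post


def block_rule(ip):
    """iptables command dropping further SSH connections from ip (inserted at top of INPUT)."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport {SSH_PORT} -j DROP"


def unblock_rule(ip):
    """iptables command that removes the rule produced by block_rule()."""
    return f"iptables -D INPUT -s {ip} -p tcp --dport {SSH_PORT} -j DROP"


class Filter:
    def __init__(self, max_failures=3):
        self.max_failures = max_failures          # the "N" in "after N failed attempts"
        self.failures = defaultdict(int)          # ip -> failed logins to existing accounts
        self.blocked = {}                         # ip -> reason the block was applied
        self.rules = []                           # iptables commands, in order of generation

    def _block(self, ip, reason):
        if ip in self.blocked:                    # never emit a duplicate rule
            return
        self.blocked[ip] = reason
        self.rules.append(block_rule(ip))

    def feed(self, line):
        """Process one sshd log line; returns the event kind matched, or None."""
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            ip = m.group(1)
            if kind == "invalid_user":
                self._block(ip, "login attempt for a non-existent user")
            elif kind == "no_banner":
                self._block(ip, "no SSH version banner (scanner or dumb client)")
            elif kind == "accepted":
                self.failures.pop(ip, None)       # a real user who mistyped twice is forgiven
            else:
                self.failures[ip] += 1
                if self.failures[ip] >= self.max_failures:
                    self._block(ip, f"{self.failures[ip]} failed logins to existing accounts")
            return kind
        return None

    def release(self, ip):
        """Lift a block once its configured duration has elapsed; returns the removal command."""
        self.blocked.pop(ip, None)
        self.failures.pop(ip, None)
        return unblock_rule(ip)


# Constructed sample log, using RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "Jan 10 12:00:01 host sshd[101]: Invalid user oracle from 198.51.100.7",
    "Jan 10 12:00:01 host sshd[101]: Failed password for invalid user oracle from 198.51.100.7 port 4011 ssh2",
    "Jan 10 12:00:05 host sshd[102]: Failed password for alice from 203.0.113.9 port 4022 ssh2",
    "Jan 10 12:00:09 host sshd[103]: Failed password for alice from 203.0.113.9 port 4023 ssh2",
    "Jan 10 12:00:12 host sshd[104]: Accepted password for alice from 203.0.113.9 port 4024 ssh2",
    "Jan 10 12:01:00 host sshd[105]: Did not receive identification string from 192.0.2.33",
    "Jan 10 12:02:00 host sshd[106]: Failed password for root from 203.0.113.9 port 4030 ssh2",
    "Jan 10 12:02:03 host sshd[107]: Failed password for root from 203.0.113.9 port 4031 ssh2",
    "Jan 10 12:02:06 host sshd[108]: Failed password for root from 203.0.113.9 port 4032 ssh2",
]


def run(lines, max_failures=3):
    """Feed every line through a fresh Filter and return it for inspection."""
    f = Filter(max_failures)
    for line in lines:
        f.feed(line)
    return f


if __name__ == "__main__":
    f = run(SAMPLE_LOG)
    for ip, reason in f.blocked.items():
        print(f"# {ip}: {reason}")
    print("\n".join(f.rules))
```

Running it on the sample produces three blocks: 198.51.100.7 is cut off on the very first line, before its password guess is even logged; 192.0.2.33 is dropped for never sending a banner; and 203.0.113.9 survives alice’s two typos (the successful login resets its counter) but is blocked on the third failure against root. In a real deployment the caller would schedule `release()` after the configured duration, which is the expiry behaviour the post mentions.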
