Using sshdfilter to Secure an SSH Server
Since moving my OpenSSH server down to its standard port number, I have been hit daily by service-scanning software and brute-force password attacks. Gerry pointed out that sshdfilter can help.
How sshdfilter Works
sshdfilter blocks the frequent brute-force attacks on ssh daemons. It does this by reading the sshd log output directly and generating iptables rules; the process can be quick enough to block an attacker before they get a chance to enter any password at all.
Setup and Experience
It's quick and simple to set up. I enabled email alerts to see what it gets up to, and can report that it is all working fine on my servers (customised Red Hat 9).
Attack Detection Triggers
It will block when triggered by:
- An attempt to log in as a user that doesn't exist
- N failed attempts to log in to an existing user account
- An incoming connection that fails to provide the SSH version banner required by the SSH protocol; this is most likely a port scanner or a dumb client
Configuration
The length of time a block remains in place is configurable.
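As an added illustration (not sshdfilter's own code, which this post does not reproduce), the following Python sketch reads a constructed sample of sshd log lines, applies the three triggers listed above, and produces the iptables rule text a tool like sshdfilter would install. The OpenSSH message wording, the chain name SSHD, port 22 and the trusted-address exception for 127.0.0.1 are assumptions; rules are returned as strings rather than executed, and block expiry is not modelled.

```python
import re
from collections import defaultdict

# Constructed sample of sshd syslog lines (not real traffic), covering each
# trigger: an unknown user, repeated failures on a real account, a client that
# never sent an SSH version banner, and a failure from localhost.
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd[2001]: Invalid user oracle from 203.0.113.5
Mar  1 10:00:03 host sshd[2002]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar  1 10:00:05 host sshd[2003]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar  1 10:00:07 host sshd[2004]: Failed password for root from 198.51.100.7 port 40003 ssh2
Mar  1 10:00:09 host sshd[2005]: Did not receive identification string from 192.0.2.9
Mar  1 10:00:11 host sshd[2006]: Failed password for alice from 127.0.0.1 port 50000 ssh2
"""

# Patterns for the OpenSSH log messages each trigger is based on (assumed wording).
INVALID_USER = re.compile(r"Invalid user \S+ from (\S+)")
FAILED_PASSWORD = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port")
NO_BANNER = re.compile(r"Did not receive identification string from (\S+)")

def scan(log_text, max_failures=3, trusted=("127.0.0.1",)):
    """Return (ip, reason) block decisions in the order they were reached.

    max_failures is the N from the post. Addresses in `trusted` are never
    blocked (an assumption added here so localhost cannot be locked out).
    """
    failures = defaultdict(int)
    blocked, seen = [], set()
    for line in log_text.splitlines():
        ip = reason = None
        if m := INVALID_USER.search(line):
            ip, reason = m.group(1), "invalid user"
        elif m := NO_BANNER.search(line):
            ip, reason = m.group(1), "no ssh banner"
        elif m := FAILED_PASSWORD.search(line):
            failures[m.group(1)] += 1
            if failures[m.group(1)] >= max_failures:
                ip, reason = m.group(1), f"{max_failures} failed passwords"
        if ip and ip not in trusted and ip not in seen:
            seen.add(ip)
            blocked.append((ip, reason))
    return blocked

def iptables_rule(ip, chain="SSHD"):
    """Rule text a sshdfilter-style tool would add; returned, not executed."""
    return f"iptables -A {chain} -s {ip} -p tcp --dport 22 -j DROP"

if __name__ == "__main__":
    for ip, reason in scan(SAMPLE_LOG):
        print(f"# {reason}\n{iptables_rule(ip)}")
```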