
Monday, January 16, 2012

Securing SSH

I got these brilliant tips from the CentOS Wiki...


6. Filter SSH at the Firewall


If you only need remote access from one IP address (say from work to your home server), then consider filtering connections at your firewall by either adding a firewall rule on your router or in iptables to limit access on port 22 to only that specific IP address. For example, in iptables this could be achieved with the following type of rule:
iptables -A INPUT -p tcp -s 72.232.194.162 --dport 22 -j ACCEPT

SSH also natively supports TCP wrappers and access to the ssh service may be similarly controlled using hosts.allow and hosts.deny.
If you are unable to limit source IP addresses, and must open the ssh port globally, then iptables can still help prevent brute-force attacks by logging and blocking repeated attempts to log in from the same IP address. For example:
iptables -A INPUT -p tcp --dport 22 -m recent --set --name ssh --rsource
iptables -A INPUT -p tcp --dport 22 -m recent ! --rcheck --seconds 60 --hitcount 4 --name ssh --rsource -j ACCEPT

The first rule records the IP address of each attempt to access port 22 using the recent module. The second rule checks to see if that IP address has attempted to connect 4 or more times within the last 60 seconds, and if not then the packet is accepted. Note this rule would require a default policy of DROP on the input chain.
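
The behaviour of the two recent rules above, modelled as an added Python example (not code from the CentOS Wiki or from this blog). It assumes each entry is one new connection attempt reaching the rules and that packets of established sessions are accepted by an earlier rule; the function name, sample addresses and timestamps are constructed for illustration.

```python
from collections import defaultdict

def simulate_recent(attempts, seconds=60, hitcount=4):
    """Model of the two 'recent' rules above plus a default DROP policy.

    attempts: iterable of (timestamp_seconds, source_ip), one entry per packet
    that reaches the rules. Returns a list of (timestamp, source_ip, verdict).
    """
    stamps = defaultdict(list)  # one hit list per source, like --name ssh --rsource
    verdicts = []
    for now, src in sorted(attempts):
        # Rule 1: --set records this hit; it has no target, so evaluation continues.
        stamps[src].append(now)
        # Rule 2: --rcheck --seconds 60 --hitcount 4 matches when the source has
        # at least `hitcount` hits inside the window, counting the one just set.
        recent_hits = [t for t in stamps[src] if t >= now - seconds]
        stamps[src] = recent_hits  # input is time-ordered, so older hits never matter again
        rcheck = len(recent_hits) >= hitcount
        # '!' inverts the match: ACCEPT only while rcheck is false; otherwise the
        # packet falls through to the chain's default policy (DROP).
        verdicts.append((now, src, "DROP" if rcheck else "ACCEPT"))
    return verdicts

# Constructed sample: one source retrying every 10 s, plus one ordinary client.
SAMPLE = [(t, "203.0.113.5") for t in range(0, 100, 10)]
SAMPLE += [(150, "203.0.113.5"), (5, "198.51.100.7"), (70, "198.51.100.7")]

if __name__ == "__main__":
    for now, src, verdict in simulate_recent(SAMPLE):
        print(f"t={now:>3}s  {src:<13} {verdict}")
```

Dropped attempts are still recorded by the first rule, so a source that keeps retrying stays blocked until it has been quiet long enough for its hit count inside the 60-second window to fall below 4.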
Here's another example, this time using the iptables limit module to limit the number of connections to the ssh port to 3 per minute:
iptables -A INPUT -p tcp --dport 22 --syn -m limit --limit 1/m --limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 --syn -j DROP

The first line will accept new connections on port 22 provided that IP address hasn't made more than 3 connection attempts in the last minute. If more than 3 connection attempts have been made within the last minute, then the second line will DROP the connection.
Don't forget to change the port as appropriate if you are running ssh on a non-standard port. Where possible, filtering at the firewall is an extremely effective method of securing access to an ssh server. 


http://wiki.centos.org/HowTos/Network/SecuringSSH

And this is from cyberciti...


#16: Thwart SSH Crackers (Brute Force Attack)

Brute force is a method of defeating a cryptographic scheme by trying a large number of possibilities using a single or distributed computer network. To prevent brute force attacks against SSH, use the following software:
  • DenyHosts is a Python based security tool for SSH servers. It is intended to prevent brute force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses.
  • Explains how to set up DenyHosts under RHEL / Fedora and CentOS Linux.
  • Fail2ban is a similar program that prevents brute force attacks against SSH.
  • security/sshguard-pf protects hosts from brute force attacks against ssh and other services using pf.
  • security/sshguard-ipfw protects hosts from brute force attacks against ssh and other services using ipfw.
  • security/sshguard-ipfilter protects hosts from brute force attacks against ssh and other services using ipfilter.
  • security/sshblock block abusive SSH login attempts.
  • security/sshit checks for SSH/FTP bruteforce and blocks given IPs.
  • BlockHosts Automatic blocking of abusive IP hosts.
  • Blacklist Get rid of those bruteforce attempts.
  • Brute Force Detection A modular shell script for parsing application logs and checking for authentication failures. It does this using a rules system where application specific options are stored including regular expressions for each unique auth format.
  • IPQ BDB filter May be considered as a fail2ban lite.



http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html

Tuesday, January 3, 2012

Note: Oci8 Performance Tuning @ My Office

Using a server with a 4-core processor & 16 Gigs of RAM, this webserver got much slower after the newly launched program that is accessed by about 1500-2500 people in an hour.

Then I tried to optimize settings in php.ini and httpd.conf, but it didn't work! The page that usually can be accessed in 1 second still takes 2 minutes to be accessed. RAM usage reached 10 Gigs!

After reading http://issuu.com/ky-c/docs/php-oci8#download I then tried to switch the connection to persistent... and Alhamdulillah, it works!!

The access time is back to normal, or maybe a little bit faster than before... and the RAM usage averages 5 Gigs...