# SSH Attack by different hosts

## CorCornelisse

Hi All,

I've a problem, my logs are swamped by messages indicating a brute force or dictionary based attack on my SSH server. The problem is, every attempt appears to be coming from a different address, and all addresses show IRC ports open (used NMAP to scan). So I think someone is using a botnet to attack my box. Anyway, how would you deal with a situation like this? It's too intensive for me to block every IP using iptables (which is what I usually do when attacked from one single source).

Hope anyone can shed some light on this case, since this brute force attack is swamping my logs, and making my SSH machine terribly slow (it's a VIA EPIA C3 500 MHz).

Any help is appreciated.

```
Nov 15 14:49:54 localhost sshd[8916]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.147.111.99  user=root
Nov 15 14:49:55 localhost sshd[8916]: error: PAM: Authentication failure for root from 201.147.111.99
Nov 15 14:52:23 localhost sshd[8919]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=bces-1730.de  user=root
Nov 15 14:52:26 localhost sshd[8919]: error: PAM: Authentication failure for root from bces-1730.de
Nov 15 14:55:15 localhost sshd[8922]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.172.166.2  user=root
Nov 15 14:55:18 localhost sshd[8922]: error: PAM: Authentication failure for root from 200.172.166.2
Nov 15 14:57:47 localhost sshd[8925]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=babels-elite.de  user=root
Nov 15 14:57:48 localhost sshd[8925]: error: PAM: Authentication failure for root from babels-elite.de
Nov 15 15:03:29 localhost sshd[8930]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=argon108.server4you.de  user=root
Nov 15 15:03:30 localhost sshd[8930]: error: PAM: Authentication failure for root from argon108.server4you.de
```

----------

## di1bert

Blocking SSH access to the world using iptables would be the best answer. If you need access from the world, only allow from certain IPs.

You could also consider installing DenyHosts, which would help.

HTH

-m

----------

## KD-120RD

how about port knocking?

http://en.wikipedia.org/wiki/Port_knocking

----------

## CorCornelisse

I love the port knocking solution, I'll see if I can get that up and running; never heard of it before. Thanks!!!

Blocking access isn't possible since this machine is the very gateway to my network and I want to be able to access it from anywhere.

Thanks for the quick response !!!

----------

## quade

Another suggestion is to deny users who fail a certain number of login attempts within 60 seconds using this iptables rule:

```
$IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
$IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --rttl --name SSH -j DROP
```

(where $IPTABLES is the full path to your binary, usually /sbin/iptables)

This configuration looks for any IP address where someone makes 10 failed SSH login attempts within a minute's time. 

This way, you can fail your login attempt a couple of times, wait a minute, then try again (useful for those days after changing your password).

Also, FWIW, I'd recommend that you not allow root to connect via SSH; instead, connect as a user, then sudo or su - to get root access.
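To make the semantics of the two `-m recent` rules concrete, here is an added simulation (my own example, not quade's configuration or anything from the iptables project) of how xt_recent evaluates them: the `--set` rule stamps the source on every NEW connection to port 22, and the `--update --seconds 60 --hitcount 10` rule drops once ten stamps fall inside the last minute. Two things worth noticing in the output: the match counts new TCP connections, not authentication failures, and because the count is per source address it never fires against the thread's one-attempt-per-host botnet. The `--rttl` TTL comparison is not modelled; the stamp ring size (xt_recent's default `ip_pkt_list_tot` of 20) is. All addresses and timings are constructed.

```python
"""Simulation of the iptables `-m recent` rate-limit rules quoted above.

Constructed example. It models:
  --set --name SSH                       every NEW SYN to :22 stamps the source
  --update --seconds 60 --hitcount 10    DROP once >=10 stamps lie in the window
The --rttl check is not modelled; the default stamp capacity (20) is.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60
HITCOUNT = 10
STAMP_CAPACITY = 20  # xt_recent default ip_pkt_list_tot


class RecentList:
    """Per-source ring of packet timestamps, like /proc/net/xt_recent/SSH."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=STAMP_CAPACITY))

    def set(self, src, now):
        # `--set`: add the source (or refresh it) and record this packet's time.
        self.stamps[src].append(now)

    def update(self, src, now, seconds, hitcount):
        # `--update --seconds S --hitcount N`: match when the source is already
        # known and at least N of its stamps are no older than now-S.
        # On a match the kernel also records the current packet.
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if t >= now - seconds)
        if hits >= hitcount:
            self.stamps[src].append(now)
            return True
        return False


def filter_new_connections(events):
    """events: iterable of (seconds, src_ip) for NEW TCP connections to :22.
    Returns [(seconds, src_ip, "ACCEPT" | "DROP"), ...] in arrival order."""
    table = RecentList()
    verdicts = []
    for now, src in events:
        table.set(src, now)                                   # rule 1
        if table.update(src, now, WINDOW_SECONDS, HITCOUNT):  # rule 2
            verdicts.append((now, src, "DROP"))
        else:
            verdicts.append((now, src, "ACCEPT"))
    return verdicts


def single_source_burst():
    """One host opens 12 connections in 12 s, waits 61 s, then tries again.
    Expect 9 ACCEPT, 3 DROP, then ACCEPT once the window has emptied."""
    events = [(t, "198.51.100.7") for t in range(12)] + [(73, "198.51.100.7")]
    return filter_new_connections(events)


def distributed_attack(n_hosts=10):
    """The thread's case: every attempt from a different (constructed) address.
    No host ever reaches the hitcount, so nothing is dropped."""
    events = [(t, f"203.0.113.{t}") for t in range(n_hosts)]
    return filter_new_connections(events)


if __name__ == "__main__":
    for verdict in single_source_burst():
        print(*verdict)
    dropped = [v for v in distributed_attack() if v[2] == "DROP"]
    print("distributed attempts dropped:", len(dropped))
```

Because the stamp is taken at the SYN, a legitimate user who mistypes a password a few times inside one SSH session is still only one hit; conversely a scanner that opens and closes ten connections without ever authenticating is banned. That is also why the rule does nothing here: each bot connects once and never comes back.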

----------

## CorCornelisse

That's already the case :Wink: , he won't get anywhere by attempting to login as root. So I've nothing to fear, but it lags my connection to the box severely, that's the reason I'm looking for a solution. Those iptables rules might come in handy, with a different timing though.. I'll try, tnx !!!

----------

## ianw1974

I don't know if it's possible for you, but maybe you could just tunnel into the system using IPSEC VPN and then SSH after this once you have a VPN connection.

This is what I do, so that I'm spared people trying to hack my system over SSH. It means I don't have to open the port, and I can connect from anywhere, if I'm using an IPSEC client or have access to create an IPSEC connection from another firewall.

----------

## Cyker

Yeah, the most you can do without excessive zots is to set up rules to:

+ Ban connection attempts on Port 22 that don't have SSH headers ("Did not receive identification string from")

+ Ban if more than 3 authentication failures happen within 30s ("Failed password for")

+ Ban anything with common usernames that shouldn't be logging in anyway ("root" "cron" "daemon" "mail" etc.)

I currently use SEC to do this.

If it's getting to be too big a PITA, then another thing you can do, *in addition* to all the above stuff, is change the connecting port from 22 to something else - 80 and 21 are good ones because scans will try to connect as HTTP/FTP and will get themselves insta-banned, but you need to be careful you don't accidentally do that because then you will be banned with no come-back until you can get home and remove the offending IP.

Even if you can't/won't spoof the port to a common service, changing it to something else entirely like 220 or 12345 or something will still cut down on the attempts on your system noticeably.

It really sucks that these bastards are using fraggin' botnets now just to break into random people's systems. Things like this almost make me miss the days when the main way of connecting was via modem, and the only people that had fast connections were the ones that actually knew enough about computers to be able to detect and fix such problems!

But I guess we all know it's not going to get any better as the 'net gets more and more commercialized...
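Cyker's three rules are a good illustration of which log-driven bans survive a distributed attack, so here is an added example (mine, not Cyker's SEC rules or anything from the original thread) that runs them over constructed sshd lines. The message formats (`Failed password for ... from ...`, `Did not receive identification string from ...`) are OpenSSH's own; the hostnames, ports, times and the `gw` host are made up, and since syslog timestamps carry no year one is assumed. Rule 2 (more than 3 failures in 30 s) is keyed on the source and therefore never fires for the one-attempt-per-bot pattern in the thread, whereas rule 1 (no SSH banner) and rule 3 (a forbidden account name such as `root`) ban on a single line regardless of where it came from.

```python
"""The three log-driven ban rules from the post above, as a constructed
Python check over sample sshd log lines (added example, not Cyker's SEC rules).
Message formats are OpenSSH's; hosts, times and names are made up."""
import re
from datetime import datetime, timedelta

FAIL_THRESHOLD = 3                      # rule 2: "more than 3 failures ..."
FAIL_WINDOW = timedelta(seconds=30)     # "... within 30s"
DENIED_USERS = {"root", "cron", "daemon", "mail", "bin", "nobody"}  # rule 3
ASSUMED_YEAR = 2006                     # assumption: syslog lines have no year

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(
    r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+)")
NOIDENT_RE = re.compile(r"^Did not receive identification string from (?P<host>\S+)")

# Constructed sample. The first three hosts are the ones from the original
# post; the rest are documentation addresses.
SAMPLE_LOG = """\
Nov 15 14:49:54 gw sshd[8916]: Failed password for root from 201.147.111.99 port 4312 ssh2
Nov 15 14:52:23 gw sshd[8919]: Failed password for root from bces-1730.de port 2201 ssh2
Nov 15 14:55:15 gw sshd[8922]: Failed password for invalid user admin from 200.172.166.2 port 3390 ssh2
Nov 15 14:55:20 gw sshd[8923]: Failed password for invalid user admin from 200.172.166.2 port 3391 ssh2
Nov 15 14:55:26 gw sshd[8924]: Failed password for invalid user test from 200.172.166.2 port 3392 ssh2
Nov 15 14:55:33 gw sshd[8925]: Failed password for invalid user test from 200.172.166.2 port 3393 ssh2
Nov 15 14:57:47 gw sshd[8927]: Did not receive identification string from 203.0.113.10
Nov 15 15:03:29 gw sshd[8930]: Failed password for cor from 192.0.2.44 port 51000 ssh2
Nov 15 15:04:40 gw sshd[8931]: Failed password for cor from 192.0.2.44 port 51001 ssh2
Nov 15 15:05:02 gw sshd[8932]: Accepted publickey for cor from 192.0.2.44 port 51002 ssh2
""".splitlines()


def parse(line):
    """Split a syslog line into (timestamp, sshd message); None if not sshd."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return ts, m["msg"]


def evaluate(lines):
    """Apply the three rules. Returns ({host: reason}, distinct_failing_hosts).
    The second value is the 'many hosts, few attempts each' botnet signal."""
    bans = {}
    failures = {}            # host -> timestamps of recent password failures
    failing_hosts = set()
    for line in lines:
        parsed = parse(line)
        if not parsed:
            continue
        ts, msg = parsed
        m = NOIDENT_RE.match(msg)
        if m:
            # Rule 1: a TCP client that never sent an SSH banner (scanner, HTTP probe).
            bans.setdefault(m["host"], "no SSH identification string")
            continue
        m = FAILED_RE.match(msg)
        if not m:
            continue
        host, user = m["host"], m["user"]
        failing_hosts.add(host)
        if user in DENIED_USERS:
            # Rule 3: an account that should never log in remotely; one line is
            # enough, and it does not depend on having seen this host before.
            bans.setdefault(host, f"attempt as denied user {user!r}")
            continue
        # Rule 2: sliding 30 s window of password failures, per source host.
        recent = [t for t in failures.get(host, []) if ts - t <= FAIL_WINDOW]
        recent.append(ts)
        failures[host] = recent
        if len(recent) > FAIL_THRESHOLD:
            bans.setdefault(host, f"{len(recent)} failures in {FAIL_WINDOW.seconds}s")
    return bans, len(failing_hosts)


if __name__ == "__main__":
    banned, n_failing = evaluate(SAMPLE_LOG)
    for host, reason in banned.items():
        print(f"ban {host}: {reason}")
    print(f"{n_failing} distinct hosts failed authentication")
```

On the sample, `192.0.2.44` (two failures 71 s apart, then a successful key login) is left alone, `200.172.166.2` trips the per-host window, and the two `root` attempts and the banner-less probe are banned on sight. A real deployment feeds the reasons into an iptables or tcp_wrappers update the way SEC or DenyHosts does; the rule logic is the same.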

----------

## pteppic

*quade wrote:*

> Another suggestion is to deny users who fail a certain number of login attempts within 60 seconds using this iptables rule:
>
> ```
> $IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
> ...
> ```

 That is a really nice example, elegant, requires no administration and gets the job done without extra packages or config.

----------

## quade

Thanks.  :Smile: 

That's taken from my iptables config to solve the exact same problem -- my logs were getting so full from all these bot attacks I could never debug anything else I was working on.

----------

## Akkara

I've recently changed /etc/ssh/sshd_config to use RSA authentication, only.  Works great, and also solves a worry of accidentally leaving possibly ill-secured test accounts around.  And using ssh-agent I only need to type in the passphrase once per session which makes it more convenient.
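Turning sshd key-only has one trap worth checking for: sshd uses the first value it reads for each keyword, so a `PasswordAuthentication no` appended below a distribution default of `yes` is silently ignored, and PAM's keyboard-interactive method can still prompt for a password unless `ChallengeResponseAuthentication` is also off. The checker below is an added example (mine, not Akkara's configuration or anything from OpenSSH) that mirrors the first-value-wins parsing and compares a constructed weak config against a hardened one. It assumes the keyword names and defaults of OpenSSH releases of the period (newer releases spell the keyboard-interactive option `KbdInteractiveAuthentication` and default `PermitRootLogin` to `prohibit-password`), and it does not handle `Match` blocks.

```python
"""Audit an sshd_config for key-only authentication (constructed example,
not the poster's config). Mirrors sshd's first-value-wins rule and the
defaults of OpenSSH of the period; Match blocks are assumed absent."""

# keyword (lower-cased) -> value that makes logins key-only
REQUIRED = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    # PAM keyboard-interactive can still ask for a password unless this is off
    "challengeresponseauthentication": "no",
    "permitrootlogin": "no",
}
# what sshd of the period assumes when the keyword is absent
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitrootlogin": "yes",
}

# Constructed: a distribution default with a well-meant but ineffective fix.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no     # too late: sshd already took 'yes' above
"""

# Constructed: the key-only layout the post describes.
HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
UsePAM yes
"""


def effective_settings(config_text):
    """Return the value sshd would use for each REQUIRED keyword.
    Comments and blank lines are skipped; 'Key Value' and 'Key=Value' are
    both accepted; the FIRST occurrence of a keyword wins, as in sshd(8)."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        seen.setdefault(key, value)          # later duplicates are ignored
    return {k: seen.get(k, DEFAULTS[k]) for k in REQUIRED}


def audit(config_text):
    """List (keyword, effective_value, wanted_value) for every setting that
    still lets a password (or root) log in. Empty list means key-only."""
    effective = effective_settings(config_text)
    return [(k, effective[k], want)
            for k, want in REQUIRED.items() if effective[k] != want]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(cfg)
        print(f"{name}: {'OK, key-only' if not findings else ''}")
        for key, have, want in findings:
            print(f"  {key} is {have!r}, want {want!r}")
```

The weak file reports three findings even though its last line says `no`, which is exactly the mistake the checker exists to catch; the hardened file reports none. Once password logins are off, the bots in this thread can still connect and fail, but the failures are no longer a dictionary attack against anything.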

----------

## Carnildo

*CorCornelisse wrote:*

> Hi All,
>
> I've a problem, my logs are swamped by messages indicating a brute force or dictionary based attack on my SSH server. The problem is, every attempt appears to be coming from a different address, and all addresses show IRC ports open (used NMAP to scan). So I think someone is using a botnet to attack my box. Anyway, how would you deal with a situation like this? It's too intensive for me to block every IP using iptables (which is what I usually do when attacked from one single source).


They're not targeting you specifically.  They're just looking for insecure hosts -- anyone with SSH on port 22 is seeing this.  I use the Denyhosts distributed blacklist -- the idea is that if one person sees a computer trying a brute-force attack, they report it, and everyone else's computer adds it to sshd's list of disallowed hosts.  It can even work with these distributed attacks.

*Quote:*

> Hope anyone can shed some light on this case, since this brute force attack is swamping my logs, and making my SSH machine terribly slow (it's a VIA EPIA C3 500 MHz)


You should probably look into what's being slow here.  My Pentium 233 isn't running any slower than normal.

----------

## Speen

have you tried fail2ban?

it's in portage!

----------

## vaguy02

fail2ban only works with multiple attempts from the same host, not what we are talking about here.

Robert

----------

