# ssh getting attacked

## Cr0t

Someone is attacking my ssh server. What do you use to block/filter those attacks? Programs like DenyHosts exist.

----------

## John R. Graham

I've taken two steps:

1. Installed net-analyzer/fail2ban.
2. Configured my sshd to disallow password authentication. I use RSA authentication instead.

\- John

----------

## Mike Hunt

Another way to go is to use an unused, non-standard port for ssh. Check /etc/services.

To do that, change the Port settings in /etc/ssh/sshd_config and /etc/ssh/ssh_config, then restart the ssh server.

Another way is to disable port 22 temporarily after repeated hits from the same source. To do that, edit your iptables config like this:

```
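# Record the source address of every new connection to port 22 on eth0
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
# Reset established port-22 traffic from a source recorded at least twice in the last 60 seconds
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state ESTABLISHED -m recent --update --seconds 60 --hitcount 2 -j REJECT --reject-with tcp-reset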
```

For this you will need to enable `<*> "recent" match support` and `<*> "state" match support` in your kernel Core Netfilter Configuration under Network packet filtering framework (Netfilter) under Networking options under Networking support in menuconfig, and rebuild the kernel in the usual way.

----------

## Cr0t

*john_r_graham wrote:*

> I've taken two steps:
>
> 1. Installed net-analyzer/fail2ban.
> 2. Configured my sshd to disallow password authentication. I use RSA authentication instead.
>
> \- John

I saw fail2ban as well. Not sure if it is better than DenyHosts. This one page had a list of all different kinds of programs.

----------

## Cr0t

*Mike Hunt wrote:*

> Another way to go is to use an unused, non-standard port for ssh. Check /etc/services.
>
> To do that, change the Port settings in /etc/ssh/sshd_config and /etc/ssh/ssh_config, then restart the ssh server.
> ...

That's some good stuff. I will put that in place later.

----------

