Attack on SSH
Hello, I'm receiving a lot of attacks on the sshd port and a lot of emails from CSF about blocked IPs, every 5 min since yesterday. Any suggestions for this? Thanks
You could change the root port.
I don't have the standard port configured.
Honestly, changing the port is not going to help a lot anymore. We ran on a non-standard port for years and hardly saw any attacks. In the past 3-4 months, we've seen a ton of attacks. If you don't need SSH open to the world, simply set firewall rules that open it for the IP ranges that need it. That's going to be quite hard if you offer SSH/SFTP to clients, but it's the only reliable way. If not, simply make sure you have strong passwords (or keys) and live with the email alerts.
Thanks guys.
Move the port number again. It will take them a while to figure it out, by which time they'll get fed up and move on :-)
Change the port number again or displace the port number again.
Disable password auth; use certificate auth only.
Use ConfigServer Security & Firewall (CSF). Also go to cPHulk brute force protection and disable all the countries except your country!
@Nabello Are you seeing the same IP blocked over and over, or are these different IPs? If the same IP (or small range) is attacking repeatedly, you can set longer timeouts for blocks in CSF/cPHulk. In cPHulk, we use one-day block rules after 20 attempts and have it block the IP via iptables. If you are seeing a wide range of IPs, country-based blocking can help if they are mostly from certain countries and you do not have customers in those regions. I don't recommend blocking all traffic from certain countries, just SSH or similar ports used to access the server. Some attacks use large distributed IP ranges; as a result, connection-based filters rarely help.

If these attacks cause DoS issues in SSH, you can raise the MaxStartups configuration setting. This will allow sshd to run more processes. During some attacks, we've set this as high as 100 to avoid DoS issues.

You can also set MaxAuthTries. This value limits the number of authentication attempts per connection. I use a value of 3. The default is 6. I don't set this below 3, as some SSH clients may offer certs or other auth mechanisms before attempting password authentication. By reducing MaxAuthTries, the attack has to make 2x as many SSH connections to try the same number of passwords. This is a minor deterrent, but we've had some success with this and with rate-limiting rules in iptables.
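The first question in the comment above (one IP or small range hammering the server, versus a wide spread of addresses) decides which of the suggested controls is worth the effort. The script below is an added example, not posted by anyone in this thread and not part of CSF or cPHulk; it reads sshd "Failed password" lines from an auth.log-style file and tallies them per source IP and per /24, so you can see at a glance whether longer per-IP block timeouts will bite or whether you are looking at a distributed campaign. The log lines are constructed samples using documentation address ranges; point the functions at your real /var/log/auth.log or /var/log/secure instead.

```shell
#!/bin/sh
# Triage sshd authentication failures: one source (or one small range)
# hammering the server, or a distributed set of addresses?
# The log lines below are constructed samples, not real traffic.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan 10 03:12:01 host sshd[1201]: Failed password for root from 203.0.113.10 port 51022 ssh2
Jan 10 03:12:04 host sshd[1203]: Failed password for invalid user admin from 203.0.113.10 port 51030 ssh2
Jan 10 03:12:07 host sshd[1205]: Invalid user test from 198.51.100.77 port 40010
Jan 10 03:12:09 host sshd[1205]: Failed password for invalid user test from 198.51.100.77 port 40010 ssh2
Jan 10 03:12:20 host sshd[1209]: Accepted publickey for deploy from 192.0.2.5 port 33022 ssh2: ED25519 SHA256:placeholder
Jan 10 03:12:31 host sshd[1212]: Failed password for root from 203.0.113.10 port 51044 ssh2
Jan 10 03:12:40 host sshd[1214]: Failed password for root from 203.0.113.11 port 51050 ssh2
EOF

# Print "<count> <ip>" per source, busiest first. Only "Failed password"
# lines are counted: the "Invalid user" line that precedes one of them
# belongs to the same attempt and would double-count it.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break }
         }' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Same tally aggregated to /24 networks, to spot a "small range" that
# rotates through several addresses.
failed_logins_by_net24() {
    failed_logins_by_ip "$1" | awk -F'[ .]' '{ n[$2 "." $3 "." $4 ".0/24"] += $1 }
        END { for (k in n) print n[k], k }' | sort -rn
}

# Number of distinct failing sources. Many sources with low per-IP counts
# is the distributed pattern where per-IP blocking helps little.
distinct_attacker_count() {
    failed_logins_by_ip "$1" | wc -l | tr -d ' '
}

# Busiest single source: the IP on the first line of the per-IP tally.
top_attacker() {
    failed_logins_by_ip "$1" | head -n 1 | cut -d' ' -f2
}

# Demo run on the constructed sample.
echo "Failed logins per IP:";  failed_logins_by_ip "$SAMPLE_LOG"
echo "Failed logins per /24:"; failed_logins_by_net24 "$SAMPLE_LOG"
echo "Distinct sources: $(distinct_attacker_count "$SAMPLE_LOG")"
echo "Top source: $(top_attacker "$SAMPLE_LOG")"
```

On the sample, 203.0.113.10 accounts for three of the five failures and its /24 for four, which is the "same IP or small range" case where a longer cPHulk or CSF block timeout pays off; if instead you see dozens of sources each with one or two attempts, the comment's advice on MaxAuthTries, rate limiting and restricting the port to known ranges is the better lever.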
@Nabbello Please let us know if you continue to experience issues with this or have any concerns after the suggestions provided here.
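Several comments above boil down to a handful of sshd_config and firewall settings: keys instead of passwords, MaxAuthTries 3, a raised MaxStartups under load, the SSH port opened only to the IP ranges that need it, and iptables rate limiting. The script below is an added example, written for this thread and not taken from CSF, cPHulk or OpenSSH; it audits a sshd_config file for those settings and prints (without executing) the iptables rules for an allow-list and a per-source rate limit. The two config files it writes are constructed samples. One caveat a practitioner should know: sshd honours the first occurrence of a keyword, so a hardened line appended at the bottom of the file does nothing if a weaker one sits above it, and the audit deliberately mirrors that. On a host where CSF manages iptables, put the equivalent rules in CSF's own configuration rather than adding raw iptables lines, since CSF rebuilds the chains when it restarts.

```shell
#!/bin/sh
# Audit sshd_config for the settings recommended in the thread and emit
# iptables rules for an SSH allow-list and a per-source rate limit.
# Both config files written below are constructed samples.

# First effective value of a directive (sshd uses the FIRST occurrence of a
# keyword; later duplicates are ignored). Comment lines are skipped; Match
# blocks are not handled by this simple check.
sshd_get() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# One OK/WARN/INFO line per check. Unset directives fall back to the
# OpenSSH defaults (PasswordAuthentication yes, PubkeyAuthentication yes,
# MaxAuthTries 6, MaxStartups 10:30:100).
sshd_config_audit() {
    f=$1
    pa=$(sshd_get "$f" PasswordAuthentication); [ -n "$pa" ]  || pa=yes
    pk=$(sshd_get "$f" PubkeyAuthentication);   [ -n "$pk" ]  || pk=yes
    mat=$(sshd_get "$f" MaxAuthTries);          [ -n "$mat" ] || mat=6
    ms=$(sshd_get "$f" MaxStartups);            [ -n "$ms" ]  || ms=10:30:100
    if [ "$pa" = no ]; then echo "OK   PasswordAuthentication no"
    else echo "WARN PasswordAuthentication $pa (password guessing possible; use keys only)"; fi
    if [ "$pk" = yes ]; then echo "OK   PubkeyAuthentication yes"
    else echo "WARN PubkeyAuthentication $pk (key auth disabled)"; fi
    if [ "$mat" -le 3 ]; then echo "OK   MaxAuthTries $mat"
    else echo "WARN MaxAuthTries $mat (more guesses per connection; 3 recommended above)"; fi
    echo "INFO MaxStartups $ms (raise during connection floods, e.g. 100)"
}

# Number of WARN lines, usable as a pass/fail count.
sshd_config_warnings() {
    sshd_config_audit "$1" | grep -c '^WARN' || true
}

# iptables commands (printed, not run) that accept new SSH connections only
# from the given CIDRs and drop the rest.
ssh_allowlist_rules() {
    port=$1; shift
    for cidr in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -s $cidr -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j DROP"
}

# Per-source rate limit for an SSH port that must stay open to the world:
# the HITS-th new connection from one address within SECS seconds is dropped.
ssh_ratelimit_rules() {
    port=$1; hits=${2:-5}; secs=${3:-60}
    echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --set --name SSH --rsource"
    echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --update --seconds $secs --hitcount $hits --name SSH --rsource -j DROP"
}

# Constructed samples: defaults left in place, and a hardened file.
WEAK=$(mktemp); HARD=$(mktemp)
cat > "$WEAK" <<'EOF'
Port 22
PasswordAuthentication yes
MaxAuthTries 6
# appended later; sshd keeps the first value above, so this line is ignored:
PasswordAuthentication no
EOF
cat > "$HARD" <<'EOF'
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
MaxAuthTries 3
MaxStartups 100
EOF

echo "== weak =="; sshd_config_audit "$WEAK"
echo "== hardened =="; sshd_config_audit "$HARD"
echo "== firewall =="; ssh_allowlist_rules 2222 203.0.113.0/24 198.51.100.7/32; ssh_ratelimit_rules 2222
```

Run the audit against your own file with `sshd_config_audit /etc/ssh/sshd_config`; the weak sample still reports PasswordAuthentication yes despite the "no" at the bottom, which is exactly the mistake the first-occurrence rule produces in practice. Before restarting sshd after any change, `sshd -t` validates the file, and keeping an existing session open until a new one succeeds avoids locking yourself out.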