Securing the SSH server. Configuring SSH against mass bruteforce attacks


In this short note I have collected ways to improve the security of an SSH server. The most useful and simplest techniques are described in full; the more involved ones are only pointed out for the interested reader.

Main settings

The settings live in the sshd daemon's configuration file, /etc/ssh/sshd_config. Below is part of that file with comments.

### Network ###
# Use a non-standard port (>1024)
Port 5679
# Accept only IPv4 connections
# inet = IPv4, inet6 = IPv6, any = both
AddressFamily inet
# Accept connections only on a specific address (set it and uncomment)
#ListenAddress 0.0.0.0
# Use only protocol version 2; version 1 is insecure
Protocol 2
# Disable graphics (X server) forwarding until you clearly need it
X11Forwarding no
# Disable TCPKeepAlive and use ClientAliveInterval instead:
# keepalive packets are unauthenticated and can be spoofed
TCPKeepAlive no
# Drop the session after a period of client inactivity
# (a probe every 600 s, 3 unanswered probes)
ClientAliveInterval 600
ClientAliveCountMax 3

### Key configuration ###
# Host keys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
# Privilege separation
# sandbox - OpenSSH >= 5.9 ("yes" for older versions)
UsePrivilegeSeparation sandbox
# If you change the key size, delete the old key
# /etc/ssh/ssh_host_rsa_key(,.pub); a new one is created
# when sshd is restarted.
# Lifetime of the protocol 1 ephemeral server key, i.e. after this
# time a new key is generated to replace the previous one
KeyRegenerationInterval 1h
# Strength of that server key
ServerKeyBits 2048
# Allow public-key authentication
PubkeyAuthentication yes
# File with trusted keys in the user's home directory
AuthorizedKeysFile .ssh/authorized_keys

### Logging ###

### Authentication ###
# Time allowed to enter the password or present the key
LoginGraceTime 30s
# Forbid remote login with the root account
PermitRootLogin no
# Enable strict checking of file permissions in the user's directory
StrictModes yes
# The number of password retries per connection is set with MaxAuthTries
# Disable password authentication altogether
# (public/private key challenge-response is used instead)
PasswordAuthentication no
# Disable "challenge-response" authentication,
# it is pointless when keys are used
ChallengeResponseAuthentication no
# If we do not use passwords, we need neither PAM nor login(1)
UsePAM no
UseLogin no
# Allow the client to send only a restricted set of environment variables
# RH BZ#CVE-2014-252 # ShellShock exploit (ShellShock is CVE-2014-6271)
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_

These are the parameters set in the sshd configuration file. After changing the configuration, restart the sshd service.

A caveat for current systems: several directives in this listing exist only in older OpenSSH releases. Protocol 1 support, and with it ServerKeyBits and KeyRegenerationInterval, was removed from the server in OpenSSH 7.4, as was UseLogin; UsePrivilegeSeparation was removed in 7.5 (separation is now always on); ChallengeResponseAuthentication was renamed KbdInteractiveAuthentication in 8.7 and the old name survives as an alias. DSA host keys have been disabled by default since 7.0, so replace the ssh_host_dsa_key line with HostKey /etc/ssh/ssh_host_ed25519_key. Newer sshd only warns about deprecated keywords but refuses to start on unknown ones, so run sshd -t after editing and keep your current session open until you have logged in again on the new port.

Comments

  • If you choose key-based authentication, the key must first be generated on the client machine and the public key copied to the server. Example (user@host stand for your login and the server address):
client $ ssh-keygen
client $ cat ~/.ssh/id_rsa.pub | ssh -p 5679 user@host "cat >> ~/.ssh/authorized_keys"
    This only works if ~/.ssh already exists on the server with mode 700 and authorized_keys has mode 600: with StrictModes yes sshd silently ignores a group- or world-writable file. Do this, and test the key login, before setting PasswordAuthentication no, or you will lock yourself out.
  • sshd writes its log entries to /var/log/auth.log. If this file is missing, the logging system needs to be configured; examples exist for syslog and syslog-ng. I use syslog-ng and had to add the following lines to /etc/syslog-ng/syslog-ng.conf (src is the source defined at the top of the default configuration):
destination authlog { file("/var/log/auth.log"); };
log { source(src); destination(authlog); };

and restart the syslog-ng service.

  • When using a non-standard port you may need to adjust your firewall (iptables, firewalld, etc.).
    Example for iptables:
root# iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 5679 -j ACCEPT
root# iptables -L INPUT -n
...
ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:22
ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:80
ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW,ESTABLISHED tcp dpt:5679
...
    -A appends the rule, so it lands after any existing REJECT or DROP rule in the chain; check the order with iptables -L INPUT -n --line-numbers, and remove the old dpt:22 rule once you have confirmed that login on the new port works.

What is not covered

This is only a basic configuration. Additionally you can set up:

  • firewall (iptables)

In this article, we can see the basic method of zakhistu SSH vіd massive bruteforce attacks. Under a mass bruteforce attack in this case, it may not be possible to direct the password to your SSH itself, but to a wide range of servers, for a remote manifestation of the login-password, which is not stable before the choice of the bet.

The main features of the SSH mass bruteforce attack are a wide range of IP scans on port 22 and the variation of the password name and password, which are often used (for example, root:passwd123, admin:server123, etc.).

To get statistics on recent SSH authentication attempts from your server's log files, run:

cat /var/log/secure* | grep "Failed password" | grep sshd | awk '{print $1, $2}' | sort -k 1,1M -k 2n | uniq -c

(/var/log/secure is the RHEL/CentOS location; Debian and Ubuntu log to /var/log/auth.log, and on systemd-based systems journalctl -u sshd, or -u ssh on Debian/Ubuntu, shows the same messages.)

The output is the number of failed login attempts per day (the original article showed it as a screenshot). If you see similar numbers on your server, it is time to protect your SSH from mass bruteforce.

1. If you do not log in with commonly attacked usernames such as root, admin, administrator, user, etc., and already use a strong password, you can go straight to the next point. To change your password to a stronger one, run:

passwd #your_login#

where #your_login# is your username.
While you type the new password nothing is echoed; the cursor stays in place.

Otherwise, connect to the server via SSH, create a new account and set a password for it with:

adduser #newuser#
passwd #newuser#

where #newuser# is your new username. Do not use a common username; a better option is your nickname plus admin (for example foxadmin, useralex, rootidler).

2. Next, log in via SSH with the new username and password and open the SSH daemon configuration (sshd_config) with:

vi /etc/ssh/sshd_config

You will see the contents of the configuration file. Lines that begin with # are commented out.

To protect SSH from mass bruteforce, uncomment and change, or add, the following parameters in the file:
a) Port - the port on which sshd accepts connections. Uncomment it (delete the # at the beginning of the line) and change the default value of 22 to another value in the range 1024-65535, avoiding ports already used by other services, for example:

Port 2022

To delete the # and change port 22, first press i on the keyboard (insert mode); after editing the line press Esc.

b) LoginGraceTime - the time allowed for a user to log in. If the user has not logged in within the time set by this directive, the session is closed. Change the value to:

LoginGraceTime 1m

c) PermitRootLogin - whether the root user may log in via SSH. Change it to no.

PermitRootLogin no

d) AllowUsers - the users allowed to log in via SSH. Replace #your_login# with the newly created username.

AllowUsers #your_login#

e) MaxAuthTries - the number of authentication attempts allowed per connection. When the maximum is reached, the session is closed. Note that with public-key authentication every key the client offers counts as one attempt, so a client with several keys loaded in its agent may be cut off before it reaches the right one; set IdentitiesOnly yes (or IdentityFile) for that host in the client's ssh_config.

MaxAuthTries 2

As a result we get:

Port 2022
LoginGraceTime 1m
PermitRootLogin no
AllowUsers #your_login#
MaxAuthTries 2
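Before restarting sshd it is worth checking what it will actually apply, because sshd takes the first value it finds for a directive: a PermitRootLogin no appended below a PermitRootLogin yes, or below an Include /etc/ssh/sshd_config.d/*.conf line whose files set it, changes nothing, and values inside a Match block apply only to matching connections. The script below is an added example written for this page, not code from any of the original articles or from OpenSSH. It checks the directives used in the listing above and in the full configuration earlier on this page against the values those listings recommend; the baseline values, the function names and the treatment of relative Include paths (resolved under /etc/ssh, as sshd does) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): compute the value sshd will
# actually apply for a directive. sshd uses the FIRST value it finds for each
# keyword, follows Include directives in place (a default
# "Include /etc/ssh/sshd_config.d/*.conf" at the top of the file wins over
# anything below it), and everything after a Match line applies only to
# matching connections. Keywords are case-insensitive; "#" starts a comment.
sshd_effective() {
    local cfg=$1 key line k f g v in_match=0
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -r "$cfg" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # drop comments
        set -f; set -- $line; set +f     # split words without glob expansion
        [ $# -eq 0 ] && continue
        k=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        if [ "$k" = match ]; then in_match=1; continue; fi
        [ $in_match -eq 1 ] && continue  # conditional section: skipped here
        if [ "$k" = include ]; then
            shift
            for f in "$@"; do
                case $f in /*) ;; *) f=/etc/ssh/$f ;; esac   # relative to /etc/ssh
                for g in $f; do          # Include arguments are glob patterns
                    if v=$(sshd_effective "$g" "$key"); then
                        printf '%s\n' "$v"; return 0
                    fi
                done
            done
            continue
        fi
        if [ "$k" = "$key" ]; then
            shift; printf '%s\n' "$*"; return 0
        fi
    done < "$cfg"
    return 1
}

# Compare the effective values with the hardening baseline used on this page.
# Prints one line per mismatch ("DIRECTIVE wanted=X got=Y") and returns 1 if
# anything is off; a directive that is absent reports got=(default).
sshd_audit() {
    local cfg=$1 rc=0 pair want got
    for pair in "PermitRootLogin no" "PasswordAuthentication no" \
                "PubkeyAuthentication yes" "PermitEmptyPasswords no" \
                "ChallengeResponseAuthentication no" "X11Forwarding no" \
                "LogLevel VERBOSE" "MaxAuthTries 2"; do
        set -- $pair
        want=$2
        got=$(sshd_effective "$cfg" "$1") || got="(default)"
        if [ "$got" != "$want" ]; then
            printf '%s wanted=%s got=%s\n' "$1" "$want" "$got"; rc=1
        fi
    done
    # the port only has to be something other than the default 22
    got=$(sshd_effective "$cfg" Port) || got=22
    if [ "$got" = 22 ]; then printf 'Port wanted=non-22 got=%s\n' "$got"; rc=1; fi
    return $rc
}

# usage: sshd_audit /etc/ssh/sshd_config && echo "baseline OK"
```

sshd has its own checks as well: sshd -t -f /etc/ssh/sshd_config reports syntax errors and unknown keywords, and sshd -T (run as root) prints every effective directive after includes and defaults. Run both before service sshd restart, since an sshd that fails to start leaves you with no way back in.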

This concludes the SSH configuration for protection against mass bruteforce. After editing, press : on the keyboard, type wq in the command line that appears at the bottom and press Enter. The changes are saved and the editor closes.

If you made a mistake (for example, accidentally deleted something), leave without saving by typing q! instead of wq.

After the configuration is done, restart the daemon with:

service sshd restart

Before closing your current session, open a second terminal and check that you can log in on the new port: the port must also be allowed in the firewall, and on CentOS/RHEL with SELinux enforcing it has to be registered first with semanage port -a -t ssh_port_t -p tcp 2022, otherwise sshd will not be allowed to bind it.

From now on, connect via SSH using the new port 2022 (or whichever you set in the configuration) instead of the default 22.

In the next article on SSH configuration I will show how to disable password login entirely and allow only login with a private SSH key, which gives the best protection against password guessing.


To protect the server from password guessing, you can use the sshguard or sshit utilities.

How they work.

sshguard and sshit work on the same principle: they analyze system log messages about failed authentication and, when a threshold is reached, add the attacking IP to a blocking firewall rule. After a set time the IP is removed from the rule again.
A working firewall is required.

SSHGuard

sshguard can use the following firewall backends:

  • AIX native firewall - for IBM AIX
  • netfilter/iptables - for Linux-based operating systems
  • Packet Filter (PF) - for the BSD systems (OpenBSD, FreeBSD, NetBSD, DragonFly BSD)
  • IPFirewall (IPFW) - for FreeBSD and Mac OS X
  • IP Filter (IPFILTER) - for FreeBSD, NetBSD and Solaris
  • tcpd's hosts_access (/etc/hosts.allow) - portable across UNIX
  • null - portable do-nothing backend that detects but does not block

I use PF, so this note covers the PF setup.

Installing sshguard.

FreeBSD:

Install from ports:

cd /usr/ports/security/sshguard-pf/ && make install clean

If for some reason you do not want to use ports, take the latest version from the sshguard site and build it manually:

./configure --with-firewall=pf && make && make install

Debian:

apt-get install sshguard

Configuring the OS for sshguard.

Create a file for the log:

# touch /var/log/sshguard

Debian (wheezy):

Edit the following line in /etc/default/sshguard:

# mcedit /etc/default/sshguard
#ARGS="-a 40 -p 420 -s 1200"
ARGS="-a 5 -p 420 -s 2400 -b 5:/etc/sshguard/blacklist"

then restart sshguard:
service sshguard restart

FreeBSD:

Two lines need to be added to the PF configuration:

table <sshguard> persist

declares the table into which sshguard will put the attackers' IPs (sshguard's PF backend uses the table name sshguard; the angle brackets were lost in the original listing).

block in quick on $if0 proto tcp from <sshguard> to any port ssh

The blocking rule itself goes at the top of the rules block in the PF configuration file; $if0 is the interface on which to block, change it to any to block on all interfaces.
Reload the configuration file:

# pfctl -f /etc/pf.conf

Then make syslog feed sshguard by adding to syslog.conf:

auth.info;authpriv.info |exec /usr/local/sbin/sshguard

and restart syslog:

# /etc/rc.d/syslogd restart

After these manipulations sshguard blocks attackers with its default parameters.
During an attack, /var/log/auth.log looks roughly like this:

Jun 16 11:01:40 www sshd: Invalid user test from 61.172.251.183
Jun 16 12:29:48 www sshd: Invalid user test from 85.114.130.168
Jun 16 12:29:49 www sshd: Invalid user test from 85.114.130.168
Jun 16 12:29:50 www sshd: Invalid user test from 85.114.130.168
Jun 16 12:29:50 www sshd: Invalid user test from 85.114.130.168
Jun 16 12:29:50 www sshguard: Blocking 85.114.130.168

Tuning sshguard parameters

sshguard has a number of parameters we can change:
-a the number of failed authentication attempts after which an IP is blocked. Default 4.
-p the number of seconds after which the IP is unblocked. Default 420.
-s how many seconds sshguard remembers an IP (the detection window). Default 1200. If the attacker spaces its attempts 30 minutes apart, the default setting never bans it.
-w a whitelisted IP, network, or path to a file with whitelisted addresses. File format: one entry per line, # starts a comment.
-b after how many blocks an IP is added to the blacklist, and the path to the blacklist file, in the form N:path. The blacklist is loaded when sshguard starts and is never cleared automatically.

These switches belong to sshguard 1.x. sshguard 2.x reads /etc/sshguard.conf (or /usr/local/etc/sshguard.conf) instead, where THRESHOLD, BLOCK_TIME, DETECTION_TIME, BLACKLIST_FILE and WHITELIST_FILE play the roles of -a, -p, -s, -b and -w.

sshguard 1.x has no configuration file; the parameters are given when sshguard is started. In our case sshguard is started by syslog, so edit syslog.conf so that sshguard blocks an IP after 3 failed authentication attempts for 1500 seconds (25 minutes) and adds it to the blacklist after the 5th block:

auth.info;authpriv.info |exec /usr/local/sbin/sshguard -a 3 -p 1500 -b 5:/usr/local/etc/sshguard.blacklist

With the default -p, a repeat offender is blocked for increasing periods:
the first time for 420 seconds, released after 7 minutes;
the second time for 2 * 420, released after 14 minutes;
the third time for 2 * 2 * 420, released after 28 minutes, and so on:
2^(N-1) * 420 seconds the Nth time.

sshit

sshit is a Perl script; it requires Perl on the system and two modules:

  • IPC::Shareable
  • Proc::PID::File

sshit works only with pf and ipfw.

Installing sshit

cd /usr/ports/security/sshit/ && make install clean

Configuring sshit.

sshit has a configuration file, /usr/local/etc/sshit.conf, where the default values can be overridden:

FIREWALL_TYPE = "pf";     # which firewall is used
MAX_COUNT = 3;            # number of failed authentication attempts after which the IP is blocked
WITHIN_TIME = 60;         # the window, in seconds, within which those attempts must occur
RESET_IP = 300;           # after how many seconds the IP is unblocked
PFCTL_CMD = "/sbin/pfctl";
PF_TABLE = "badhosts";    # the table into which bad IPs are put

Configuring the OS for sshit.

By analogy with the sshguard setup, edit the PF configuration file:

table <badhosts> persist
block in quick on $if0 proto tcp from <badhosts> to $if0 port ssh label "ssh brute"

reload the configuration file:

# pfctl -f /etc/pf.conf

Edit syslog.conf:

auth.info;authpriv.info |exec /usr/local/sbin/sshit

and restart syslog.
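The three thresholds this page mentions, the per-day statistics from grep "Failed password", sshguard's -a/-s pair and sshit's MAX_COUNT/WITHIN_TIME, are the same rule: N failures from one address inside a time window. The script below is an added example for this page (not sshguard's or sshit's code); it implements that rule over a few constructed log lines in syslog format and prints, without executing them, the pfctl or iptables commands a blocker would run. The sample lines, the addresses (from the RFC 5737 documentation ranges), the pf table name taken from the sshguard setup above, and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not part of the original articles). Constructed sshd log
# lines in syslog format, not taken from a real server: one host probes once,
# one fails four times within two seconds, one spreads three attempts
# ten minutes apart (the slow pattern the sshguard -s note above describes).
SAMPLE_AUTH_LOG='Jun 16 11:01:40 www sshd[2101]: Invalid user test from 203.0.113.5 port 40122
Jun 16 12:29:48 www sshd[2140]: Failed password for invalid user test from 198.51.100.7 port 51304 ssh2
Jun 16 12:29:49 www sshd[2140]: Failed password for invalid user test from 198.51.100.7 port 51304 ssh2
Jun 16 12:29:49 www sshd[2142]: Failed password for root from 198.51.100.7 port 51310 ssh2
Jun 16 12:29:50 www sshd[2144]: Failed password for admin from 198.51.100.7 port 51318 ssh2
Jun 16 12:30:01 www sshd[2150]: Accepted publickey for alex from 192.0.2.10 port 50022 ssh2
Jun 16 12:40:00 www sshd[2160]: Failed password for root from 192.0.2.77 port 33001 ssh2
Jun 16 12:50:00 www sshd[2170]: Failed password for root from 192.0.2.77 port 33002 ssh2
Jun 16 13:00:00 www sshd[2180]: Failed password for root from 192.0.2.77 port 33003 ssh2'

# ssh_bruteforce_sources MAX_COUNT WITHIN_SECONDS < logfile
# The rule sshit calls MAX_COUNT/WITHIN_TIME and sshguard -a/-s: an address is
# flagged as soon as MAX_COUNT failures fall inside a sliding window of
# WITHIN_SECONDS. Prints "ip count" once per flagged address, in the order
# in which they crossed the threshold.
ssh_bruteforce_sources() {
    awk -v maxc="${1:-3}" -v within="${2:-60}" '
    BEGIN { nm = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= nm; i++) mon[m[i]] = i }
    # only sshd authentication failures count; accepted logins are ignored
    /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
        split($3, t, ":")
        # seconds since an arbitrary epoch: the syslog stamp has no year and
        # months are taken as 31 days, which is enough for ordering events
        ts = ((mon[$1] * 31 + $2) * 24 + t[1]) * 3600 + t[2] * 60 + t[3]
        ip = ""
        for (i = 4; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
        if (ip == "" || (ip in flagged)) next
        cnt[ip]++
        stamp[ip, cnt[ip]] = ts
        # forget attempts that fell out of the window
        while (head[ip] < cnt[ip] && stamp[ip, head[ip] + 1] < ts - within) head[ip]++
        if (cnt[ip] - head[ip] >= maxc) { flagged[ip] = 1; print ip, cnt[ip] - head[ip] }
    }'
}

# ssh_block_commands BACKEND < "ip count" lines
# Prints, without running them, the firewall commands a blocker would issue:
# pf adds the address to the table declared in pf.conf (SSH_PF_TABLE, default
# sshguard), iptables inserts a DROP for the SSH port (SSH_PORT, default 22).
ssh_block_commands() {
    local backend=${1:-pf} ip rest
    while read -r ip rest; do
        case $backend in
            pf)       printf 'pfctl -t %s -T add %s\n' "${SSH_PF_TABLE:-sshguard}" "$ip" ;;
            iptables) printf 'iptables -I INPUT -s %s -p tcp --dport %s -j DROP\n' \
                          "$ip" "${SSH_PORT:-22}" ;;
            *)        echo "ssh_block_commands: unknown backend '$backend'" >&2; return 1 ;;
        esac
    done
}

# Stand-alone demo: 3 failures within 60 s, shown as pf commands
printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_bruteforce_sources 3 60 | ssh_block_commands pf
```

With a 60-second window only the burst from 198.51.100.7 is caught; widening the window to 1800 seconds (the 30 minutes from the -s discussion above) also catches 192.0.2.77, which is exactly the trade-off the -s and WITHIN_TIME settings control. Once PasswordAuthentication is off there are no "Failed password" lines any more, but the "Invalid user" messages the pattern also matches still appear.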

Secure Shell needs no introduction. Since its release in 1995, SSH has become the universal remote access protocol for Linux.

However, as they say, with great power comes great responsibility. An incorrectly configured SSH daemon can be more of a threat than a help. This article looks at five simple ways to improve SSH security.

1. Disable root login.

The simplest step. There are few good reasons to allow root login over SSH. Disabling such access is easy and costs nothing in security.

Open /etc/ssh/sshd_config (it may be in a different directory depending on the distribution). In it, set the PermitRootLogin field to "no":

PermitRootLogin no

Of course, this does not stop anyone from breaking in under an ordinary user, but it is an extra obstacle on the way to taking over the system.

Having read and applied everything written above, we end up with key-based authorization on the server. After that you can disable interactive (password) login:

PasswordAuthentication no
ChallengeResponseAuthentication no

DenyHosts is a Python script for administrators that automatically adds hosts to a blacklist after failed login attempts, banning them for a long time. The easiest way to install it (on Gentoo):

europa ~ # emerge -pv denyhosts
These are the packages that would be merged, in order:
Calculating dependencies... done!
app-admin/denyhosts-2.5 0 kB
Total size of downloads: 0 kB
europa ~ # emerge denyhosts

The program's documentation is not very rich, but all configuration options are properly described in the configuration file itself.

europa ~ # nano -w /etc/denyhosts.conf

I do not think the DenyHosts configuration will cause any particular problems; just read the config carefully.

After configuration you can run the program either as a daemon or from the scheduler. As a Gentoo daemon:

rc-update add denyhosts default

Via cron, say every 10 minutes:

python /usr/bin/denyhosts -c /etc/denyhosts.conf

The beauty of DenyHosts is not only that it blocks hosts that try to get into your SSH server, but also that it can synchronize your "blacklist" with the DenyHosts servers. This builds a collective list of the hosts attackers use, which cuts the attack off at the root.

One caveat: DenyHosts blocks through /etc/hosts.deny, which only works if sshd is linked against tcp_wrappers (libwrap). Upstream OpenSSH removed tcp_wrappers support in 6.7, so check with ldd $(which sshd) | grep libwrap that your sshd still honours hosts.deny; if it does not, use a firewall-based blocker such as sshguard instead.

4. Change the port number.

Most attacks come from automated scripts that scan for SSH daemons. In the overwhelming majority of cases they try port 22, which plays into our hands: by changing the port we automatically cut off most unauthorized attempts. Keep in mind that this only reduces the noise from unsophisticated scanners; a targeted attacker finds the new port with a port scan, so the other measures are still needed.

Change it in the config with the Port directive.

SSH is a protocol designed for secure, encrypted transmission of data over the network. It is widely used by Linux administrators for managing remote servers. A server connected to the Internet is also frequently attacked through its SSH service in order to gain access to the server, most often by guessing the password of a user with administrator rights. These instructions cover the basic security recommendations for SSH connections.

Set a strong password

Your server may be attacked by intruders trying to guess the password of an SSH account. To reduce the risk of compromise, it is recommended to set passwords for the server's accounts that meet the following requirements:

  • at least 8 characters (longer is better)
  • upper- and lower-case letters (AaBb)
  • digits and punctuation characters

A strong password protects not only against attacks on the SSH protocol but improves the server's security in general.

Use SSH keys

An additional protection for your server is connecting to SSH with a key. You need to generate the key on the computer or server from which you will connect:

How to create an SSH key on Windows:

To create a key on Linux, run:

ssh-keygen -t rsa

(On OpenSSH 6.5 or newer prefer ssh-keygen -t ed25519; if you stay with RSA, use at least 3072 bits, for example ssh-keygen -t rsa -b 4096.)

To install your key on the server you will connect to, run:

ssh-copy-id -p 22 admin@192.168.1.1

  • -p 22 - the port on which the server's SSH service listens (it may be changed, see below)
  • admin - your login on the server
  • 192.168.1.1 - your server's IP address

If everything was done correctly, you can now connect to the server with the key, without entering a password.
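Both the cat >> ~/.ssh/authorized_keys command in the first part of this page and ssh-copy-id above assume that the server-side directory and file end up with the permissions sshd's StrictModes requires. The function below is an added example for this page, not part of the original articles or of OpenSSH: it installs a key with those permissions, rejects malformed input, avoids duplicates, and can prepend authorized_keys options (from=, no-pty, no-port-forwarding are real OpenSSH option names) to restrict where and how the key may be used. The function names and the key strings in the usage are this example's own; the key strings are dummies, not real key material.

```shell
#!/bin/sh
# Added example (not part of the original articles): install a public key on
# the server the way "cat >> ~/.ssh/authorized_keys" and ssh-copy-id are
# meant to, but with the checks sshd's StrictModes relies on: ~/.ssh must be
# mode 700 and authorized_keys mode 600, or sshd silently ignores the file and
# you are locked out once PasswordAuthentication is off.
#
# install_authorized_key HOME_DIR "TYPE BASE64 [COMMENT]" [OPTIONS]
# OPTIONS is an optional authorized_keys option list such as
# 'from="192.0.2.0/24",no-port-forwarding,no-pty'. Re-installing a key that
# is already present (even with a new comment) is a no-op.
install_authorized_key() {
    local home_dir=$1 pubkey=$2 options=$3 keyfile
    set -f; set -- $pubkey; set +f            # split "type blob comment"
    case $1 in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "install_authorized_key: unsupported key type '$1'" >&2; return 1 ;;
    esac
    printf '%s' "$2" | grep -Eq '^[A-Za-z0-9+/]+=*$' \
        || { echo "install_authorized_key: key blob is not base64" >&2; return 1; }
    keyfile=$home_dir/.ssh/authorized_keys
    mkdir -p "$home_dir/.ssh" || return 1
    chmod 700 "$home_dir/.ssh"
    [ -f "$keyfile" ] || : > "$keyfile"
    chmod 600 "$keyfile"
    # match on type and blob only, so a different comment is still a duplicate
    grep -Fq "$1 $2" "$keyfile" && return 0
    if [ -n "$options" ]; then
        printf '%s %s\n' "$options" "$pubkey" >> "$keyfile"
    else
        printf '%s\n' "$pubkey" >> "$keyfile"
    fi
}

# authorized_keys_ok HOME_DIR
# Reports whether the permissions are what StrictModes wants; prints each
# problem and returns 1 if there is any.
authorized_keys_ok() {
    local home_dir=$1 rc=0
    [ -n "$(find "$home_dir/.ssh" -prune -perm 700 -print 2>/dev/null)" ] \
        || { echo "$home_dir/.ssh is not mode 700"; rc=1; }
    [ -n "$(find "$home_dir/.ssh/authorized_keys" -perm 600 -print 2>/dev/null)" ] \
        || { echo "$home_dir/.ssh/authorized_keys is not mode 600"; rc=1; }
    return $rc
}

# usage (dummy key, not real key material):
#   install_authorized_key /home/admin \
#       'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotARealKey00000 admin@laptop' \
#       'from="192.168.1.0/24",no-port-forwarding'
#   authorized_keys_ok /home/admin && echo "permissions OK"
```

StrictModes also rejects a home directory that is group- or world-writable, so if sshd still ignores the key after this, check the permissions of the home directory itself and look for "Authentication refused: bad ownership or modes" in the auth log.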

Use a non-standard port

By default the SSH service listens on port 22, and attackers take advantage of the fact that many people never change the standard port. By changing the port we further reduce the risk of our server being compromised.

Open the SSH configuration file on the server:

sudo nano /etc/ssh/sshd_config

Find the commented-out line:

# Port 22

Remove the # to uncomment the option and change 22 to another number above 1024, for example 11060; the line should now look like this:

Port 11060

Save the configuration (Ctrl+O) and exit the editor (Ctrl+X).

The SSH service must be restarted for the new settings to take effect:

sudo service sshd restart

We have now changed the connection port, so from now on you must specify the non-standard port with the -p 11060 option when connecting, for example:

ssh -p 11060 admin@192.168.1.1

Allow access only to some users

SSH access can be restricted to particular accounts. For example, if the server has three accounts, admin, sergey and alex, you can allow remote login only for some of them. Open the SSH configuration file:

sudo nano /etc/ssh/sshd_config

In this file go down with the arrow keys to the last line and add a new one with the following contents:

AllowUsers admin alex

Save the configuration (Ctrl+O) and exit the editor (Ctrl+X).

Restart the SSH service:

sudo service sshd restart

With this we have allowed remote access for the users admin and alex, while the user sergey can no longer connect remotely.

Use SSH protocol 2

Old SSH versions can still work in protocol version 1 mode; that version is obsolete and has known weaknesses, so for better security make sure the server runs only in version 2 mode. OpenSSH has disabled protocol 1 by default since 5.4 and removed it from the server in 7.4, so on current systems the directive is redundant, but on an older server it is worth checking. Open the server configuration file (sshd_config; the similarly named ssh_config configures the ssh client and has no effect on incoming connections):

sudo nano /etc/ssh/sshd_config

Find the line:

#Protocol 2

Remove the # to uncomment the option; the line should look like this:

Protocol 2

Save the configuration (Ctrl+O) and exit the editor (Ctrl+X).

Restart the SSH service:

sudo service sshd restart

Disable empty passwords

By default the SSH service refuses connections for accounts without a password; if this option has been enabled on your server, open the server configuration file:

sudo nano /etc/ssh/sshd_config

Find the PermitEmptyPasswords line and make sure its value is "no":

PermitEmptyPasswords no

Enable a more detailed log

So that the SSH service logs connections in more detail, including the client IP address and, at this level, the fingerprint of the key used to log in, open the server configuration file:

sudo nano /etc/ssh/sshd_config

Find the LogLevel line and replace INFO with VERBOSE; the line should look like this:

LogLevel VERBOSE

Save the file (Ctrl+O) and exit the editor (Ctrl+X).

Restart the SSH service:

sudo service sshd restart

You can check the result with:

cat /var/log/secure

The system shows us information like this:

Jun 21 13:06:28 centos sshd: Failed password for root from 118.212.143.47 port 48263 ssh2

That is, in this record we see a failed attempt to get into the server from the given address.

Thank you for your attention; that is all.
