DOS attacks on your ssh server

If you’re running a linux box, you’re probably running an ssh server on it. Highly secure, if you’ve configured it right, but there are a few things you can do to increase security even further. There’s a kind of attack called a Denial of Service (DOS) that basically just hammers the machine on a specified port repeatedly with requests (well formed or otherwise) in the hope that a buffer overflow or a brute force password attack will allow for a break-in.

This is where you need to configure your firewall, so that it bans a given IP from reaching the ssh server at all, if there are more than 3 (failed) connection attempts within a minute. The commands below are for the iptables firewall… very commonly found on most linux distros, but you will have to  look for other means if your firewall is different.

# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

This does not necessarily secure you from a Distributed Denial of Service (DDOS) attack, and in no way does it ensure that your machine is completely hack-proof. (Is that even possible?) But it will (mostly) keep those pesky script kiddies at bay ;).

For more information on ssh and general system security, the following links are informative sources to start with:

http://www.rackaid.com/resources/how-to-add-protective-measures-against-ssh-attacks/

http://www.rackaid.com/resources/how-to-harden-or-secure-ssh-for-improved-security/

http://fedoranews.org/contributors/sonny_nguyen/pam/

Advertisements

, ,

  1. Leave a comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: