Stopping an ssh brute force Attack

SSH is probably one of the greatest protocols ever created. It lets you securely run commands on, or transfer files to, a remote machine.

Since SSH grants access to a machine’s resources, it is one of the running services that hackers like to target. One of the most common ways of attacking the ssh service is what’s called a brute force attack.

1. Brute Force Attack

During a brute force attack, a hacker repeatedly tries to guess the password of a certain user account.

$ ssh root@example.com
root@example.com's password:
Permission denied, please try again.
root@example.com's password:
Permission denied, please try again.
root@example.com's password:
Permission denied, please try again.
root@example.com's password:
Permission denied, please try again.

Doing that by hand would take an eternity, so the hacker uses a tool that automatically tries a lot of username and password combinations until it finds the correct password. You can usually tell whether a Linux server has been under attack by looking at the file /var/log/auth.log (on Debian and Ubuntu; Red Hat based systems write the same messages to /var/log/secure).

$ sudo tail /var/log/auth.log
...Failed password for root from 103.243.147.160 port 35330 ssh2
...Failed password for root from 42.119.111.155 port 59106 ssh2

As you can see in the output, there have been multiple attempts to connect as the user root from different sources.

You can also use the tool lastb, which lists all bad login attempts recorded in /var/log/btmp. We use grep to keep only the ssh related attempts.

$ sudo lastb | tail -3 | grep ssh
root        ssh:notty   43.131.30.179 ...
root        ssh:notty   182.74.230.10 ...
stephen     ssh:notty   182.74.230.10 ...

As you can see, the hackers are blindly trying to guess the correct password for the root account and the stephen account.

2. Disabling root login

One of the most important defenses against this attack is to disable ssh access for the root account. Create another account with a name that is not easy to guess and block ssh access for the root account, whose name everyone knows. This adds another layer of protection, since the hacker now has to guess both the account name and the password.

To do that, add the following line to the file /etc/ssh/sshd_config, check the syntax with sshd -t, and reload the sshd service so the change takes effect

PermitRootLogin no

3. Disabling Password login

Warning: before attempting this step you have to configure key based authentication for your user account and confirm that it works from a second ssh session. Failing to do so will lock you out of the server.

You can disable password login altogether, which makes ssh work with keys only. You can achieve this by adding the following lines to the file /etc/ssh/sshd_config (on OpenSSH 8.7 and later the first directive is called KbdInteractiveAuthentication; the old name is still accepted as an alias)

ChallengeResponseAuthentication no
PasswordAuthentication no
PermitEmptyPasswords no
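Editing sshd_config by hand is easy to get wrong: a directive left commented out, a "yes" that was never changed, or a setting placed after a Match block where it only applies conditionally. The following shell function is an added example, not part of the original post, that checks a configuration for the four directives from sections 2 and 3. The sample configuration is constructed to contain exactly those mistakes. It reads one file only; it does not follow Include directives, so on a real host confirm the effective values with sshd -T, which prints the configuration sshd actually uses.

```shell
#!/bin/sh
# Added example: report the hardening directives from sections 2 and 3 that
# are missing or weak in an sshd_config. Constructed sample, not a real file.
SAMPLE_CFG='# root ban commented out, password auth still on
Port 22
#PermitRootLogin no
PasswordAuthentication yes
ChallengeResponseAuthentication no
PermitEmptyPasswords = no
Match User backup
    PasswordAuthentication no'

# check_sshd_config CONFIG_TEXT
# Prints one OK/WEAK/MISSING line per directive; returns 1 if any is not OK.
# sshd uses the first value it reads for a keyword, so the first uncommented
# occurrence before any Match block decides; keywords are case-insensitive.
check_sshd_config() {
    cfg=$1
    status=0
    for pair in "PermitRootLogin no" "PasswordAuthentication no" \
                "ChallengeResponseAuthentication no" "PermitEmptyPasswords no"; do
        key=${pair% *}
        want=${pair#* }
        got=$(printf '%s\n' "$cfg" | awk -v k="$key" '
            tolower($1) == "match" { exit }             # later lines are conditional
            { gsub(/=/, " ") }                          # allow "Key = value" spelling
            tolower($1) == tolower(k) { print tolower($2); exit }')
        if [ -z "$got" ]; then
            echo "MISSING $key (sshd built-in default applies)"
            status=1
        elif [ "$got" != "$want" ]; then
            echo "WEAK    $key $got (want $want)"
            status=1
        else
            echo "OK      $key $got"
        fi
    done
    return $status
}

# Usage; on a real host pass "$(sudo cat /etc/ssh/sshd_config)" instead.
check_sshd_config "$SAMPLE_CFG" || echo "sshd_config needs attention"
```

On the sample this reports PermitRootLogin as MISSING (the only copy is commented out), PasswordAuthentication as WEAK (the global "yes" wins, the "no" under Match only applies to one user), and the other two as OK.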

4. Block the hacker’s IP address

If you want to keep password authentication but still stop the attack, you can use iptables to block the malicious IP addresses.

Let’s assume that the hacker’s IP is 142.93.219.133. We can completely block it from our server by issuing the following command (rules added this way are lost on reboot unless you save them, for example with iptables-save)

$ sudo iptables -I INPUT -s 142.93.219.133 -j DROP

After some time, you can check whether the rule is actually dropping packets from the hacker’s IP.

$ sudo iptables -L INPUT  -nv | head
Chain INPUT (policy ACCEPT 818K packets, 38M bytes)
 pkts bytes target   prot opt in   out   source           destination
  108  6480 DROP     all  --  *    *     142.93.219.133   0.0.0.0/0

As you can see from the pkts counter, the rule has already dropped 108 packets from the hacker.
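Reading auth.log with tail (section 1) shows individual failures; what you actually want to know is which sources and which accounts are being hammered, and which sources have failed often enough to deserve the DROP rule from section 4. The script below is an added example, not part of the original post: it counts "Failed password" lines per source IP and per user name, and prints (without running) an iptables rule for every source at or above a threshold. The log lines are constructed, and the threshold of 5 is an arbitrary choice; pick one that fits your own traffic.

```shell
#!/bin/sh
# Added example: summarise ssh brute force attempts in auth.log and turn the
# worst sources into iptables DROP rules. Constructed sample log lines.
SAMPLE_LOG='Mar  3 10:01:02 host sshd[1201]: Failed password for root from 142.93.219.133 port 50122 ssh2
Mar  3 10:01:04 host sshd[1201]: Failed password for root from 142.93.219.133 port 50123 ssh2
Mar  3 10:01:06 host sshd[1203]: Failed password for invalid user admin from 142.93.219.133 port 50124 ssh2
Mar  3 10:01:07 host sshd[1203]: Failed password for invalid user admin from 142.93.219.133 port 50125 ssh2
Mar  3 10:01:09 host sshd[1204]: Failed password for stephen from 142.93.219.133 port 50126 ssh2
Mar  3 10:02:11 host sshd[1210]: Failed password for root from 103.243.147.160 port 35330 ssh2
Mar  3 10:02:13 host sshd[1211]: Failed password for root from 103.243.147.160 port 35331 ssh2
Mar  3 10:03:00 host sshd[1215]: Accepted publickey for stephen from 198.51.100.7 port 40001 ssh2'

# failed_by_ip LOG_TEXT  ->  "count ip" lines, busiest source first.
# The source address is the word after "from", which also works for the
# "Failed password for invalid user NAME from ..." variant.
failed_by_ip() {
    printf '%s\n' "$1" |
        awk '/sshd\[[0-9]+\]: Failed password for/ {
                 for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break }
             }' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# failed_by_user LOG_TEXT  ->  "count user" lines, most targeted account first.
failed_by_user() {
    printf '%s\n' "$1" |
        awk '/sshd\[[0-9]+\]: Failed password for/ {
                 for (i = 1; i <= NF; i++) if ($i == "for") {
                     u = $(i + 1)
                     if (u == "invalid") u = $(i + 3)   # "invalid user NAME"
                     print u; break
                 }
             }' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# block_rules LOG_TEXT MIN_FAILURES  ->  one "iptables -I INPUT -s IP -j DROP"
# line per source with at least MIN_FAILURES failures. Nothing is executed;
# review the list before piping it into sudo sh.
block_rules() {
    failed_by_ip "$1" |
        awk -v min="$2" '$1 >= min { print "iptables -I INPUT -s " $2 " -j DROP" }'
}

# Usage; on a real host pass "$(sudo cat /var/log/auth.log)" instead.
failed_by_ip "$SAMPLE_LOG"
failed_by_user "$SAMPLE_LOG"
block_rules "$SAMPLE_LOG" 5
```

On the sample, 142.93.219.133 accounts for 5 failures and 103.243.147.160 for 2, root is the most targeted account, and only the first source reaches the threshold of 5. The successful public key login is ignored, so legitimate users never end up in the block list.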