Yet another ssh brute force attack and how to protect against it with iptables and sshguard

ssh brute force attack

By chance, i looked into syslog ( /var/log/syslog ) and saw a ssh attempt to login from a ip outside local network. It was a brute force attack that started 7 days ago.. See down the post how to protect ssh from further attacks.

Looking at the logs ( tail -n 200000 /var/log/syslog ) noticed that the attack started on:

Sep 15 21:01:37 cerval sshd[13101]: Failed password for root from port 42023 ssh2

then the attack went on …

I checked the logs and saw the attack. stopped ssh. no more fun for you :(

I decided finally, after 6 years of laziness to build up some security.

Getting started with iptables

The guys at netfilter created, omnipresent on most of Linux machines, a packet filtering system called iptables.

The iptables Rules

For creating a bash script to create all the rules need, i used this online iptables wizard. (don’t forget to remove “LINWIZ-” from the script created)

Running iptables

Next run the script sh, save it /etc/init.d/iptables save, and then start, stop and start iptables again ( /etc/init.d/iptables start; /etc/init.d/iptables stop; /etc/init.d/iptables start )

and check if the rules are active with iptables -L -v

To get a better understanding check Stateful Firewall and Masquerading on Linux

Protecting ssh

Luckly gentoo portage has sshguard, which has lots of nice features!
Unmasked it to use a decent version (portage has 1.0 as stable, 1.4 as latest, but sshguard is v1.5rc4, which is the last RC planned before 1.5 stable. )

and then, emerge -av sshguard.
Its FAQ has the script to use for booting but the “-l” option wasn’t working on this version, so i used this instead

#! /bin/sh
case $1 in
    tail -n0 -F /var/log/auth.log | /usr/local/sbin/sshguard &
    killall sshguard
    echo "Use start or stop"
    exit 1

Add to the rc levels to ensure it starts at every boot:

rc-update add sshguard default

If you are using syslog-ng with sshguard

On Gentoo, just add  this to /etc/syslog-ng/syslog-ng.conf:

#create a new destination for sshguard
destination sshguardproc {
        template("$DATE $FULLHOST $MESSAGE\n"));
#creates a filter called f_sshlogs for auth and authpriv system logs
filter f_sshlogs { facility(auth, authpriv) and match("sshd"); }; # for sshguard

log { source(src); filter(f_sshlogs); destination(sshguardproc); };

Restart sshd

Start ssh again! /etc/init.d/sshd start


2 thoughts on “Yet another ssh brute force attack and how to protect against it with iptables and sshguard

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s