Tuesday, May 22, 2007

How to help prevent SSH attacks...

I'm not a huge Linux expert, but I have enough knowledge to run and secure a server.

I was given some instructions on what to do to prevent this from happening, so I'm going to share them here to help others secure their SSH and reduce the possibility of one of these bots (or humans) accessing your server via root.

Install Brute Force Detection (BFD)

This nifty tool will detect and help prevent people and bots trying to access your server by entering a list of random passwords: it will ban and block the IPs that attempt to brute force your server.

To install BFD you must first install the APF firewall; instructions on doing so can be found over at webhostgear dot com.

Once you have installed APF you may install BFD:

Step 1: Log in to your server as "root".

Step 2: Download the latest release of BFD:
wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz

Step 3: Untar the archive:
tar -xvzf bfd-current.tar.gz

Step 4: Move to the newly created BFD directory:
cd bfd-0.X

Step 5: Run the installation utility; once installed it will give you a completion message.
./install.sh

Step 6: Edit the config file:
nano /usr/local/bfd/conf.bfd
Change this:
ALERT_USR="0"
To this:
ALERT_USR="1"
and this:
EMAIL_USR="root"
To this:
EMAIL_USR="you@yourdomain.com"

Step 7: To prevent getting locked out, it's best that you edit the ignore list. This is a list of IPs that won't be affected by the BFD system.
nano /usr/local/bfd/ignore.hosts
Add your IP to the list, e.g.:
123.12.123.1

Step 8: You can now start BFD by running the following command as root:
/usr/local/sbin/bfd -s

The install of BFD is now complete. Time for the next item on the security list…
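The detection idea behind BFD, as an added Python illustration that is not BFD's own code: scan the failed-password lines sshd writes to syslog, skip any address on an ignore list (the role ignore.hosts plays above), and report every IP that reaches a threshold of failures inside a sliding time window. The log lines, the IP addresses and the "5 failures in 10 minutes" threshold are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of the sshd lines syslog writes to /var/log/secure (or auth.log).
SAMPLE_LOG = """\
May 22 10:01:02 host sshd[2101]: Failed password for root from 203.0.113.5 port 40102 ssh2
May 22 10:01:04 host sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 40103 ssh2
May 22 10:01:07 host sshd[2103]: Failed password for root from 203.0.113.5 port 40104 ssh2
May 22 10:01:09 host sshd[2104]: Failed password for root from 203.0.113.5 port 40105 ssh2
May 22 10:01:12 host sshd[2105]: Failed password for root from 203.0.113.5 port 40106 ssh2
May 22 10:02:00 host sshd[2110]: Failed password for bob from 123.12.123.1 port 51000 ssh2
May 22 10:02:03 host sshd[2111]: Failed password for bob from 123.12.123.1 port 51001 ssh2
May 22 10:02:05 host sshd[2112]: Failed password for bob from 123.12.123.1 port 51002 ssh2
May 22 10:02:08 host sshd[2113]: Failed password for bob from 123.12.123.1 port 51003 ssh2
May 22 10:02:10 host sshd[2114]: Failed password for bob from 123.12.123.1 port 51004 ssh2
May 22 10:03:00 host sshd[2120]: Failed password for alice from 198.51.100.7 port 52000 ssh2
May 22 10:03:30 host sshd[2121]: Accepted password for alice from 198.51.100.7 port 52001 ssh2
"""

# Plays the role of /usr/local/bfd/ignore.hosts: addresses that are never banned (constructed).
IGNORE_HOSTS = {"123.12.123.1"}

FAILED_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
                       r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})")

def parse_failures(log_text, year=2007):
    """Yield (timestamp, ip, user) for each failed-password line; syslog omits the year."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"], m["user"]

def find_brute_forcers(log_text, threshold=5, window=timedelta(minutes=10), ignore=IGNORE_HOSTS):
    """Return {ip: total_failures} for each non-ignored IP reaching `threshold` failures in a window."""
    events = defaultdict(list)
    for ts, ip, _user in parse_failures(log_text):
        if ip not in ignore:
            events[ip].append(ts)
    offenders = {}
    for ip, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:   # enough failures inside one window: ban candidate
                offenders[ip] = len(times)
                break
    return offenders
```

With the sample above, only 203.0.113.5 is reported; 123.12.123.1 hammers just as hard but is protected by the ignore list, which is exactly why Step 7 matters before you start the daemon.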

Moving SSH To A New Port

As silly as this may sound, moving SSH is actually one of the better methods of helping to stop unauthorized access. Moving the port will give the impression that the server is either non-functional or does not have SSH setup.

If you have APF installed, make sure to add the new port to the list of open ports before applying the modifications below; failure to do so could leave you locked out of your system.

Step 1: Pick yourself a port number (higher four-digit numbers are usually better, as they are less likely to already be in use), e.g. 8470.

Step 2: Open the SSH config file. At the top of the file is the current port number (22); just change this to the new one:
nano /etc/ssh/sshd_config

Step 3: Restart the SSH server:
/etc/rc.d/init.d/sshd restart

Step 4: Log in with the new port number! If using PuTTY, the port number defaults to 22, but you can change this when entering the server IP.

Step 5: If everything is working, you can now edit your APF config and close off port 22, as it's no longer needed!
