Improving security on OpenSSH

After leaving my Linux server online for just one day, I detected intrusions while checking the logs (/var/log/auth.log). Here is what an intrusion attempt looks like:

Aug 31 23:21:25 localhost sshd[4558]: User root not allowed because not listed in AllowUsers
Aug 31 23:21:28 localhost sshd[4560]: Illegal user admin from ::ffff:
Aug 31 23:21:31 localhost sshd[4562]: Illegal user test from ::ffff:
Aug 31 23:21:36 localhost sshd[4564]: Illegal user guest from ::ffff:
Aug 31 23:21:39 localhost sshd[4566]: Illegal user webmaster from ::ffff:
Aug 31 23:21:44 localhost sshd[4568]: Illegal user mysql from ::ffff:
Aug 31 23:21:47 localhost sshd[4570]: Illegal user oracle from ::ffff:
Aug 31 23:21:49 localhost sshd[4572]: Illegal user library from ::ffff:
Aug 31 23:21:52 localhost sshd[4574]: Illegal user info from ::ffff:
Aug 31 23:21:55 localhost sshd[4576]: Illegal user shell from ::ffff:
Aug 31 23:21:59 localhost sshd[4578]: Illegal user linux from ::ffff:
Aug 31 23:22:01 localhost sshd[4580]: Illegal user unix from ::ffff:
Aug 31 23:22:05 localhost sshd[4582]: Illegal user webadmin from ::ffff:
Aug 31 23:22:08 localhost sshd[4584]: Illegal user ftp from ::ffff:
Aug 31 23:22:12 localhost sshd[4586]: Illegal user test from ::ffff:
Aug 31 23:22:15 localhost sshd[4588]: User root not allowed because not listed in AllowUsers
Aug 31 23:22:18 localhost sshd[4590]: Illegal user admin from ::ffff:
Aug 31 23:22:21 localhost sshd[4592]: Illegal user guest from ::ffff:
Aug 31 23:22:25 localhost sshd[4594]: Illegal user master from ::ffff:
Aug 31 23:22:28 localhost sshd[4596]: Illegal user apache from ::ffff:
Aug 31 23:22:33 localhost sshd[4598]: User root not allowed because not listed in AllowUsers
Aug 31 23:22:37 localhost sshd[4600]: User root not allowed because not listed in AllowUsers
Aug 31 23:22:40 localhost sshd[4602]: User root not allowed because not listed in AllowUsers

I have already taken some precautions against this, but today I looked further into the sshd_config manual page to see if I could do more.
It would be really nice if sshd could automatically blacklist an IP address after a given number of failed attempts.
I find it really strange that it does not have this feature.

Anyway, in my previous post Security Paranoia I already mentioned an option called MaxStartups. The man page says:

Specifies the maximum number of concurrent unauthenticated connections
to the sshd daemon.
Additional connections will be dropped until authentication succeeds or 
the LoginGraceTime expires for a connection.  The default is 10.

Alternatively, random early drop can be enabled by specifying the three 
colon separated values ``start:rate:full'' (e.g., "10:30:60").  
sshd will refuse connection attempts with a probability
of ``rate/100'' (30%) if there are currently ``start'' (10) 
unauthenticated connections.  The probability increases linearly and 
all connection attempts are refused if the number of unauthenticated
connections reaches ``full'' (60).

Really explanatory.
So I decided on this setting:

MaxStartups 1:100:1

I forgot to say that, after modifying the file /etc/ssh/sshd_config, you have to restart the SSH daemon with: /etc/init.d/ssh restart

Only one connection at a time. Once there is one (the first) unauthenticated connection, any further connection has a 100% probability of being refused, and the maximum number of unauthenticated connections allowed is 1. In other words: one try at a time, and no more. So multithreaded bots should have some more difficulty next time.
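To see what the three MaxStartups numbers actually do, here is a small model of the "random early drop" ramp described in the man page quote above. It is an added example written for this post, not code from OpenSSH or from the original article; the function names (parse_max_startups, drop_probability, ramp) are my own, and the linear ramp with integer percentages is my reading of the sshd_config(5) text, which sshd's own implementation also follows.

```python
"""Model of sshd's MaxStartups "random early drop" (added example, not OpenSSH code).

The probability ramp follows the sshd_config(5) description: refuse with
probability rate/100 once `start` unauthenticated connections exist, rising
linearly to certain refusal at `full`.  Integer percentages are used, the way
sshd computes them.
"""


def parse_max_startups(value):
    """Parse a MaxStartups value into (start, rate, full).

    "10:30:60" gives (10, 30, 60).  A single number such as "10" is a hard
    cap: it behaves like "10:100:10" (refuse everything once 10 are waiting).
    """
    parts = [int(p) for p in value.split(":")]
    if len(parts) == 1:
        return parts[0], 100, parts[0]
    if len(parts) != 3:
        raise ValueError("MaxStartups needs one value or start:rate:full")
    start, rate, full = parts
    # Sanity check for this model; sshd rejects nonsensical specs at startup.
    if not (0 < start <= full) or not (1 <= rate <= 100):
        raise ValueError("need 0 < start <= full and 1 <= rate <= 100")
    return start, rate, full


def drop_probability(start, rate, full, unauthenticated):
    """Percentage chance (0-100) that a new connection is refused when
    `unauthenticated` connections are already waiting to authenticate."""
    if unauthenticated < start:
        return 0
    if unauthenticated >= full:
        return 100
    # Linear ramp from `rate` at `start` up to 100 at `full`.
    return rate + (100 - rate) * (unauthenticated - start) // (full - start)


def ramp(value, max_connections=None):
    """List of (unauthenticated, percent refused) for a MaxStartups value."""
    start, rate, full = parse_max_startups(value)
    top = full if max_connections is None else max_connections
    return [(n, drop_probability(start, rate, full, n)) for n in range(top + 1)]


if __name__ == "__main__":
    for setting in ("10:30:60", "1:100:1"):
        print(f"MaxStartups {setting}")
        for n, pct in ramp(setting):
            if n in (0, 1) or n % 10 == 0:
                print(f"  {n:3d} unauthenticated -> {pct:3d}% refused")
```

Running it shows the default-style "10:30:60" ramping from 30% refusals at ten waiting connections to 100% at sixty, while "1:100:1" refuses everything as soon as a single connection is waiting. That second shape is also the trade-off to keep in mind: one unauthenticated connection, including one that a scanner simply holds open without ever sending a password, blocks every other new connection (legitimate logins included) until LoginGraceTime expires for it.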

If someone knows how to tell sshd (or the firewall) to ban an IP address after, let's say, 3 failed attempts, I would really appreciate it.
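The counting half of that wish can be done outside sshd by reading the same log lines shown above. The following is an added example written for this post, not code from the original article or from OpenSSH: it parses the failure messages in the post's format (plus the "Invalid user ... from ... port N" wording newer versions use), counts failures per source address, and reports any source that reaches a threshold inside a sliding time window. The sample log lines are constructed and the addresses are made-up documentation-range IPs; the function names are my own. What to do with a reported address (a firewall rule, or feeding a tool that maintains a blacklist) is a separate decision.

```python
"""Count failed sshd logins per source address (added example, not the post's
or OpenSSH's code).  Sample log lines are constructed; addresses use the
RFC 5737 documentation ranges."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Failure messages in the format shown in the post ("Illegal user ... from"),
# the newer "Invalid user ... from ... port N" wording, and the AllowUsers
# rejection when sshd includes the source ("User root from X not allowed").
FAILED = re.compile(
    r"sshd\[\d+\]: (?:Illegal|Invalid) user (?P<user>\S+) from (?P<addr>\S+)"
    r"|sshd\[\d+\]: User (?P<user2>\S+) from (?P<addr2>\S+) not allowed"
)


def failed_attempts(lines):
    """Yield (timestamp, source address, attempted user) for each failed login.

    Syslog timestamps carry no year, so strptime fills in 1900; only the
    differences between timestamps matter here.
    """
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
        addr = m.group("addr") or m.group("addr2")
        if addr.startswith("::ffff:"):        # IPv4-mapped IPv6 form seen in the post
            addr = addr[len("::ffff:"):]
        yield ts, addr, m.group("user") or m.group("user2")


def attempts_by_source(lines):
    """Total failed attempts per source address."""
    return Counter(addr for _, addr, _ in failed_attempts(lines))


def offenders(lines, threshold=3, window=timedelta(minutes=10)):
    """Map each source that made `threshold` or more failures inside any
    `window`-long span to the time it crossed the threshold."""
    recent = defaultdict(deque)
    crossed = {}
    for ts, addr, _ in failed_attempts(lines):
        q = recent[addr]
        q.append(ts)
        while ts - q[0] > window:            # forget attempts outside the window
            q.popleft()
        if len(q) >= threshold and addr not in crossed:
            crossed[addr] = ts
    return crossed


# Constructed sample in the post's format; the IPs are made up.
SAMPLE_LOG = [
    "Aug 31 23:21:25 localhost sshd[4558]: User root not allowed because not listed in AllowUsers",
    "Aug 31 23:21:28 localhost sshd[4560]: Illegal user admin from ::ffff:192.0.2.10",
    "Aug 31 23:21:31 localhost sshd[4562]: Illegal user test from ::ffff:192.0.2.10",
    "Aug 31 23:21:36 localhost sshd[4564]: Illegal user guest from ::ffff:192.0.2.10",
    "Aug 31 23:21:40 localhost sshd[4566]: Invalid user oracle from 198.51.100.7 port 40122",
    "Aug 31 23:21:44 localhost sshd[4568]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2",
    "Aug 31 23:35:50 localhost sshd[4570]: User root from 198.51.100.7 not allowed because not listed in AllowUsers",
]

if __name__ == "__main__":
    print("failed attempts per source:", dict(attempts_by_source(SAMPLE_LOG)))
    for addr, when in offenders(SAMPLE_LOG).items():
        print(f"{addr} reached 3 failures at {when:%b %d %H:%M:%S}")
```

Note that the first sample line, the older "User root not allowed" message without a source address, is deliberately skipped: there is nothing to count against. The sliding window matters too: 198.51.100.7 has two failures in the sample, but fourteen minutes apart, so it never trips a 10-minute threshold of two while 192.0.2.10 does within seconds.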

2 Responses to “Improving security on OpenSSH”  

  1. andb will blacklist IPs with too many failed connection attempts

    or use 'hashlimit' in 'iptables'
    iptables -I INPUT -m hashlimit -m tcp -p tcp --dport 22 --hashlimit 1/min
    --hashlimit-mode srcip --hashlimit-name ssh -m state --state NEW -j ACCEPT

  2. Linux PAM Automatic Blacklisting - NewInstance
