DOS attacks on your ssh server

If you’re running a Linux box, you’re probably running an ssh server on it. Configured properly it is very secure, but there are a few cheap things you can do to raise the bar further. One of them concerns the automated attacks that hit port 22 on any box with a public address: bots that hammer the port with connection attempts, well formed or otherwise, either to brute-force a password (or trigger a buffer overflow or similar bug in the daemon) or simply to tie up the server, which is a Denial of Service (DoS). Strictly speaking only the last one is a DoS; the break-in attempts are a separate nuisance, but all of them look the same at the firewall: a flood of new connections from one address in a short time.

This is where the firewall comes in: have it drop all traffic from an address that opens too many new connections to the ssh port in a short time, say more than 3 within a minute. Note that the firewall only sees connection attempts, not logins, so it cannot tell a failed password from a successful one; a legitimate user who opens four sessions inside a minute trips the rule just as a bot does. The commands below are for iptables, which is found on most Linux distros; adjust the port and interface (22 and eth0 here) to your box, and look for the equivalent if your firewall is different. On current iptables "-m state --state NEW" is an alias for "-m conntrack --ctstate NEW"; either spelling works.

# Record every new connection to port 22 in the "recent" module's list:
$ sudo iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
# Inserted second, so evaluated first: drop the packet if this is the source's
# 4th new connection within 60 seconds. Once an address is being dropped, each
# further attempt refreshes its entry, so a host that keeps hammering stays
# blocked until it has been quiet for a minute.
$ sudo iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

This does not protect you from a Distributed Denial of Service (DDoS), where the attempts come from many addresses and each one stays under the threshold, and in no way does it make your machine hack-proof (is that even possible?). Two caveats are worth knowing. The rule keys on source address and counts SYN packets, so anyone who can spoof packets from an address you care about can get that address blocked, and anyone behind the same NAT as an attacker is blocked along with them; put an ACCEPT rule for your own management addresses ahead of these two. But it will (mostly) keep those pesky script kiddies at bay.
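The same recipe as a small script, added here as an example (it is not code from the original post): it builds and applies the two rules with the newer conntrack spelling and a named list, reads the list the kernel exposes under /proc/net/xt_recent/ to show who has been hammering, and removes an address early. Port 22, interface eth0, the list name "SSH", the 60-second window and the hit count of 4 are all assumptions to adjust; the sample list contents used in the comments are constructed, in the layout the kernel writes.

```shell
#!/bin/sh
# Added example, not from the original post. Everything here is an assumption
# to adapt: SSH on tcp/22 via eth0, a named recent list "SSH", a 60-second
# window, and the 4th new connection in that window dropped.
SSH_PORT="${SSH_PORT:-22}"
SSH_IFACE="${SSH_IFACE:-eth0}"
RECENT_NAME="${RECENT_NAME:-SSH}"
WINDOW="${WINDOW:-60}"
HITCOUNT="${HITCOUNT:-4}"
# The kernel exposes one file per named list here.
RECENT_PROC="${RECENT_PROC:-/proc/net/xt_recent/$RECENT_NAME}"

# Print the two rules in the order they are inserted. Each "-I" goes to the
# top of INPUT, so the "--update ... DROP" rule (inserted last) is evaluated
# first: a source already listed with HITCOUNT hits inside WINDOW seconds is
# dropped; everyone else falls through to "--set", which records the attempt.
# "-m conntrack --ctstate NEW" is the current spelling of "-m state --state NEW".
ssh_ratelimit_rules() {
    printf '%s\n' \
        "iptables -I INPUT -p tcp --dport $SSH_PORT -i $SSH_IFACE -m conntrack --ctstate NEW -m recent --name $RECENT_NAME --set" \
        "iptables -I INPUT -p tcp --dport $SSH_PORT -i $SSH_IFACE -m conntrack --ctstate NEW -m recent --name $RECENT_NAME --update --seconds $WINDOW --hitcount $HITCOUNT -j DROP"
}

# Insert the rules (root required). "iptables -C" makes this safe to re-run:
# a second invocation would otherwise stack duplicate rules at the top.
ssh_ratelimit_apply() {
    if iptables -C INPUT -p tcp --dport "$SSH_PORT" -i "$SSH_IFACE" -m conntrack --ctstate NEW \
            -m recent --name "$RECENT_NAME" --set 2>/dev/null; then
        echo "ssh rate-limit rules already present" >&2
        return 0
    fi
    ssh_ratelimit_rules | while read -r cmd; do
        $cmd || exit 1   # unquoted on purpose: the rule is a flat argv
    done
}

# Read a /proc/net/xt_recent/<name> file. The kernel writes one line per
# source, e.g. (constructed sample in the kernel's layout):
#   src=192.0.2.10 ttl: 64 last_seen: 4295892231 oldest_pkt: 5 4295891000,...
# "oldest_pkt" is a ring-buffer index, not a counter; the number of jiffies
# stamps listed at the end is how many attempts are retained (at most the
# module's ip_pkt_list_tot, 20 by default). Output "<ip> <attempts> <last_seen>",
# most active source first.
ssh_ratelimit_list() {
    awk '{
        ip = substr($1, 5)            # drop the "src=" prefix
        last_seen = $5
        attempts = split($8, stamps, ",")
        printf "%s %d %s\n", ip, attempts, last_seen
    }' "${1:-$RECENT_PROC}" | sort -k2,2nr
}

# Sources with at least HITCOUNT retained attempts. The kernel additionally
# requires those stamps to fall inside WINDOW seconds of "now" (jiffies, not
# wall-clock) before dropping, so treat this as "who has been hammering", not
# as the exact drop decision.
ssh_ratelimit_hot() {
    ssh_ratelimit_list "$@" | awk -v h="$HITCOUNT" '$2 >= h { print $1 }'
}

# Forget a source before the window expires: writing "-ADDR" to the list file
# removes that entry ("/" would flush the whole list).
ssh_ratelimit_unban() {
    printf '%s\n' "-$1" > "${2:-$RECENT_PROC}"
}

# Usage as root:  . ./ssh_ratelimit.sh; ssh_ratelimit_apply; ssh_ratelimit_hot
# Later:          ssh_ratelimit_unban 192.0.2.10
```

Source the file rather than executing it so the functions land in your shell; ssh_ratelimit_list and ssh_ratelimit_hot accept an alternative file path as their first argument, which is handy for reading a copy of the list saved during an incident.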

For more information on ssh and general system security, the following links are informative sources to start with:

  1. http://www.rackaid.com/resources/how-to-add-protective-measures-against-ssh-attacks/
  2. http://www.rackaid.com/resources/how-to-harden-or-secure-ssh-for-improved-security/
  3. http://fedoranews.org/contributors/sonny_nguyen/pam/