[CentOS] One approach to dealing with SSH brute force attacks.

Thu Jan 31 00:59:41 UTC 2008
Jay Leafey <jay.leafey at mindless.com>

> 
> What I would I like to do is:
> 
> - allow 22 from specific IPs
> - allow another port (redirected) from anywhere. this port is then 
> redirected to 22.
> 

I do exactly this with a combination of SSH config options and iptables 
rules.  In your /etc/ssh/sshd_config file, find the "Port 22" statement 
and add a "Port" statement for the desired port, something like:

<snip>
Port 22
Port 20022
Protocol 2
<snip>

Then, in iptables, add the appropriate rules to let incoming connections 
to port 22 from only specific addresses and to allow port 20022 (or 
whatever you pick) to be available worldwide.  Assuming you wanted port 
22 access for a local subnet like 192.169.1.0/24, add the following to 
the /etc/sysconfig/iptables file before the REJECT statement at the end 
of the file:

> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20022 -j ACCEPT

After restarting SSH and reloading iptables you should have just what 
you want.  I use this, in addition to blockhosts 
(http://www.aczoom.com/cms/blockhosts/), on several production systems 
and the result has been almost total elimination of brute-force attacks 
on those systems.

Another possibility is a variation on port-knocking using PKI 
authentication or a shared secret.  The project is called fwknop 
(http://www.cipherdyne.org/fwknop/) and has the potential to almost 
completely eliminate brute-force attacks.

Essentially, the target port (22 in the case of SSH) is not open at all 
normally, but a daemon monitors the network interface for a specific 
packet signed using either a shared secret or a pre-authorized PGP key. 
When it sees the packet, it opens up the appropriate port for a 
specified time (usually just a few seconds) to the IP address the packet 
comes from.  This allows a very short time window for the client system 
to complete its connection before the port gets closed down.  I've set 
this up on a couple of systems so far with excellent results.

Your mileage may vary!
-- 
Jay Leafey - Memphis, TN
jay.leafey at mindless.com
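As an added example (my own, not code from the post, blockhosts or CentOS), a small POSIX shell script that does the edit the post describes: it inserts the two ACCEPT rules into an /etc/sysconfig/iptables-style file immediately before the chain's REJECT line and then checks that sshd_config lists both ports and that each ACCEPT really precedes the REJECT. The function names and the sample sshd_config and iptables contents are constructed for the demo.

```shell
#!/bin/sh
# Constructed example: apply and verify the two SSH rules from the post.

# insert_ssh_rules FILE SUBNET ALTPORT: write the two ACCEPT rules right
# before the first REJECT in RH-Firewall-1-INPUT; other lines stay as-is.
insert_ssh_rules() {
    file=$1; subnet=$2; altport=$3
    awk -v subnet="$subnet" -v altport="$altport" '
        !done && /-A RH-Firewall-1-INPUT/ && /-j REJECT/ {
            printf "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s %s --dport 22 -j ACCEPT\n", subnet
            printf "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport %s -j ACCEPT\n", altport
            done = 1
        }
        { print }
    ' "$file" > "$file.new" && mv "$file.new" "$file"
}

# sshd_has_port CONFIG PORT: true if an uncommented "Port PORT" line exists.
sshd_has_port() {
    grep -Eq "^[[:space:]]*Port[[:space:]]+$2[[:space:]]*\$" "$1"
}

# rule_before_reject FILE PORT: true if an ACCEPT for --dport PORT comes
# before the chain's REJECT (a rule placed after REJECT never matches).
rule_before_reject() {
    awk -v port="$2" '
        /-j ACCEPT/ && $0 ~ ("--dport " port " ") && !reject { seen = 1 }
        /-j REJECT/ { reject = 1 }
        END { exit !(seen && reject) }
    ' "$1"
}

# demo: constructed sshd_config and iptables files in a temp dir.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'Port 22' 'Port 20022' 'Protocol 2' > "$d/sshd_config"
    printf '%s\n' '*filter' ':RH-Firewall-1-INPUT - [0:0]' \
        '-A RH-Firewall-1-INPUT -i lo -j ACCEPT' \
        '-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited' \
        'COMMIT' > "$d/iptables"
    insert_ssh_rules "$d/iptables" 192.168.1.0/24 20022 &&
    sshd_has_port "$d/sshd_config" 20022 &&
    rule_before_reject "$d/iptables" 22 &&
    rule_before_reject "$d/iptables" 20022
    rc=$?
    cat "$d/iptables"; rm -rf "$d"
    return $rc
}
```

Run `demo` to see the resulting rule file; it exits non-zero if either port is missing from sshd_config or an ACCEPT ended up after the REJECT.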