[CentOS] Ideas for stopping ssh brute force attacks
boisvert.guy at videotron.ca
Tue Jul 22 04:12:16 UTC 2008
Michael Gabriel wrote:
> just wanted to get some feedback from the community. Over the last few
> days I have noticed my web server and email box have had attempts to ssh to
> them using weird names like admin, appuser, nobody, etc.... None of these are
> valid users. I know that I can block sshd altogether with iptables but
> that will not work for us. I did a little research on google and found
> programs like sshguard and sshdfilter. Just wanted to know if anyone had
> any experience with anything like these programs or has any other advice.
> I really appreciate it.
I don't know if anybody on this list tried SPA (Single Packet
As another person mentioned earlier, the idea of using a VPN is very good.
I use pfSense and the VPN server inside gives the connecting user an
address on a virtual subnet. Each user is given a distinct fixed IP
address. Then it's easy to set up firewall rules based on what you allow
the user to do. I do 10 Mbps symmetric with a "recycled" 1U Dell
PowerEdge 350 (PIII/800, 512 Megs RAM). We do QoS (we have 1 WME
Streaming Server, 1 Darwin Streaming On Demand Server, FTP, DNS, SMTP,
etc). The CPU usage is very low. I love pfSense a lot. The only thing
I struggled with a little was when I tried to authenticate the user with
Active Directory (M$ IAS = RADIUS). It works but I have yet to find a
way to assign a fixed address to each user. I can do this if I use
pfSense's integrated user manager (for VPN).
In another place, I use a CentOS box as a remote gateway using SSH. I
changed the SSH port, use DenyHosts, force SSH v2 and forbid password
login (SSH key login mandatory). I even got a VBS script for our
Winblows users that uses plink (member of the PuTTY family) to connect,
authenticate with keys and launch RDP Terminal to connect to the
Winblows Terminal Server (all this automated). The only prompt the user
has is for entering his remote login name (the user must know it or the
connection will be refused).
I made an installer (with Nullsoft's NSIS) so allowed Winblows users can
easily install all this: the installer creates icons, protects SSH keys
(NTFS encryption), etc... The installer is protected by a password.
Hope this helped!
Guy Boisvert, ing.
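As an added example that is not part of Guy's post, the shell script below audits an sshd_config for the settings he lists on his CentOS gateway (non-default port, protocol 2 only, key-only login with password login off); the two sample config files are constructed for the example, the ChallengeResponseAuthentication check is an assumption about PAM keyboard-interactive logins not stated in the post, and DenyHosts, being a separate daemon, is not checked.

```sh
#!/bin/sh
# Effective value of keyword $2 in sshd_config $1, or default $3 when unset.
# sshd honours the first uncommented occurrence of a keyword. Caveat: the scan
# stops at the first Match block, so overrides inside Match blocks are not seen.
sshd_option() {
    awk -v kw="$2" -v def="$3" '
        /^[ \t]*Match[ \t]/ { exit }                   # end of global section
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # comment or blank line
        tolower($1) == tolower(kw) { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}
# Print one WEAK line per deviation from the post's setup; the return value is
# the number of findings, so 0 means the file passed every check.
audit_sshd_config() {
    n=0
    if [ "$(sshd_option "$1" Port 22)" = 22 ]; then
        echo "WEAK: Port 22 (the post moves sshd to a non-default port)"; n=$((n+1))
    fi
    if [ "$(sshd_option "$1" Protocol 2,1)" != 2 ]; then
        echo "WEAK: Protocol permits SSH v1 (set 'Protocol 2')"; n=$((n+1))
    fi
    if [ "$(sshd_option "$1" PasswordAuthentication yes)" != no ]; then
        echo "WEAK: PasswordAuthentication yes (set it to no)"; n=$((n+1))
    fi
    # keyboard-interactive (PAM) can still prompt for a password, so close it too
    if [ "$(sshd_option "$1" ChallengeResponseAuthentication yes)" != no ]; then
        echo "WEAK: ChallengeResponseAuthentication yes (set it to no)"; n=$((n+1))
    fi
    if [ "$(sshd_option "$1" PubkeyAuthentication yes)" != yes ]; then
        echo "WEAK: PubkeyAuthentication no (key logins must stay enabled)"; n=$((n+1))
    fi
    return $n
}
# Constructed sample configs: a stock-looking one and one set up like the post.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp); trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat >"$WEAK_CFG" <<'EOF'
#Port 22
Protocol 2,1
PasswordAuthentication yes
EOF
cat >"$HARD_CFG" <<'EOF'
Port 2222
Protocol 2
  passwordauthentication no
ChallengeResponseAuthentication no
EOF
for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    audit_sshd_config "$cfg" && echo "$cfg: ok" || echo "$cfg: $? finding(s)"
done
```

Point audit_sshd_config at /etc/ssh/sshd_config on a real host; a non-zero exit status makes it usable from cron or a config-management check.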