[CentOS] Ideas for stopping ssh brute force attacks

Mon Jul 21 22:05:13 UTC 2008
D Steward <dsteward at internode.on.net>

Provided you have ssh set up to ensure that root cannot login directly
and/or keys instead of passwords must be used, you aren't in much danger
of being compromised.

To ensure the logs are mostly kept clean however, you need yet another
solution such as changing the port, port-knocking, or a script such as
fail2ban, denyhosts and blockhosts.

fail2ban is a script which writes blacklisted IPs to iptables then
denies them access to every service including ftp and http, not just
ssh.

Because I don't believe a solution such as fail2ban will scale (it can't
be healthy having tens of thousands of IPs in iptables), I use denyhosts
on my servers and have done so successfully for the past 12 months.
Denyhosts is a script which writes blacklisted IPs to hosts.deny,
preventing them from accessing ssh as well as any other service which
uses tcp wrappers. It has a truly wonderful feature where you can sync
your results with a central server to share IPs for banning. This means
my servers now have about 12000 IPs which are permanently blacklisted.
There are just two disadvantages with denyhosts: with a large number of
entries in hosts.deny, there is a noticeable delay (several seconds in
my case) when logging in with ssh. And you can only deny requests which
use tcp wrappers.

I've never used Blockhosts, but I believe it is similar to fail2ban, in
that it can disallow blacklisted IPs from accessing any service, not
just ssh.

Just one other thing: if you use a script, you need to be careful you
don't accidentally ban your own IP (by entering a wrong password too
many times) when accessing a remote server. :/

Whatever you decide to use, the more security you have, the more
awkward it will be to access your own server/s.
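The denyhosts-style approach the post describes (count failed sshd logins per source address, write offenders to hosts.deny via tcp wrappers) and its "don't ban your own IP" caveat, as an added example that is not part of the original post or of denyhosts itself. The log lines are constructed for the demo (documentation address ranges, not real hosts), the threshold and whitelist network are assumed values, and in a real deployment the text would come from /var/log/secure rather than an inline string:

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of sshd syslog lines (the format found in /var/log/secure on CentOS).
# 192.0.2.10 is a scanner, 198.51.100.7 is the admin fat-fingering a password from the
# office network, 203.0.113.5 is below the ban threshold.
SAMPLE_LOG = """\
Jul 21 22:01:02 host sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Jul 21 22:01:05 host sshd[1203]: Failed password for invalid user oracle from 192.0.2.10 port 51240 ssh2
Jul 21 22:01:09 host sshd[1205]: Failed password for root from 192.0.2.10 port 51244 ssh2
Jul 21 22:01:12 host sshd[1207]: Failed password for invalid user test from 192.0.2.10 port 51250 ssh2
Jul 21 22:01:15 host sshd[1209]: Failed password for invalid user guest from 192.0.2.10 port 51251 ssh2
Jul 21 22:02:30 host sshd[1300]: Failed password for dsteward from 198.51.100.7 port 40001 ssh2
Jul 21 22:02:33 host sshd[1302]: Failed password for dsteward from 198.51.100.7 port 40002 ssh2
Jul 21 22:02:36 host sshd[1304]: Failed password for dsteward from 198.51.100.7 port 40003 ssh2
Jul 21 22:02:40 host sshd[1306]: Failed password for dsteward from 198.51.100.7 port 40004 ssh2
Jul 21 22:02:44 host sshd[1308]: Failed password for dsteward from 198.51.100.7 port 40005 ssh2
Jul 21 22:02:50 host sshd[1310]: Accepted publickey for dsteward from 198.51.100.7 port 40006 ssh2
Jul 21 22:03:01 host sshd[1400]: Failed password for invalid user pi from 203.0.113.5 port 60000 ssh2
Jul 21 22:03:02 host sshd[1402]: Failed password for invalid user pi from 203.0.113.5 port 60001 ssh2
"""

# Matches sshd "Failed password" lines and captures the user name and source IPv4 address.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failures(log_text):
    """Return a Counter mapping source IP -> number of failed password attempts."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def select_bans(counts, threshold, whitelist=()):
    """IPs with at least `threshold` failures, skipping any address inside a whitelisted
    network. The whitelist is what keeps you from locking yourself out after a few typos."""
    nets = [ipaddress.ip_network(w, strict=False) for w in whitelist]
    banned = []
    for ip, n in counts.items():
        if n < threshold:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):
            continue
        banned.append(ip)
    return sorted(banned)


def hosts_deny_lines(ips):
    """Render ban entries in hosts.deny syntax ("daemon_list : client_list"), one per IP,
    so only tcp-wrappers-aware services such as sshd honour them."""
    return ["sshd: %s" % ip for ip in ips]


if __name__ == "__main__":
    # Assumed policy: five failures bans an address; the admin's office network is exempt.
    failures = count_failures(SAMPLE_LOG)
    for ip, n in failures.most_common():
        print("%-16s %d failed attempts" % (ip, n))
    print("without whitelist:", select_bans(failures, 5))
    for entry in hosts_deny_lines(select_bans(failures, 5, ["198.51.100.0/24"])):
        print("hosts.deny <<", entry)
```

Run without the whitelist and the admin's own address (198.51.100.7) lands in the ban list alongside the scanner, which is exactly the self-lockout the post warns about; with the office network whitelisted only 192.0.2.10 is written out. Note that the output is a flat list of `sshd: IP` lines: tcp wrappers scans hosts.deny linearly on every connection, which is why a file with thousands of synced entries adds the login delay the post mentions.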