[CentOS] Ideas for stopping ssh brute force attacks

Tue Jul 22 04:12:16 UTC 2008
Guy Boisvert <boisvert.guy at videotron.ca>

Michael Gabriel wrote:
> 
> just wanted to get some feedback from the community. Over the last few
> days I have noticed my web server and email box have attempted to ssh'd to
> using weird names like admin,appuser,nobody,etc.... None of these are
> valid users. I know that I can block sshd all together with iptables but
> that will not work for us. I did a little research on google and found
> programs like sshguard and sshdfilter. Just wanted to know if anyone had
> any experience with anything like these programs or have any other advice.
> I really appreciate it.
>

I don't know if anybody on this list tried SPA (Single Packet 
Authorization):

http://www.linuxjournal.com/article/9565


As another person mentioned earlier, the idea of using VPN is very good.

I use pfSense and the VPN server inside gives the connecting user an 
address on a virtual subnet.  Each user is given a distinct fixed IP 
address.  Then it's easy to set up firewall rules based on what you allow 
the user to do.  I do 10 Mbps symmetric with a "recycled" 1U Dell 
PowerEdge 350 (PIII/800, 512 Megs RAM).  We do QoS (we have 1 WME 
Streaming Server, 1 Darwin Streaming On Demand Server, FTP, DNS, SMTP, 
etc.).  The CPU usage is very low.  I love pfSense a lot.  The only thing 
I struggled with a little was when I tried to authenticate the user with 
Active Directory (M$ IAS = RADIUS).  It works but I have yet to find a 
way to assign a fixed address to each user.  I can do this if I use 
pfSense's integrated user manager (for VPN).

In another place, I use a CentOS box as a remote gateway using SSH.  I 
changed the SSH port, use DenyHosts, force SSH v2 and forbid password 
login (SSH key login mandatory).  I even got a VBS script for our 
Winblows users that uses plink (member of the PuTTY family) to connect, 
authenticate with keys and launch RDP Terminal to connect to the 
Winblows Terminal Server (all this automated).  The only prompt the user 
has is for entering his remote login name (the user must know it or the 
connection will be refused).

I did an installer (with Nullsoft's NSIS) so allowed Winblows users can 
easily install all this: the installer creates icons, protects SSH keys 
(NTFS Encryption), etc.  The installer is protected by a password.


Hope this helped!


Guy Boisvert, ing.
IngTegration inc.
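As an added example (not code from the original thread), here is a small POSIX shell audit of an sshd_config text for the four hardening points Guy lists for his CentOS gateway: a non-default port, SSH protocol 2 only, password login disabled and public key login enabled. The two config fragments are constructed for the demonstration; the keyword names are the real sshd_config keywords of that era (Protocol has since been dropped from newer OpenSSH).

```shell
#!/bin/sh
# Constructed sshd_config fragment (not from the post) in the
# pre-hardening state: default port, both protocols, passwords accepted.
WEAK_CFG='Port 22
Protocol 2,1
PasswordAuthentication yes
PubkeyAuthentication yes'

# The same fragment after the changes described in the post.
HARD_CFG='Port 2222
Protocol 2
PasswordAuthentication no
PubkeyAuthentication yes'

# sshd_value CONFIG KEYWORD: print the effective value of KEYWORD.
# Like sshd, the first non-comment occurrence wins; keywords are
# case-insensitive. Prints "unset" when the keyword is absent.
sshd_value() {
    v=$(printf '%s\n' "$1" | awk -v k="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }')
    [ -n "$v" ] && printf '%s\n' "$v" || printf 'unset\n'
}

# audit_sshd CONFIG: return 0 when all four points are met, otherwise
# print each failing point and return 1. An absent keyword counts as a
# failure, because sshd's compiled-in default would apply instead.
audit_sshd() {
    rc=0
    port=$(sshd_value "$1" Port)
    [ "$port" != "22" ] && [ "$port" != "unset" ] \
        || { echo "FAIL: sshd still listens on the default port 22"; rc=1; }
    [ "$(sshd_value "$1" Protocol)" = "2" ] \
        || { echo "FAIL: Protocol is not restricted to 2"; rc=1; }
    [ "$(sshd_value "$1" PasswordAuthentication)" = "no" ] \
        || { echo "FAIL: password logins are still accepted"; rc=1; }
    [ "$(sshd_value "$1" PubkeyAuthentication)" = "yes" ] \
        || { echo "FAIL: public key authentication is not enabled"; rc=1; }
    return $rc
}

# To audit a live system, pass the file contents:
#   audit_sshd "$(cat /etc/ssh/sshd_config)"
```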