Wow, I never knew that strace can be used as a poor man’s SSH keylogger – Poor Man’s SSH Keylogger
This is the quickest way to limit the number of concurrent connections to your SSH server with iptables:
sudo /sbin/iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 5 -j REJECT
With connlimit’s default mask (/32), the count is kept per source IPv4 address: each client may hold at most 5 simultaneous connections to port 22, and the sixth connection attempt (the --syn match restricts the rule to connection-opening packets) is rejected by iptables. This blunts brute-force tools that open many parallel sessions, but it does nothing against an attacker who tries passwords one connection at a time, so combine it with fail2ban or a rate limit (both are covered below).
More Articles About Securing SSH Server
Fail2ban is a security tool that protects a GNU/Linux box against brute-force login attacks and, to a lesser extent, the connection flooding (DoS) that its ssh-ddos filter targets.
Fail2ban watches the log for failed login attempts and, once a source address has failed too often, blocks that IP address from further logins (by inserting a firewall rule). Because it counts per source address, a genuinely distributed attack in which every address only tries a few passwords will slip under its threshold. Although Fail2ban can also be used to secure other services on an Ubuntu server, this post only covers securing the SSH server.
Step 1: Install Fail2ban and (optionally) sendmail
sudo apt-get install fail2ban
sudo apt-get install sendmail-bin
Step 2: Setting up Fail2ban
Next, configure fail2ban by copying ‘jail.conf’ to ‘jail.local’. Put all your changes in jail.local: jail.conf is overwritten on package upgrades, while jail.local is read after it and overrides it.
cd /etc/fail2ban
sudo cp jail.conf jail.local
Step 3: General fail2ban configuration
Edit the fail2ban configuration file using your favourite text editor (I personally use ‘nano’):
sudo nano /etc/fail2ban/jail.local
The general settings live in the [DEFAULT] section and apply to every jail unless a jail overrides them.
ignoreip lists the addresses fail2ban must never ban (your own management hosts, for instance); entries are separated by spaces and may be single IPs, CIDR blocks or DNS names.
bantime is how long, in seconds, a blocked address stays blocked; 3600 means a one-hour ban.
maxretry is the number of failed attempts that triggers a ban. The attempts are only counted if they fall within the findtime window (10 minutes by default), so a slow attacker who spaces guesses further apart than findtime is never banned unless you raise findtime as well.
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 192.168.1.1
bantime = 3600
maxretry = 3
Step 4: Enabling ssh and ssh-ddos protection
Find the ssh configuration under the [ssh] heading and enable it:
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
Similarly, you can enable the [ssh-ddos] jail by changing its enabled value to “enabled = true”. Its filter matches the connection attempts that never reach authentication (the “Did not receive identification string” lines), which is why its maxretry is lower:
[ssh-ddos]
enabled = true
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 2
Note that these jail names come from the fail2ban 0.8 series shipped with Ubuntu at the time of writing; newer fail2ban releases call the jail [sshd] and fold the ddos patterns into the sshd filter’s mode setting, so check the headings in your own jail.conf.
Step 5: Enable Sending Notification Email (optional)
Optionally, fail2ban can send you a notification email whenever it bans an address. Locate the destemail setting and change it to your address:
destemail = firstname.lastname@example.org
Setting destemail alone is not enough: the jail’s action must also include a mail action (the action_mw and action_mwl variants defined in jail.conf, as opposed to the default ban-only action). Fail2ban can use the ‘sendmail’ or ‘mail’ program to deliver the notification, which is why sendmail was installed in Step 1.
Step 6: (Re-)start Fail2ban
After all is done, save the file and (re)start the fail2ban service:
sudo /etc/init.d/fail2ban restart
(On a systemd-based release, ‘sudo systemctl restart fail2ban’ does the same.)
You can test the configuration by deliberately failing to log in to your box from another machine a few times; do not use the console you are configuring from, and make sure that machine is not in ignoreip. Fail2ban’s own log is /var/log/fail2ban.log (auth.log is the file it watches, not the file it writes), and ‘sudo fail2ban-client status ssh’ shows the jail’s current counters and banned addresses.
For more information about fail2ban, you can read the official fail2ban manual.
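To make the maxretry / bantime / ignoreip settings from Steps 3 and 4 concrete, here is a small Python model of a single fail2ban jail run over a constructed auth.log excerpt. This is an added example, not fail2ban’s own code: the log lines are made up (RFC 5737 addresses), the regular expression is a simplified stand-in for fail2ban’s sshd filter, and the year is supplied by hand because syslog timestamps do not carry one. It also models findtime, which the configuration above leaves at its jail.conf default of 10 minutes, so you can see why a slow attacker escapes the ban until findtime is raised.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed /var/log/auth.log excerpt (made up for this example, not from a real host).
SAMPLE_AUTH_LOG = """\
Jan 12 10:00:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 12 10:00:03 web1 sshd[2203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 12 10:00:05 web1 sshd[2205]: Failed password for root from 203.0.113.5 port 51241 ssh2
Jan 12 10:00:09 web1 sshd[2210]: Failed password for bob from 192.168.1.1 port 40000 ssh2
Jan 12 10:00:10 web1 sshd[2211]: Failed password for bob from 192.168.1.1 port 40001 ssh2
Jan 12 10:00:11 web1 sshd[2212]: Failed password for bob from 192.168.1.1 port 40002 ssh2
Jan 12 10:00:20 web1 sshd[2220]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2
Jan 12 10:30:00 web1 sshd[2300]: Failed password for root from 198.51.100.9 port 50100 ssh2
Jan 12 10:45:00 web1 sshd[2301]: Failed password for root from 198.51.100.9 port 50101 ssh2
Jan 12 11:00:00 web1 sshd[2302]: Failed password for root from 198.51.100.9 port 50102 ssh2
"""

# Simplified stand-in for fail2ban's sshd filter: only the "Failed password" line is matched.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)


class Jail:
    """In-memory model of one fail2ban jail: maxretry, findtime, bantime and ignoreip."""

    def __init__(self, maxretry=3, findtime=600, bantime=3600, ignoreip=(), year=2024):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        # ignoreip entries may be single addresses or CIDR blocks, as in jail.local.
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.year = year  # syslog timestamps carry no year; assumed here
        self.failures = defaultdict(deque)  # ip -> timestamps of failures inside findtime
        self.bans = {}  # ip -> datetime at which the ban expires

    def is_ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def is_banned(self, ip, now):
        until = self.bans.get(ip)
        return until is not None and now < until

    def feed(self, line):
        """Process one log line; return (ip, unban_time) if it triggers a ban, else None."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        ip = m.group("ip")
        ts = datetime.strptime(f"{self.year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        if self.is_ignored(ip) or self.is_banned(ip, ts):
            return None
        window = self.failures[ip]
        window.append(ts)
        # Only failures within the last findtime seconds count towards maxretry.
        while window and ts - window[0] > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry:
            self.bans[ip] = ts + self.bantime
            window.clear()
            return ip, self.bans[ip]
        return None


def scan(log_text, jail):
    """Run every line through the jail and return the list of (ip, unban_time) bans issued."""
    return [b for b in (jail.feed(line) for line in log_text.splitlines()) if b]


if __name__ == "__main__":
    jail = Jail(maxretry=3, findtime=600, bantime=3600, ignoreip=("127.0.0.1", "192.168.1.1"))
    for ip, until in scan(SAMPLE_AUTH_LOG, jail):
        print(f"ban {ip} until {until}")
```

With the settings from the post (maxretry 3, bantime 3600, 192.168.1.1 in ignoreip) only 203.0.113.5 is banned: 192.168.1.1 fails three times but is whitelisted, and 198.51.100.9 spaces its three guesses 15 minutes apart, outside the 10-minute findtime, so it is never caught. Raising findtime to 3600 bans it as well.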
Allowing Secure Shell (SSH) remote login is a security risk for your system, as it opens your computer up to a host of malicious activity. One way to reduce the risk is to disallow root login over SSH, but that is not enough if your system has many users and you only want a few of them to be able to log in remotely.
This post details how to allow or restrict specific users from SSH-ing to your server by editing the /etc/ssh/sshd_config file.
DenyUsers / AllowUsers
These directives take a space-separated list of user names (patterns with * and ? are accepted) and decide who may authenticate at all. sshd evaluates the four access directives in a fixed order: DenyUsers, AllowUsers, DenyGroups, then AllowGroups. As soon as AllowUsers is present, every user not listed in it is refused, so a user you forget to add is silently locked out.
DenyUsers tom bob alice
AllowUsers mypapit johnmoffet
DenyGroups / AllowGroups
The group versions work the same way but are matched against the user’s primary and supplementary groups. A user admitted by AllowUsers is still refused if one of their groups matches DenyGroups or, when AllowGroups is set, none of their groups is listed in it.
DenyGroups users ftpusers
AllowGroups wheel developers
Ensure that the file is properly saved, check it with ‘sshd -t’ (a typo in sshd_config can otherwise stop the daemon from restarting), and restart the sshd server for the changes to take effect! Keep your current session open and test a fresh login from a second terminal before you disconnect, so that a mistake cannot lock you out of the box.
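Because the interaction between the four directives is where people lock themselves out, here is a small Python evaluator that applies sshd’s precedence (DenyUsers, AllowUsers, DenyGroups, AllowGroups) to the config fragment from this post. It is an added example, not OpenSSH code: patterns are matched with fnmatch as an approximation of sshd’s own wildcard matcher, the USER@HOST form of these directives is not modelled, and the group list passed in stands for the primary plus supplementary groups sshd would look up.

```python
from fnmatch import fnmatchcase

# Constructed sshd_config fragment using the directives from the post (plus one wildcard).
SSHD_CONFIG = """\
PermitRootLogin no
DenyUsers tom bob alice
AllowUsers mypapit johnmoffet dev-*
DenyGroups users ftpusers
AllowGroups wheel developers
"""

ACCESS_KEYS = ("DenyUsers", "AllowUsers", "DenyGroups", "AllowGroups")


def parse_access_lists(text):
    """Collect the four access directives; repeated lines accumulate into one list."""
    lists = {key: [] for key in ACCESS_KEYS}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, *values = line.split()
        if key in lists:
            lists[key].extend(values)
    return lists


def matches(name, patterns):
    # sshd accepts * and ? in these patterns; fnmatchcase is a close enough stand-in.
    return any(fnmatchcase(name, p) for p in patterns)


def login_allowed(user, groups, lists):
    """Apply sshd's order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.

    Returns (allowed, reason). `groups` is the user's primary and supplementary groups.
    """
    if matches(user, lists["DenyUsers"]):
        return False, "listed in DenyUsers"
    if lists["AllowUsers"] and not matches(user, lists["AllowUsers"]):
        return False, "not listed in AllowUsers"
    if any(matches(g, lists["DenyGroups"]) for g in groups):
        return False, "member of a DenyGroups group"
    if lists["AllowGroups"] and not any(matches(g, lists["AllowGroups"]) for g in groups):
        return False, "not a member of any AllowGroups group"
    return True, "allowed"


if __name__ == "__main__":
    lists = parse_access_lists(SSHD_CONFIG)
    for user, groups in [("mypapit", ["users"]), ("mypapit", ["wheel"]), ("tom", ["wheel"]),
                         ("dev-anna", ["developers"]), ("carol", ["developers"])]:
        print(user, groups, login_allowed(user, groups, lists))
```

The case to notice is mypapit: listed in AllowUsers, yet refused when the account’s primary group is ‘users’, because DenyGroups is checked after AllowUsers and wins. That is exactly the combination that locks an administrator out after an otherwise careful edit.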
Recommended Books for Secure Shell (SSH) Security
- Implementing SSH: Strategies for Optimizing the Secure Shell
- SSH, The Secure Shell: The Definitive Guide
- Pro OpenSSH (Expert’s Voice in Open Source)
Secure Shell, or SSH, is a service that lets users access a remote system securely. SSH servers that depend on password-based authentication, however, are exposed to dictionary (brute-force) attacks by crackers.
Luckily, iptables’ limit module, with its ‘--limit’ and ‘--limit-burst’ options, can cap the number of new SSH connections the server accepts in a period of time. Be aware that --limit is a single global counter, not a per-client one: the rule below throttles every source alike, so a determined attacker also throttles you. For a per-source cap use the hashlimit module (--hashlimit-mode srcip) or the connlimit rule shown earlier.
For example, to accept new SSH connections at 5 per minute, with a burst of 2 allowed before the rate kicks in, use these iptables rules:
iptables -A INPUT -p tcp --dport ssh --syn -m limit --limit 5/minute --limit-burst 2 -j ACCEPT
iptables -A INPUT -p tcp --dport ssh --syn -j DROP
Two details are easy to miss. The --syn match restricts both rules to connection-opening packets; without it, every packet of an established session also spends a token and a busy session gets throttled. And the limit rule must be followed by a rule that drops the SYNs it did not accept; otherwise those packets simply fall through to the chain’s default policy and nothing is limited (if your INPUT policy is already DROP, the second rule is redundant). The token bucket starts full with --limit-burst tokens (2 here) and refills at the --limit rate (one token every 12 seconds at 5/minute); each accepted connection attempt spends one. This makes a brute-force or dictionary attack slow enough to be uneconomical, but it is rate limiting rather than banning: the attacker still gets 5 guesses per minute, which is why fail2ban or key-only authentication is the stronger fix.
Read more about iptables --limit and --limit-burst in Linux Iptables Limit the number of incoming tcp connection / syn-flood attacks
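To see what a global --limit bucket does to a legitimate user while an attacker is hammering the port, here is an added Python simulation of the token bucket described above; it is a model, not netfilter code, and the SYN arrival times are constructed: one attacker sending a SYN every second and one administrator connecting at t=5.5 s and t=20 s. The per-source mode corresponds to what hashlimit in srcip mode provides (one bucket per client address), which is my assumption of the mapping rather than anything the original post states.

```python
from fractions import Fraction

# Constructed SYN arrival times in seconds (made up for this example, RFC 5737 addresses).
ATTACKER = "203.0.113.5"
ADMIN = "198.51.100.7"
SYN_ARRIVALS = sorted(
    [(Fraction(t), ATTACKER) for t in range(0, 30)]        # one SYN per second for 30 s
    + [(Fraction(11, 2), ADMIN), (Fraction(20), ADMIN)]    # admin tries at t=5.5 and t=20
)


class TokenBucket:
    """Idealised model of the limit match: at most `burst` tokens, refilled at `rate`/second.

    The real xt_limit module works in credits and jiffies, so edge timings differ slightly.
    """

    def __init__(self, rate_per_minute, burst):
        self.rate = Fraction(rate_per_minute, 60)
        self.burst = Fraction(burst)
        self.tokens = self.burst  # the bucket starts full, hence the initial burst
        self.last = Fraction(0)

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def simulate(arrivals, rate_per_minute=5, burst=2, per_source=False):
    """Return {ip: [accepted arrival times]}.

    per_source=False models '-m limit' (one bucket shared by everyone);
    per_source=True models a hashlimit-style bucket per client address.
    """
    buckets = {}
    accepted = {}
    for t, ip in arrivals:
        key = ip if per_source else "*"
        bucket = buckets.setdefault(key, TokenBucket(rate_per_minute, burst))
        accepted.setdefault(ip, [])
        if bucket.allow(t):
            accepted[ip].append(float(t))
    return accepted


if __name__ == "__main__":
    print("global  :", simulate(SYN_ARRIVALS))
    print("per-src :", simulate(SYN_ARRIVALS, per_source=True))
```

With the shared bucket the attacker drains the two burst tokens in the first second and then takes each refill token as it arrives (t=12, t=24), so both of the administrator’s attempts are dropped. With one bucket per source the attacker is held to the same 5-per-minute pace but the administrator gets in both times.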
I kept getting the message “ssh_exchange_identification: Connection closed by remote host” after I managed to finalize my CRUX Linux install on my decTOP box today. After enough looking into the documentation, I finally found out that I need to edit the “/etc/hosts.allow” file to allow SSH connections, for example:
or, for a more conservative setting:
I can connect to my box over ssh normally after that.