# Best way to block SSH attacks without a firewall



## mfaridi (Dec 13, 2008)

I use FreeBSD and I use DenyHosts to block SSH attacks. I do not want to use a firewall like PF or IPFW.
Can I find the best way to block SSH attacks?
DenyHosts blocks 200 SSH attackers for me in one day.
Can I find the best way???


----------



## graudeejs (Dec 13, 2008)

1) disable SSH (the most secure method, lol)
2) change the default port to a much higher one (by default it is port 22, everyone knows that)
3) use a long and hard-to-break password
4) disable root login over SSH; only allow a user to log in and then su, or even better sudo, to root (everyone knows there's a root on Unix)
5) change passwords frequently
n) try using Google for more


----------



## Lucian (Dec 13, 2008)

For me, changing the port has worked wonderfully against automated brute-force attempts.


----------



## SaveTheRbtz (Dec 13, 2008)

```
# cat pf.conf
block quick proto tcp from <brute> to any port 22
pass quick proto tcp from any to any port 22 keep state \
        (max-src-conn-rate 20/60, overload <brute> flush global)
```
works fine for me.

I had some trouble rewriting management shell scripts to use non-standard SSH ports.


----------



## danger@ (Dec 13, 2008)

even better would be to use ssh-keys rather than passwords;
other ideas are still applicable though.


----------



## graudeejs (Dec 13, 2008)

danger@ said:

> even better would be to use ssh-keys rather than passwords;
> other ideas are still applicable though.



I wanted to write that, but forgot... lol
Btw, is it possible to combine keys and passwords?


----------



## r-c-e (Dec 13, 2008)

Check out sshguard in ports; it can use hosts.deny instead of a firewall if you want to do it that way.


----------



## businessgeeks (Dec 14, 2008)

Changing the SSH port does a good job of discouraging casual hackers.


----------



## Pushrod (Dec 15, 2008)

I have it on port 2222 and on port 22, but 22 is blocked completely unless you are on my approved list of ssh-ers.

In other words, I use a firewall, which doesn't exactly answer your question.


----------



## braveduck (Dec 15, 2008)

I would suggest using all of the above:

1) Run ssh on another port
2) Use keys instead of passwords
3) Use firewall rules together with the port-knocking method (security/knock)


----------



## anomie (Dec 16, 2008)

mfaridi said:

> I do not want use Firewall like PF and IPFW ,
> can I find best way for block SSH



Do you specifically want to avoid a packet-filtering firewall? I.e., would TCP wrappers or @HOST sshd directives be acceptable?

To ask the question another way: Do you want to restrict access by subnet, but wish to avoid "firewalls" for some reason?


----------



## chrcol (Dec 18, 2008)

SaveTheRbtz said:

> # cat pf.conf
> 
> ```
> block quick proto tcp from <brute> to any port 22
> ...



That allows 20 every 60 seconds per IP, right? If exceeded, then it goes to the brute table?


----------



## SaveTheRbtz (Dec 18, 2008)

Correct. Maybe 60 is too many for SSH. You may set it to 10 or 5. But it is very unpleasant when your firewall is blocking your connection to the box.

We also use that system to block virus-infected spammers inside our network:

```
block quick proto tcp from <spammers> to any port 25
pass quick proto tcp from <grey_clients> to any port 25 keep state \
        (max-src-conn-rate 15/60, overload <spammers> flush global)
```
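As an added example (not code from anyone in this thread), the per-source rate logic that SaveTheRbtz's pf rule applies can also be driven from sshd's auth.log without a packet filter, which is the tcp-wrappers route anomie raises: the log lines below are constructed, the `limit`/`window_s` threshold is an assumption, and the output is in /etc/hosts.deny syntax.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of FreeBSD /var/log/auth.log lines (not real traffic);
# RFC 5737 documentation addresses stand in for attacker and admin hosts.
SAMPLE_LOG = """\
Dec 13 10:00:01 bsdbox sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Dec 13 10:00:03 bsdbox sshd[1202]: Failed password for invalid user test from 203.0.113.5 port 40002 ssh2
Dec 13 10:00:05 bsdbox sshd[1203]: Failed password for root from 203.0.113.5 port 40003 ssh2
Dec 13 10:00:20 bsdbox sshd[1204]: Accepted publickey for ops from 192.0.2.10 port 51000 ssh2
Dec 13 10:00:30 bsdbox sshd[1205]: Failed password for ops from 192.0.2.10 port 51001 ssh2
Dec 13 10:00:44 bsdbox sshd[1206]: Failed password for invalid user oracle from 203.0.113.5 port 40004 ssh2
Dec 13 10:05:00 bsdbox sshd[1207]: Failed password for invalid user guest from 198.51.100.7 port 6000 ssh2
Dec 13 10:20:00 bsdbox sshd[1208]: Failed password for invalid user guest from 198.51.100.7 port 6001 ssh2
Dec 13 10:40:00 bsdbox sshd[1209]: Failed password for invalid user guest from 198.51.100.7 port 6002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2008):
    """Yield (timestamp, source_ip) for each failed-password line; syslog omits the year."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def offenders(log_text, limit=3, window_s=60):
    """IPs with at least `limit` failures inside any `window_s`-second window.
    Same shape as pf's max-src-conn-rate limit/seconds, but fed from the log
    (limit and window here are assumed values, not a recommendation)."""
    recent = defaultdict(deque)
    blocked = set()
    for ts, ip in sorted(parse_failures(log_text)):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # drop attempts outside the window
            q.popleft()
        if len(q) >= limit:
            blocked.add(ip)
    return sorted(blocked)

def hosts_deny_lines(ips):
    """Render tcp-wrappers /etc/hosts.deny entries for the offending addresses."""
    return [f"sshd : {ip} : deny" for ip in ips]
```

Slow, spread-out guessing (198.51.100.7 above) slips under a 60-second window just as it would under the pf rule, so the window and threshold trade off against the lockout risk SaveTheRbtz mentions.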


----------



## syadnom (Dec 26, 2008)

1) limit ssh to specific networks in the ssh config
2) limit access to ssh from specific hosts
3) use keys and not passwords
4) change the ssh port from 22
5) limit ssh to specific user accounts
6) use a good password
7) obscure system access by allowing logins only to low-privilege accounts, and set up sudo to grant access to a privileged shell and only that


----------



## uisge (Dec 26, 2008)

I'm using the following strategy:

1) use a different port to get rid of annoying log entries
2) PermitRootLogin no
3) AllowUsers `<very odd and long username>` (only user allowed!)
4) that `<very odd and long username>` is an unprivileged user
5) su from `<very odd and long username>` into `<privileged user>`, which is a member of the wheel group
6) su from `<privileged user>` into root, if needed


----------



## BeastieBoy (Jul 4, 2010)

Old post, but still relevant and appears well ranked in search engines.

For me, changing the ssh port to `<something_else>` works very well. Kiddies won't spend time probing your ports and will move on to the neighbour's.


----------



## soupbowl (Jul 6, 2010)

What everyone else said is great.
As for me:
1. I use port 2222,
2. a strong password,
3. in /etc/sshd/sshd_config I use 'AllowUsers' and restrict who has access to log in,
4. I use denyhosts (http://www.freshports.org/security/denyhosts/). It rocks.


----------

