# SSH Protection



## jalvaradog (Apr 19, 2009)

Hi.
I set up a server with Apache and SSH a few days ago and since then I've seen some attacks on my server, mostly with a dictionary, kind of trying to guess my user and password. Fortunately none of them is my user, and I don't think it will be that easy (but not impossible) to guess my password since it has some security, you know, numbers, uppercase, lowercase and stuff like that. My question is: when the attack starts, can anyone tell me please how to stop it? Or some advice about security for my server?

I hope everyone has a nice afternoon, thanks


----------



## vivek (Apr 19, 2009)

You can try any one of the following:

Firewall ssh and allow access from your own static IP only. 

Use pf firewall to limit connection per second. See this example - http://keith.dev-x.net/2008/01/25/EnableAutomaticDefenceAganistSSHAttacksOnFreeBSDUsingPF.aspx

Run the ssh server on a different port such as 322

Turn off password-based authentication and only use ssh public-key-based authentication

Install denyhosts http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/denyhosts/ to drop attacking IPs.

Disable root login.


----------
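The sshd_config settings in vivek's list (no root login, no password authentication, public keys only) can be checked mechanically. The script below is an added example, not code from the thread or from FreeBSD; it assumes the OpenSSH sshd_config(5) keyword names and constructs two sample config files inline. It also checks ChallengeResponseAuthentication, which the list above does not mention: with PAM enabled, leaving it on still lets sshd prompt for a password via keyboard-interactive authentication even after PasswordAuthentication is set to no.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD: audit an sshd_config(5)
# file for the hardening settings suggested above. Prints one WEAK/UNSET line
# per finding and returns 0 only when every check passes.
#
# sshd_config keywords are case-insensitive, the first occurrence of a keyword
# wins, and everything after the first "Match" line is conditional, so the
# awk keeps only the first global value of each keyword.
audit_sshd_config() {   # usage: audit_sshd_config /path/to/sshd_config
    awk '
        /^[ \t]*(#|$)/ { next }                        # comments and blank lines
        tolower($1) == "match" { exit }                # global section ends here
        { k = tolower($1); if (!(k in val)) val[k] = tolower($2) }

        function want(key, expect, label,    got) {
            if (!(key in val)) { print "UNSET", label, "(want " expect ")"; return 1 }
            got = val[key]
            if (got != expect) { print "WEAK", label "=" got, "(want " expect ")"; return 1 }
            return 0
        }

        END {
            bad = 0
            bad += want("permitrootlogin", "no", "PermitRootLogin")
            bad += want("passwordauthentication", "no", "PasswordAuthentication")
            # with PAM, keyboard-interactive logins still take passwords unless this is off too
            bad += want("challengeresponseauthentication", "no", "ChallengeResponseAuthentication")
            bad += want("pubkeyauthentication", "yes", "PubkeyAuthentication")
            exit (bad > 0)
        }
    ' "$1"
}

# two constructed sample configs: a typical "as installed" one and a hardened one
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
# constructed: the conditional "no" below must not mask the global "yes"
Match User backup
    PasswordAuthentication no
EOF
cat > "$HARD_CFG" <<'EOF'
Port 322
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers alice
EOF

for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    if audit_sshd_config "$cfg"; then echo "$cfg: OK"; else echo "$cfg: needs attention"; fi
done
```

Run it against /etc/ssh/sshd_config before restarting sshd; the Match handling matters because a per-user `PasswordAuthentication no` inside a Match block does nothing for the rest of the server.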



## danger@ (Apr 19, 2009)

You may have a look at security/bruteforceblocker, too.


----------



## SirDice (Apr 19, 2009)

I use sshguard which can use a variety of firewalls to block bruteforce attacks. Works like a charm.


----------



## danger@ (Apr 20, 2009)

http://forums.freebsd.org/misc.php?do=bbcode#port


----------



## jalvaradog (Apr 20, 2009)

Hey!
I'm new around this forum and already got some good info!!!
Thanks guys, I knew moving from Linux to FreeBSD wasn't a bad idea!
I will be around and i will help this community...


----------



## SirDice (Apr 20, 2009)

danger@ said:

> http://forums.freebsd.org/misc.php?do=bbcode#port



security/sshguard only shows the sshguard port, not the slave ports.


----------



## mfaridi (Apr 20, 2009)

I use denyssh, it works well and works like a charm, and it blocks many IPs for me.


----------



## vivek (Apr 20, 2009)

denyssh should work with jails also. PF-related tools need the real host operating system.


----------



## gnemmi (Apr 20, 2009)

By just running your sshd on a higher port (like 44422) you'll reduce the number of BF attacks to almost 0.

If that isn't good enough, go for pf and or security/bruteforce and then you'll have solved your problem  =)


----------



## tobe (Apr 23, 2009)

SirDice said:

> I use sshguard which can use a variety of firewalls to block bruteforce attacks. Works like a charm.



I've increased the time an IP is kept in the sshguard table to 24 hours (-p 86400), so my daily security emails are shorter now.

PS: I don't like to use services on non-standard ports, as I tend to forget the port ^^


----------



## johnblue (Apr 29, 2009)

tobe said:

> PS: I don't like to use services on non-standard ports, as I tend to forget the port ^^


me too.


----------



## mwatkins (May 3, 2009)

jalvaradog said:

> I set up a server with apache and ssh a few days ago and since then i've seen some attacks to my server, mostly with a dictionary, kind of trying to guess which is my user and password



If you have a limited number of users or only you - use public key rather than password auth and don't worry about the dictionary attacks.

If for some reason you need to keep password auth available, then consider using a firewall - pf - to limit what dictionary attackers can do. Here's a snippet from my pf configuration:


```
# view the table with "sudo pfctl -t ssh-offenders -T show"
table <ssh-offenders> persist 
# offenders lose ssh and get nothing else either - nada
block drop in quick from <ssh-offenders> to any
pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 50, max-src-conn-rate 4/10, overload <ssh-offenders> flush)
```

You'll start to see addresses show up in the table soon enough. What the rule does is add any IP which attempts to make an ssh connection 4 times in 10 seconds to the table ssh-offenders.

Want to see where they are coming from? Install GeoIP from /usr/ports/net/GeoIP, run `sudo geoipupdate.sh` to get the latest table installed, and then execute:


```
for ip in `sudo pfctl -t ssh-offenders -T show`;do echo -n "$ip";geoiplookup $ip;done | sed 's/GeoIP Country Edition: /      /' | sort -k 2,2
```

You'll get output like the following (a real example of who has been attacking one of my servers just commissioned over the past few days):


```
201.48.0.117    BR, Brazil
117.32.129.38   CN, China
121.15.207.100  CN, China
123.233.245.226 CN, China
218.22.25.10    CN, China
219.134.242.67  CN, China
219.237.242.165 CN, China
221.122.102.17  CN, China
88.208.119.124  CZ, Czech Republic
217.219.67.86   IR, Iran, Islamic Republic of
194.177.97.103  IT, Italy
202.79.25.251   KH, Cambodia
93.95.65.44     MK, Macedonia
89.238.221.138  RO, Romania
140.113.217.150 TW, Taiwan
173.45.76.212   US, United States
```


----------
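mwatkins' pf rule keys on connection rate at the packet filter; sshguard and denyhosts, mentioned earlier in the thread, key on sshd's log instead. The script below is an added example, not from the thread or from any of those tools: a small log scanner that applies the same "4 in 10 seconds" threshold to constructed /var/log/auth.log lines and reports which source addresses would have been blocked. It assumes the OpenSSH `Failed password for ... from <ip>` log format and does only approximate date math (no year, 31-day months), which is enough to order events inside a short window.

```shell
#!/bin/sh
# Added example, not from the thread or from sshguard/denyhosts: flag source
# addresses that accumulate MAXTRIES "Failed password" lines within WINDOW
# seconds, the log-side counterpart of pf's max-src-conn-rate 4/10.
#
# Assumes OpenSSH auth.log lines such as
#   Apr 19 14:02:11 srv sshd[1201]: Failed password for root from 203.0.113.7 port 51244 ssh2
# Syslog timestamps carry no year, so the date math only has to order events
# inside a short window, not be calendar-exact.
ssh_offenders() {   # usage: ssh_offenders LOGFILE MAXTRIES WINDOW_SECONDS
    awk -v max="$2" -v win="$3" '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i in m) mon[m[i]] = i
        }
        # count only real authentication failures: one line per attempt, and
        # "Accepted ..." lines never match
        /sshd\[[0-9]+\]: Failed password for / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            split($3, t, ":")
            now = ((mon[$1] * 31 + $2) * 24 + t[1]) * 3600 + t[2] * 60 + t[3]
            n[ip]++
            ts[ip, n[ip]] = now
            if (ip in flagged) next              # report each address once
            cnt = 0                              # failures inside the sliding window
            for (k = n[ip]; k >= 1 && ts[ip, k] >= now - win; k--) cnt++
            if (cnt >= max) {
                flagged[ip] = 1
                print ip, "reached", max, "failures within", win "s at", $1, $2, $3
            }
        }
    ' "$1"
}

# constructed sample log using RFC 5737 documentation addresses, not real attackers
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Apr 19 14:02:11 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Apr 19 14:02:13 srv sshd[1203]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Apr 19 14:02:15 srv sshd[1205]: Failed password for root from 203.0.113.7 port 51244 ssh2
Apr 19 14:02:18 srv sshd[1207]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
Apr 19 14:02:40 srv sshd[1209]: Failed password for invalid user admin from 203.0.113.7 port 51260 ssh2
Apr 19 14:05:01 srv sshd[1220]: Failed password for alice from 198.51.100.4 port 40022 ssh2
Apr 19 14:09:30 srv sshd[1231]: Failed password for alice from 198.51.100.4 port 40030 ssh2
Apr 19 14:09:31 srv sshd[1240]: Accepted publickey for alice from 198.51.100.4 port 40031 ssh2
Apr 19 14:10:02 srv sshd[1250]: Failed password for invalid user guest from 192.0.2.9 port 3333 ssh2
Apr 19 14:10:05 srv sshd[1252]: Failed password for invalid user guest from 192.0.2.9 port 3334 ssh2
Apr 19 14:10:20 srv sshd[1254]: Failed password for invalid user guest from 192.0.2.9 port 3335 ssh2
Apr 19 14:10:22 srv sshd[1256]: Failed password for invalid user guest from 192.0.2.9 port 3336 ssh2
EOF

# same threshold as the pf rule above: 4 attempts in 10 seconds
ssh_offenders "$SAMPLE_LOG" 4 10
```

With the sample above only 203.0.113.7 trips the 4-in-10-seconds rule; the user who mistyped a password twice over several minutes and then logged in with a key does not. The pf rule counts TCP connections rather than failed logins, so it fires earlier but also catches a legitimate user who opens several sessions quickly; reading the log instead trades that false positive for a few extra attempts before the block.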



## jalvaradog (May 4, 2009)

*Thanks to everyone*

Hi...
Thanks everybody, I fixed the problem using pf just a couple of weeks ago. Sorry I didn't reply, it's just the time at my work... you must know


----------

