I want to decrease the likelihood of a successful ssh attack on a linux system. The only port that is open is 22 (I use port forwarding for everything else), and of course I made sure that ssh accepts only key-pair-based logins (no passwords).
The volume of failed ssh login attempts (output of last -f /var/log/btmp) was fairly large (as anybody opening up port 22 should expect), so for the last 2+ years I've been relying on a variation af the iptables-based solutions often mentioned to block ssh attacks, for example Hundreds of failed ssh logins.
One annoying drawback of such a scheme is that it limits the number of new connections from an ip address per amount of time, no matter whether previous connections from that ip were successful or not and whether they were trying to log in as the same user or not. Imagine a script containing half a dozen of rsync commands used from abroad to update various areas on that server: it typically hits the "new connection limit" and fails somewhere in the middle. The same goes if several users behind a router (showing up as the same IP address) do connect on my server more or less at the same time.
So, I am wondering if, without resorting to parsing the /var/log files, it is possible to implement the following strategy with iptables:
- accept established connections
- allow new connections from previously successful connections
- put IPs with failed connections in jail for some time
Bonus points:
- Same as above, but allowing/jailing specific
user@ipinstead of everybody@ip.
And to attempt to curb botnet attacks:
- Temporarily put in jail a user (no matter which IP (s)he connects from) after a failed ssh attempt.
Without parsing logfiles, you can't know if an ssh login attempt was succesful. Fortunately you don't have to parse those logfiles yourself. fail2ban can do this for you. I generally jail an IP for a week after 3 failed login attempts.
2020 Update
Nowadays I just use
sshguard(on containers) orfail2banwithipset(vm's / bare metal) - all with public keysshlistening on a non standard port. I still limit access to this port withiptablesto my static ip's. Myfail2banconfig blocks attackers for 2 days withbantime = 48h. I still use avpnbut am switching towireguard.See also:
SSH Hardening to add 2 Factor Authentication
Onlykey SSH setup to put your
sshkeys onto a Security Key. It also works withgpgkeys. It is much more secure than having your private keys on your pc. It is physically more secure than a Yubikey due to Onlykey being PIN protected.How to back up your 2FA secret keys with KeePassXC
Use a disposable Qubes vm for generating your keys
I also use Onlykey to secure KeepassXC as a
HMAC-SHA12nd Factor. It can also be used with Linux PAM to login to your system & be required forsudo.With this setup I do not worry about
sshbeing exploited.First of all do not have
sshlisten onport 22to reduce the chance of your port being found by automated scanners.Also use
psadto automatically block hosts which scan your machine for a configurable amount of time (1 hour by default).A very simple solution is to just rent a
64 or 128 megopenvzcontainer & configureopenvpnso you have afixed ip address& then limit youriptablesrule to--source vpn.ip.addresson the host you wish to protect.A better solution is to completely stealth your
sshport withfwknop. There is then no need to runfail2banas yoursshport is closed until you send agpgsigned & encrypted packet from thefwknop-clientwhich will open your firewall for a configurable amount of time (30 seconds by default). You can also configurefwknopto only accept certain ip addresses (such as yourvpn).I have some quite extensive notes here for
fwknop.If you are serious about
sshsecurity you should also be usinged25519keys. More notes here for using secure ciphers withopenssh. Another a good choice istinysshwhich has no dependency onopenssl& is secure by default.All of the software mentioned here exists in Alpine Linux which also benefits from address space layout randomization via
PaXin it's Grsecurity kernel.