
#1 2020-03-16 02:36:34

AquaSZS
Member
Registered: 2016-06-26
Posts: 19

Defending against distributed brute-force SSH attempts

I have been receiving constant SSH login attempts lately, each from different IP addresses on different ports. Thankfully, I have set up RSA key login, so they have nearly zero chance of succeeding. However, the sheer volume of these attempts still concerns me and clogs system logs.

What can I do to mitigate this? Conventional suggestions like Fail2Ban won't work in this case, since the attacker never uses the same IP again.

Sample log (this goes on for days!):

Mar 14 00:01:43 march sshd[15526]: Connection closed by 121.229.59.100 port 49818 [preauth]
Mar 14 00:01:47 march sshd[15528]: Connection closed by 46.218.85.122 port 50536 [preauth]
Mar 14 00:12:34 march sshd[15534]: Connection closed by 158.174.171.23 port 53174 [preauth]
Mar 14 00:34:50 march sshd[15540]: Connection closed by 14.29.177.149 port 52466 [preauth]
Mar 14 00:38:52 march sshd[15542]: Connection closed by 187.217.199.20 port 49862 [preauth]
Mar 14 00:41:30 march sshd[15545]: Connection closed by 51.38.48.242 port 46436 [preauth]
Mar 14 00:42:22 march sshd[15548]: Connection closed by 202.107.238.14 port 33608 [preauth]
Mar 14 00:43:12 march sshd[15550]: Connection closed by 159.65.12.204 port 36232 [preauth]
Mar 14 00:50:39 march sshd[15553]: Connection closed by 201.192.152.202 port 60492 [preauth]
Mar 14 00:51:47 march sshd[15555]: Connection closed by 157.245.110.95 port 36942 [preauth]
...

Last edited by AquaSZS (2020-03-16 02:37:21)

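The opening post makes two claims worth checking against the log itself: that the attempts come from a different address every time, and that per-IP banning (Fail2Ban, sshguard) therefore has nothing to grab onto. The script below is an added example, not code from the thread; it parses the ten syslog-style sshd lines quoted above, counts events per source address, and reports whether the pattern is "distributed" (the 0.8 spread threshold and the maxretry of 3 are assumptions chosen for the example). The optional "authenticating user" / "invalid user" wording in the regex covers the form newer OpenSSH releases use for the same preauth event.

```python
"""Triage sshd "[preauth]" noise and show why per-IP banning misses it.

Added example written for this thread, not the poster's code. It works on the
log format shown in the opening post; the distributed-pattern threshold is an
assumption, not a value from the thread.
"""
import re
from collections import Counter
from datetime import datetime

# The ten log lines quoted in the opening post (host "march").
SAMPLE_LOG = """\
Mar 14 00:01:43 march sshd[15526]: Connection closed by 121.229.59.100 port 49818 [preauth]
Mar 14 00:01:47 march sshd[15528]: Connection closed by 46.218.85.122 port 50536 [preauth]
Mar 14 00:12:34 march sshd[15534]: Connection closed by 158.174.171.23 port 53174 [preauth]
Mar 14 00:34:50 march sshd[15540]: Connection closed by 14.29.177.149 port 52466 [preauth]
Mar 14 00:38:52 march sshd[15542]: Connection closed by 187.217.199.20 port 49862 [preauth]
Mar 14 00:41:30 march sshd[15545]: Connection closed by 51.38.48.242 port 46436 [preauth]
Mar 14 00:42:22 march sshd[15548]: Connection closed by 202.107.238.14 port 33608 [preauth]
Mar 14 00:43:12 march sshd[15550]: Connection closed by 159.65.12.204 port 36232 [preauth]
Mar 14 00:50:39 march sshd[15553]: Connection closed by 201.192.152.202 port 60492 [preauth]
Mar 14 00:51:47 march sshd[15555]: Connection closed by 157.245.110.95 port 36942 [preauth]
"""

# Syslog-style sshd line. The optional "authenticating user X" / "invalid user X"
# part covers the wording newer OpenSSH releases use for the same event.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Connection closed by (?:(?:authenticating|invalid) user \S+ )?"
    r"(?P<ip>\S+) port (?P<port>\d+) \[preauth\]$"
)


def parse_events(text):
    """Return one dict per matching line; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            # syslog timestamps carry no year; strptime fills in 1900, which is
            # fine for measuring spans inside a single month
            "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "ip": m["ip"],
            "port": int(m["port"]),
        })
    return events


def fail2ban_candidates(events, maxretry=3):
    """Addresses a per-IP rule (Fail2Ban/sshguard style) would actually ban."""
    per_ip = Counter(e["ip"] for e in events)
    return {ip for ip, n in per_ip.items() if n >= maxretry}


def summarize(events, spread_threshold=0.8):
    """Aggregate the events and flag a distributed (one hit per address) pattern.

    spread_threshold is an assumed cut-off: when at least that fraction of the
    events comes from a distinct address, per-IP banning cannot keep up.
    """
    if not events:
        return {"total": 0, "unique_ips": 0, "max_per_ip": 0,
                "span_seconds": 0, "distributed": False}
    per_ip = Counter(e["ip"] for e in events)
    times = sorted(e["ts"] for e in events)
    total = len(events)
    return {
        "total": total,
        "unique_ips": len(per_ip),
        "max_per_ip": max(per_ip.values()),
        "span_seconds": int((times[-1] - times[0]).total_seconds()),
        "distributed": total >= 5 and len(per_ip) / total >= spread_threshold,
    }


if __name__ == "__main__":
    import sys
    # Feed real data with: journalctl -u sshd -o short --no-pager | python3 triage.py
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    ev = parse_events(text)
    print(summarize(ev))
    print("per-IP ban (maxretry=3) would catch:", fail2ban_candidates(ev) or "nothing")
```

On the quoted sample every one of the ten events comes from a different address, so the per-IP ban set is empty, which is exactly the poster's complaint; the useful signal here is the aggregate (unique addresses per hour), not any single source.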

#2 2020-03-16 02:43:54

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 17,116

Re: Defending against distributed brute-force SSH attempts

Yep. I do use sshguard just to cut down on noise in the journal, and to provide a level of satisfaction as addresses are banned.

But it is like farting in the wind. Nothing beats locking down sshd by denying password logins.


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way


#3 2020-03-16 07:16:04

kokoko3k
Member
Registered: 2008-11-14
Posts: 1,941

Re: Defending against distributed brute-force SSH attempts

1) It is not "on", but "from" different ports.
...so changing the listening port from time to time should help.

2) If it is feasible for your use cases, check port knocking too: https://wiki.archlinux.org/index.php/Port_knocking

Last edited by kokoko3k (2020-03-16 07:19:27)


#4 2020-03-16 08:38:45

seth
Member
Registered: 2012-09-03
Posts: 14,014

Re: Defending against distributed brute-force SSH attempts

In addition and if legit inbound is geographically limited: https://linoxide.com/linux-how-to/block … ip-addons/
While not a real security measure, moving away from ports 22 & 443 will keep the kids out.

You want to establish the IP/port blocks as far out as possible (e.g. in your consumer router if this is a private system) to prevent DDoS effects.

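Posts #2 through #4 converge on the same sshd-side measures: deny password logins outright, keep key authentication, and treat a non-default port as noise reduction rather than a security control. As an added example (not from the thread or from OpenSSH), the script below parses an sshd_config text and reports which of those settings are still at their permissive value. Both configuration texts are constructed for the example, the port 2222 in the hardened one is an arbitrary non-default choice, and the keyword defaults encoded in DEFAULTS are the ones documented in the OpenSSH manual page.

```python
"""Audit an sshd_config for the settings discussed in this thread.

Added example, not from the thread. Both config texts are constructed. The
parser handles plain "Keyword value" lines and stops at the first Match block,
whose conditional settings are out of scope here.
"""

# Constructed: the permissive configuration a password-guessing campaign relies on.
WEAK_CONFIG = """\
# sshd_config (constructed sample, weak)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
X11Forwarding yes
"""

# Constructed: key-only login as recommended in the thread. 2222 is an
# arbitrary non-default port chosen for the example.
HARDENED_CONFIG = """\
# sshd_config (constructed sample, hardened)
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 3
LoginGraceTime 30
"""

# Values sshd applies when the keyword is absent (per sshd_config(5)).
# ChallengeResponseAuthentication is an alias of KbdInteractiveAuthentication
# in newer releases; older ones read it as its own keyword.
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "maxauthtries": "6",
}


def parse_sshd_config(text):
    """Return {keyword: value}; as in sshd, the first occurrence of a keyword wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" and "Keyword=value"
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # conditional blocks are out of scope for this check
        settings.setdefault(key, value)
    return settings


def effective(settings, key):
    """Value in force for a keyword, falling back to the sshd default."""
    return settings.get(key, DEFAULTS[key]).lower()


def audit(settings):
    """Return (severity, keyword, message) findings; an empty list means clean."""
    def eff(key):
        return effective(settings, key)

    findings = []
    if eff("passwordauthentication") != "no":
        findings.append(("high", "PasswordAuthentication",
                         "password logins are enabled; set to 'no' so guesses cannot succeed"))
    if eff("kbdinteractiveauthentication") != "no" or eff("challengeresponseauthentication") != "no":
        findings.append(("high", "KbdInteractiveAuthentication",
                         "keyboard-interactive (PAM) can still prompt for a password; "
                         "set it and ChallengeResponseAuthentication to 'no'"))
    if eff("permitrootlogin") == "yes":
        findings.append(("high", "PermitRootLogin",
                         "root may log in with a password; use 'no' or 'prohibit-password'"))
    if eff("pubkeyauthentication") != "yes":
        findings.append(("high", "PubkeyAuthentication",
                         "key login is disabled; with passwords off nothing would be left"))
    if eff("port") == "22":
        findings.append(("info", "Port",
                         "default port; moving it only cuts scanner noise, it is not a security control"))
    if int(eff("maxauthtries")) > 3:
        findings.append(("low", "MaxAuthTries",
                         "more than 3 attempts per connection; lowering it shortens each scanner's session"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(parse_sshd_config(text)) or "no findings")
```

Run it against the live file with a one-liner such as `python3 -c 'import audit_sshd; print(audit_sshd.audit(audit_sshd.parse_sshd_config(open("/etc/ssh/sshd_config").read())))'`, and after changing any of these keywords run `sshd -t`, which checks the configuration for syntax errors before the daemon is reloaded.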

#5 2020-03-16 14:58:27

kokoko3k
Member
Registered: 2008-11-14
Posts: 1,941

Re: Defending against distributed brute-force SSH attempts

ewaller wrote:

Yep. I do use sshguard just to cut down on noise in the journal

Can I ask you how you kept ssh logs out of the systemd journal (if I understood properly!)?


#6 2020-03-16 16:18:44

herOldMan
Member
Registered: 2013-10-11
Posts: 109

Re: Defending against distributed brute-force SSH attempts

Reject them at the gateway, not the workstation.

I have pfSense firewall/gateway/routers deployed in several locations. They allow you to ban by subnet, country, and blocklists of bad actors.
