
Note, some of the techniques below are specific to OpenSSH installations. I also advise that when you are making changes to your SSH daemon, you always keep an active connection and test your new settings from a fresh connection. That way, if things don’t work as expected you still have that active connection to revert changes.
Step 1: Use a strong password
This one seems like a no-brainer, but you would be surprised by the number of people (admins included) that don’t adhere to this simple rule. I am totally shocked every time someone I work with supplies me with a password to a ‘critical’ system and, simply put, the password sucks. A prime example of this is the time I was given the Administrator password for a Windows NT primary domain controller: ‘openpdc’. Please, someone fire that guy…now.
Step 2: Only use SSH2
SSH1 has been deprecated in favor of SSH2. Most, if not all, modern SSH clients should support connecting via SSH2. It is a simple task to make your SSH daemon only accept connections via SSH2. Just fire up your favorite text editor and modify the sshd_config file, which is commonly found in /etc/ssh/sshd_config. Within that file, look for a line that looks like:
Protocol 1,2
And change it to:
Protocol 2
Now, restart your SSH daemon and the server is now only accepting SSH2 connections.
Step 3: Change the port
Most brute force attacks aren’t even really aimed at you specifically. They are just targeting random servers, or servers within a particular subnet. As such, the cracker does not do a port scan to determine what port your SSH daemon is running on. They simply attempt to brute force on port 22. So, changing your port is a good way to get rid of 90% of the noise.
Luckily changing your port is just as simple as forcing SSH2 was in the last step. Again, you will modify the sshd_config file. Look for a line that looks like:
#Port 22
Change it to appear as:
Port 41723
The five-digit number should be one that you randomly assign.
Step 4: Use brute force detection
So, you’ve done the first three steps and been proactive. Now, this last step is a purely defensive move. Installing some sort of brute force detection will shut down the cracker’s attempts once a pattern of abuse has been identified. One of the more popular packages, and the one I recommend, is BFD. When you have BFD in place, along with APF, if a cracker attempts to brute force you too many times, they are simply firewalled away. No more attempts to crack your box. It is wonderful in its simplicity.

Jun 30, 07:46 pm
Setting your sshd to accept only keys and no passwords also defeats password guessing.
PasswordAuthentication no
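As an added example (not part of the original post or the comment above), here is a small audit script that checks an sshd_config for the settings from Step 2, Step 3 and the commenter's PasswordAuthentication suggestion. It assumes two sshd behaviours worth knowing when you edit the file: the first value given for a keyword wins (a later duplicate line is silently ignored), and lines after a Match block apply only conditionally, so only the global section is audited. The sample config and the function names are constructed for the demo.

```python
import re

# Constructed sample config for the demo; not taken from any real host.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
#Port 22
Port 41723
Protocol 1,2
# the next line is ignored by sshd: the first value for a keyword wins
Protocol 2
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
"""

def parse_global_settings(text):
    """Map each keyword (lower-cased) to the first value sshd would use,
    stopping at the first Match block since later lines are conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):          # blank or comment line
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)               # first occurrence wins
    return settings

def audit(text):
    """Return findings for the hardening steps; an empty list means all pass."""
    s = parse_global_settings(text)
    findings = []
    if s.get("protocol") != "2":
        findings.append("Protocol: not pinned to 2, SSH1 may be accepted (step 2)")
    if s.get("port", "22") == "22":
        findings.append("Port: still the default 22 (step 3)")
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication: passwords still accepted (comment)")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_SSHD_CONFIG) or ["all checks passed"]:
        print(line)
```

Running it against the sample reports the stale Protocol 1,2 line and the global PasswordAuthentication yes, while the non-default port passes.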