
Block ssh brute force attack on OpenSuSe

A brute force attack consists of trying every possible code, combination, or password until you find the right one.

As an example, imagine a system which only allows 4 digit PIN codes. This means that there are a maximum of 10,000 possible PIN combinations.

From the example above, PIN security could be increased by:
    * Increasing the length of the PIN
    * Allowing the PIN to contain characters other than numbers, such as * or #
    * Imposing a 30 second delay between failed authentication attempts
    * Locking the account after 'x' failed authentication attempts

Here we implement options 3 and 4 on openSUSE using SuSEfirewall2 (the block applies to the source address rather than to an account).
Open the file /etc/sysconfig/SuSEfirewall2 in your favourite editor:

# Add the following rule
FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"

# Now restart the firewall:
rcSuSEfirewall2 restart

Now an attacker gets only 3 new SSH connection attempts from one source address within 60 seconds before further attempts from that address are dropped. Note that the firewall counts TCP connection attempts, not failed logins, so a legitimate user who opens several sessions in quick succession hits the same limit.
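To see what the hitcount/blockseconds rule does over time, here is a small model of it, added here and not code from SuSEfirewall2 or this post. It assumes the entry format network,protocol,dport,sport,flag=value,..., that exactly hitcount attempts pass before the block starts, and that attempts during the block refresh the window (the behaviour of the kernel recent match with --update); the addresses and timings are constructed.

```python
# Model of the SuSEfirewall2 hitcount/blockseconds rate limit (not SuSEfirewall2 code).
# Assumed entry format: network,protocol,dport,sport,flag=value,...
from collections import defaultdict, deque

RULE = "0.0.0.0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"  # from the post


def parse_accept_entry(entry):
    """Split one FW_SERVICES_ACCEPT_EXT entry into positional fields and flags."""
    fields = entry.split(",")
    net, proto, dport, sport = (fields + [""] * 4)[:4]
    flags = dict(f.split("=", 1) for f in fields[4:] if "=" in f)
    return {"net": net, "proto": proto, "dport": dport, "sport": sport, **flags}


class RecentTable:
    """Per-source timestamps, like the kernel recent match keeps per list name."""

    def __init__(self, hitcount, seconds):
        self.hitcount, self.seconds = hitcount, seconds
        self.stamps = defaultdict(deque)  # src address -> recent attempt times

    def new_connection(self, src, now):
        """Verdict for a NEW TCP connection from src at time now (in seconds).
        Assumption: the first hitcount attempts in the window pass; a dropped
        attempt still adds a stamp, so a persistent attacker stays blocked."""
        q = self.stamps[src]
        while q and now - q[0] >= self.seconds:
            q.popleft()  # stamps that fell out of the window no longer count
        q.append(now)
        return "DROP" if len(q) > self.hitcount else "ACCEPT"


def verdicts(entry, events):
    """Run constructed (src, time) connection attempts through the rule in entry."""
    rule = parse_accept_entry(entry)
    table = RecentTable(int(rule["hitcount"]), int(rule["blockseconds"]))
    return [table.new_connection(src, t) for src, t in events]


if __name__ == "__main__":
    # Constructed sample: a brute forcer, and an admin opening four sessions quickly.
    events = [("198.51.100.7", 0), ("198.51.100.7", 5), ("198.51.100.7", 10),
              ("198.51.100.7", 15), ("203.0.113.5", 30), ("203.0.113.5", 31),
              ("203.0.113.5", 32), ("203.0.113.5", 33), ("198.51.100.7", 90)]
    for (src, t), v in zip(events, verdicts(RULE, events)):
        print(f"t={t:3d} {src:14s} {v}")
```

The admin's fourth session at t=33 is dropped just like the attacker's fourth attempt, which is the trade-off to weigh before choosing hitcount.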

I hope this tutorial has been useful for you too! If you've enjoyed this post, please consider subscribing to Linuxpoison for future updates and more.


4 comments:

Patrick Regan said...

I think you mean options 3 & 4 not 2 & 3.

Otherwise good post. Something I like to use is DenyHosts.

http://denyhosts.sourceforge.net/

Works wonders for me.

MarsianMan said...

I don't know about using OpenSuse, but on Debian I really like DenyHosts. It supports centralized blocklists (optionally, of course) and blocks addresses based on customized combinations of attempts and time. I can set it to block an address if they try more than twice (or 100 times) in 30 minutes (or 3 days). It can also remove addresses from the blocklist after a designated time.

j said...

It can be all of them:

* firewall
iptables...--limit 3/minute--limit-burst 1...
* inetd hosts.allow/deny
* fail2ban
* sshd_config : PasswordAuthentication = no

Anonymous said...

I used to like DenyHosts but found it vulnerable to log injection attacks where an attacker injects strings into your logs, resulting in any IP they select getting blocked.
See: http://www.ossec.net/main/attacking-log-analysis-tools

I now use IPtables to rate limit new SSH connections.
http://www.rackaid.com/resources/how-to-block-ssh-brute-force-attacks/
