In the digital age, securing your server from online threats is of utmost importance. One of the most common types of attacks is SSH brute-force attacks. This article will guide you through various steps to secure your Ubuntu server from these attacks.
To secure your Ubuntu server from SSH brute-force attacks, you can implement RSA authentication, limit connections using iptables, whitelist trusted users, change the SSH port, use tools like fail2ban or denyhosts, monitor and restrict network access, and regularly update your server’s software and apply security patches.
Understanding SSH Brute-Force Attacks
SSH (Secure Shell) brute-force attacks involve an attacker attempting to gain access to your server by guessing the login credentials. The attacker uses automated scripts to try multiple combinations of usernames and passwords until they find a match.
Step 1: Implement RSA Authentication
One of the most effective ways to prevent SSH brute-force attacks is to use RSA authentication. This method replaces password authentication with public/private key authentication, which is more secure.
To generate a new RSA key pair, use the following command:
ssh-keygen -t rsaThis command will create a new RSA key pair and store it in the .ssh directory in your home folder. The -t rsa option specifies the type of key to create.
Step 2: Limit Connections Using iptables
iptables is a powerful firewall built into Linux systems. You can use it to limit the number of SSH connections per minute, making brute-force attacks less effective.
Here are some example iptables rules:
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROPIn these commands, -A INPUT appends a rule to the INPUT chain, -p tcp --dport 22 specifies TCP protocol and port 22 (SSH), -m state --state NEW matches new connections, and -m recent --set --name SSH sets up the recent module with a specific name. The --update --seconds 60 --hitcount 4 --rttl options limit new connections to 4 per minute. The LOG and DROP targets log the matched packet and drop it, respectively.
Step 3: Whitelist Trusted Users
To ensure that trusted users are not affected by the connection limits, you can create a whitelist. Here are the iptables rules for the whitelist:
iptables -N SSH_WHITELIST
iptables -A SSH_WHITELIST -s $TRUSTED_HOST -m recent --remove --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROPIn these commands, -N SSH_WHITELIST creates a new chain named SSH_WHITELIST, and -s $TRUSTED_HOST specifies the trusted host’s IP address. The --remove option removes the source IP from the list, and -j ACCEPT accepts the packet.
Step 4: Change the SSH Port
Changing the default SSH port (22) to a non-standard port can help reduce the number of brute-force attacks as attackers often target the default port.
To change the SSH port, edit the SSH configuration file using the following command:
sudo nano /etc/ssh/sshd_configFind the line that says Port 22 and change 22 to your desired port number. Save and close the file, then restart the SSH service with sudo service ssh restart.
Step 5: Use fail2ban or denyhosts
Tools like fail2ban or denyhosts can automatically detect and block IP addresses that attempt brute-force attacks. These tools monitor the server logs and add offending IP addresses to the blocklist.
To install fail2ban, use the following command:
sudo apt-get install fail2banStep 6: Monitor and Restrict Network Access
Work with your network administrator to monitor and restrict network access to the server. This can help prevent simple DoS/DDoS attacks and limit the exposure of the server to potential attackers.
Regular Updates and Patches
Lastly, remember to regularly update your server’s software and apply security patches. This will ensure that the latest security measures are in place.
By following these steps, you can significantly enhance the security of your Ubuntu server and protect it from SSH brute-force attacks.
SSH brute-force attack is a type of cyber attack where an attacker uses automated scripts to repeatedly attempt to gain unauthorized access to a server by guessing the login credentials, such as usernames and passwords.
RSA authentication is more secure than password authentication because it uses public/private key pairs. The server holds the public key, while the user keeps the private key. This eliminates the need to transmit passwords over the network, making it harder for attackers to intercept and guess the correct credentials.
To generate a new RSA key pair, you can use the ssh-keygen command with the -t rsa option. This command will create a new RSA key pair and store it in the .ssh directory in your home folder.
You can limit SSH connections using iptables by adding specific rules to the firewall configuration. These rules can restrict the number of SSH connections per minute from a specific IP address, making brute-force attacks less effective.
To create a whitelist of trusted users, you can use iptables to allow specific IP addresses or ranges. By adding rules to the firewall configuration, you can ensure that trusted users are not affected by the connection limits imposed to prevent brute-force attacks.
Changing the default SSH port from 22 to a non-standard port can help reduce the number of brute-force attacks. Attackers often target the default port, so changing it can make it harder for them to find and attack your server.
fail2ban and denyhosts are tools that can automatically detect and block IP addresses that attempt brute-force attacks on your server. These tools monitor the server logs and add offending IP addresses to a blocklist, effectively preventing further access attempts from those addresses.
You can install fail2ban by using the sudo apt-get install fail2ban command. This command will download and install the fail2ban package from the Ubuntu repositories.
Monitoring and restricting network access to your server is important to prevent simple DoS/DDoS attacks and limit the exposure of your server to potential attackers. By working with your network administrator, you can implement measures to ensure that only authorized users and systems can access your server.
Regularly updating software and applying security patches is crucial to maintaining the security of your server. Software updates often include bug fixes and security enhancements that can protect against known vulnerabilities and exploits. Keeping your server up to date ensures that you have the latest security measures in place.
