VPS prevents SSH Brute Force Login Attempts

Source: Internet
Author: User
Tags: ssh port vps server

Previously I wrote about blocking the scanners that probe the web server, which is front-end defense. Later Felix posted on his blog that he had to ban IP addresses that had failed to log in to SSH many times, which reminded me to look at my own log. I did not expect to find the backyard on fire.

View the log file:

$ sudo cat /var/log/auth.log

I did not expect the screen to fill with lines like these:

Failed password for root from 123.15.36.218 port 51252 ssh2
Reverse mapping checking getaddrinfo for pc0.zz.ha.cn [218.28.79.228] failed - POSSIBLE BREAK-IN ATTEMPT!
Invalid user akkermans from 218.28.79.228
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.28.79.228

Count how many hosts are trying to crack my root password (field 11 of each line is the source address):

$ sudo grep "Failed password for root" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -nr | more
 
470 222.122.52.150
411 123.15.36.218
139 177.8.168.48
20 74.81.83.226
18 77.108.112.131
2 95.58.20.62
1 218.28.79.228
1 188.13.03.154
Of course I had already disabled root login, and the attackers are not that stupid either: they also guess user names.

$ sudo grep "Failed password for invalid user" /var/log/auth.log | awk '{print $13}' | sort | uniq -c | sort -nr | more
 
3190 218.28.79.228
646 222.122.52.150
172 123.15.36.218
65 177.8.168.48
4 222.76.211.149
One host alone tried more than 3000 times. Is the lovelucy blog really worth that much? To stop this, a few configuration changes make the VPS considerably more secure.

1. Change the SSH port and disable root login.
Edit the /etc/ssh/sshd_config file (sshd does not accept trailing comments on a directive line, so the comments go on their own lines):

$ sudo vi /etc/ssh/sshd_config
# a port number that others will not guess (open it in the firewall before restarting sshd)
Port 4484
PermitRootLogin no
 
$ sudo /etc/init.d/ssh restart
2. Disable password login and use an RSA key pair instead.
Amazon EC2 servers only allow login with the private key, but when I want to reach SSH temporarily from another computer that does not have the private key file, that is very inconvenient, so I manually enabled password authentication. In any case, I list this item first.

# Generate a key pair on the client
$ ssh-keygen -t rsa
# Copy the public key to the server
$ ssh-copy-id -i ~/.ssh/id_rsa.pub server
# Or copy ~/.ssh/id_rsa.pub manually into the .ssh directory of the server user; remember to fix the permissions.
# $ scp ~/.ssh/id_rsa.pub server:~/.ssh/
# On the server (if authorized_keys already exists, append with "cat id_rsa.pub >> authorized_keys" instead of mv)
$ cd ~/.ssh/
$ mv id_rsa.pub authorized_keys
$ chmod 400 authorized_keys
$ vi /etc/ssh/sshd_config
# RSA authentication (SSH protocol 1 only; OpenSSH 7.4 and later ignore it with a deprecation warning)
RSAAuthentication yes
# enable public key authentication
PubkeyAuthentication yes
# path of the authorized keys file
AuthorizedKeysFile .ssh/authorized_keys
# forbid password authentication
PasswordAuthentication no
# forbid empty passwords
PermitEmptyPasswords no
# disable PAM
UsePAM no
 
# Save and restart
$ sudo /etc/init.d/ssh restart
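The sshd_config edits from steps 1 and 2, as an added example (not from the original post): a small POSIX shell helper that sets each directive idempotently and lets you read back the value sshd will actually use. The file path, the hypothetical function names and the sample config contents are assumptions; the port 4484 is the one chosen above.

```shell
#!/bin/sh
# set_sshd_option FILE KEY VALUE
# sshd uses the FIRST value it reads for a keyword, so the directive is placed at
# the top of the file and every other active or commented copy of it is dropped.
# Running it twice therefore leaves exactly one line for the key.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    printf '%s %s\n' "$key" "$value" > "$tmp"
    # -i: sshd keywords are case-insensitive; "|| :" keeps set -e happy if nothing remains
    grep -viE "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file" >> "$tmp" || :
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# harden_sshd_config FILE [PORT]: the settings from steps 1 and 2 above.
# UsePAM and RSAAuthentication are left untouched on purpose.
harden_sshd_config() {
    cfg=$1; port=${2:-4484}
    set_sshd_option "$cfg" Port "$port"
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" PubkeyAuthentication yes
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" PermitEmptyPasswords no
}

# sshd_option FILE KEY: print the value sshd would use (first active match).
sshd_option() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == k { print $2; exit }' "$1"
}

# On a real host, back up first, keep your current session open, and let
# "sshd -t" validate the file before restarting:
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   harden_sshd_config /etc/ssh/sshd_config 4484
#   sshd -t && /etc/init.d/ssh restart
# Demo on a constructed copy of a stock-looking config instead:
demo_harden() {
    cfg=$(mktemp)
    printf '#Port 22\n#PermitRootLogin prohibit-password\nPasswordAuthentication yes\nUsePAM yes\n' > "$cfg"
    harden_sshd_config "$cfg"
    harden_sshd_config "$cfg"   # second run must not duplicate any directive
    cat "$cfg"
    rm -f "$cfg"
}
demo_harden
```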
3. Install DenyHosts
This method saves the most time and effort. DenyHosts is a program written in Python that analyses the sshd log file and, whenever it finds repeated login failures from an address, writes that address into /etc/hosts.deny, so offending IPs are blocked automatically. It is the same idea as the automatic blocking of scanning scripts I introduced earlier; adding entries by hand would wear you out. Today DenyHosts is in the package repositories of most distributions, needs little configuration, and is easy to use.

Install:

# Debian/Ubuntu:
$ sudo apt-get install denyhosts
 
# RedHat/CentOS
$ yum install denyhosts
 
# Archlinux
$ yaourt denyhosts
 
# Gentoo
$ emerge -av denyhosts
The default configuration works well. To customize it, edit /etc/denyhosts.conf.

$ vi /etc/denyhosts.conf
# the sshd log file that DenyHosts analyses
SECURE_LOG = /var/log/auth.log
# the file that controls which hosts may connect
HOSTS_DENY = /etc/hosts.deny
# how long a ban lasts before the entry is purged; leave empty to never lift bans
PURGE_DENY =
# the service to block; add further services separated by commas
BLOCK_SERVICE = sshd
# number of failures allowed for non-existent user names
DENY_THRESHOLD_INVALID = 5
# number of failures allowed for existing (non-root) users
DENY_THRESHOLD_VALID = 10
# number of failures allowed for root
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
# working directory
WORK_DIR = /var/lib/denyhosts
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS = YES
# whether to reverse-resolve offending addresses to host names
HOSTNAME_LOOKUP = YES
# PID file of the daemon
LOCK_FILE = /var/run/denyhosts.pid
# administrator address to which reports are mailed
ADMIN_EMAIL = root@localhost
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report
# time after which a user's failure count is reset to 0
# (h = hours, d = days, w = weeks, m = months, y = years)
AGE_RESET_VALID = 5d
AGE_RESET_ROOT = 25d
AGE_RESET_RESTRICTED = 25d
AGE_RESET_INVALID = 10d
# reset an address's failure count to 0 once it logs in successfully
RESET_ON_SUCCESS = yes
# DenyHosts' own log file
DAEMON_LOG = /var/log/denyhosts
# how often the log file is re-read in daemon mode
DAEMON_SLEEP = 30s
# how often entries older than PURGE_DENY are purged from HOSTS_DENY in daemon mode;
# this also bounds the precision of PURGE_DENY
DAEMON_PURGE = 1h
Checking my /etc/hosts.deny file, I find that there are already eight records in it.

$ sudo cat /etc/hosts.deny | wc -l
8
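The counting done by the two grep/awk one-liners earlier and the DENY_THRESHOLD_* logic of the configuration above, as one added example (not from the original post and not DenyHosts' own code): the log lines are a constructed sample, the function names are hypothetical, and the rule that a host is denied once its count reaches a threshold is an assumption about how DenyHosts compares counts.

```shell
#!/bin/sh
# failed_logins_by_ip: read auth.log lines on stdin and print "IP root valid invalid"
# per source address. The address is the word after "from", so both line shapes
# above are handled without hard-coding the awk field numbers ($11 / $13).
failed_logins_by_ip() {
    awk '
      /sshd\[[0-9]+\]: Failed password for / {
          ip = ""
          for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
          if (ip == "") next
          if ($0 ~ /Failed password for invalid user /) inv[ip]++
          else if ($0 ~ /Failed password for root from /) root[ip]++
          else valid[ip]++
          seen[ip] = 1
      }
      END { for (ip in seen) printf "%s %d %d %d\n", ip, root[ip]+0, valid[ip]+0, inv[ip]+0 }
    ' | sort
}

# would_deny ROOT_T VALID_T INVALID_T: apply the DENY_THRESHOLD_* values to those
# counts and print hosts.deny-style "sshd: IP" lines for every host at or over any
# threshold. Assumption: reaching the threshold triggers the block.
would_deny() {
    awk -v rt="$1" -v vt="$2" -v it="$3" \
        '$2 >= rt || $3 >= vt || $4 >= it { print "sshd: " $1 }'
}

# Constructed sample (not real log data): five invalid-user guesses from one host,
# one root attempt from another, and two failures for an existing user "deploy".
sample_log() {
    for u in akkermans oracle test admin guest; do
        echo "Jan  3 10:00:01 vps sshd[2001]: Failed password for invalid user $u from 218.28.79.228 port 40001 ssh2"
    done
    echo "Jan  3 10:00:02 vps sshd[2002]: Failed password for root from 123.15.36.218 port 51252 ssh2"
    echo "Jan  3 10:00:03 vps sshd[2003]: Failed password for deploy from 10.0.0.5 port 40002 ssh2"
    echo "Jan  3 10:00:04 vps sshd[2003]: Failed password for deploy from 10.0.0.5 port 40002 ssh2"
}

# Thresholds as in the denyhosts.conf above: root 1, existing users 10, invalid 5.
# On a real host: sudo cat /var/log/auth.log | failed_logins_by_ip | would_deny 1 10 5
demo_deny() {
    sample_log | failed_logins_by_ip | would_deny 1 10 5
}
demo_deny
```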
