Seems like a brute force SSH attack

December 5, 2014 6.3k views
leobudima
By:
leobudima

Hi all,

looking at my /var/log/auth.log, I noticed an enormous amount of failed SSH login attempts, such as:

error: Could not load host key: /etc/ssh/sshhosted25519_key
Nov 30 14:16:37 <HOSTNAME> sshd[23893]: Failed password for root from 103.41.124.32 port 44584 ssh2

The IP address changes every once in a while, but the attempts are lasting for days now, constantly.

Any suggestions as to what I might do about it?

Thanks!

5 comments
  • theMiddle December 2, 2015

    Hi,

    there's more then one way to mitigate brute force attack against ssh. Obviously the easiest solution is to block all tcp incoming connections to port 22 with iptables, and accept connections only from your static IP address. But is not always possible.

    I usually change the default ssh port (22 tcp) to another (for example 1122 tcp). This can mitigate all automatic brute force attacks by botnet, but is not enough. A user can discover the new sshd port by a simple port scan.

    For this kind of issue, you need to block dinamically each IP that fails authentication to the sshd. For doing that, i've created a bash script that can automatically drop a brute force attack with iptables (log2iptables). You can find it here: https://github.com/theMiddleBlue/log2iptables.

    A little example:

    Download the script

    cd /usr/local/bin
git clone https://github.com/theMiddleBlue/log2iptables.git

    Run log2iptables 

    cd /usr/local/bin/log2iptables
./log2iptables.sh -f /var/log/auth.log -x 1 -r 'sshd.*Failed.password.*from.([0-9\.]+)' -p 1 -l 5

    this will insert a iptables rule that drop all IPs that fail password more than 5 times. You can test it, without insert any rules, removing the -x 1 parameter. You can insert it in crontab and check your auth.log every n time, and receive a notify each time it add a new iptables rule.

    hope this help :)
    bye!

  • leobudima December 2, 2015

    Thanks a million! I've just checked after a while and the situation is the same, so yours is great solution, very helpful and thanks a lot again for your time!

  • theMiddle December 2, 2015

    i'm glad that it can be useful!
    let me know if you have suggestions ;)

    bye!

  • honolua3 April 22, 2016

    theMiddle would you mind helping me out with this? I seem to be having some trouble

  • schmorrison May 19, 2016

    Wow great solution!

    Added 65 IPs to the tables. Haven't seen a failed auth since.

Log In to Comment
2 Answers
ryanpq MOD December 5, 2014

Using fail2ban is a good step to work against this type of traffic. Fail2ban will automatically block IP addresses after a specified number of failed login attempts. You can find a tutorial on setting up fail2ban on your droplet here.

Reply
Jason2605 November 17, 2017

This seems to be a very old answer so i apologise in advance, however i assume it will still get viewed.

I have created a tool called PyFilter, which aims to filter out all of the requests that are not legitimate to your server, and blocks them if too many are sent. It works by reading log files and checking if a failed request has came from the same IP address within a user configurable amount of time and adding rules to the firewall if too many attempts have been captured, much like fail2ban.

However PyFilter has the ability of cross server ban syncing. Cross server ban syncing allows IP addresses to be banned across multiple servers if this is enabled. For example if IP address X was banned on server Y, and server Z has ban syncing enabled it will blacklist that IP even if that IP has not met the required failed attempts on that server.

PyFilter site
PyFilter github

Reply
Have another answer? Share your knowledge.