Protecting against SSH dictionary attacks
This article describes some common ways of avoiding falling prey to SSH dictionary attacks — repeated login attempts over SSH.
SSH dictionary attacks
A common form of abusive activity seen on the Internet is the SSH dictionary attack. Some compromised hosts constantly scan for other Internet hosts with the SSH port (22) open, and when they find one they try a very large dictionary of possible user names and passwords. If access is obtained, the attacker will likely use the compromised host for further abuse such as more SSH scanning, denial of service attacks, and hosting of illegal content.
These scans are indiscriminate; they are not targeted personally at any one person, organisation or site, they're just scanning the whole Internet or large subnets.
If your VPS gets compromised
If your gets compromised then it's possible that it will remain compromised for some time before anyone discovers this. Should it engage in abusive activity such as performing SSH dictionary attacks itself then BitFolk may detect this. The usual course of action at this point is for your network access to be disabled and for you to be contacted.
You'll then need to convince yourself and BitFolk that root access has not been obtained. If root access has been obtained (or there is reasonable doubt) then BitFolk will insist that you re-install your VPS from scratch. BitFolk will be unable to provide hosting to customers who repeatedly allow their services to become compromised.
Protecting against dictionary attacks
It is absolutely vital that all VPS customers protect against SSH dictionary attacks. In no particular order, here are some methods for doing so. Many of them can be combined.
Disable password-based authentication
Use only SSH public keys to log in to your VPS.
Advantages | Disadvantages |
---|---|
|
|
Firewall off or restrict access to port 22
Use a firewall and/or TCP Wrapper to restrict access to port 22 to only certain source addresses.
Advantages | Disadvantages |
---|---|
|
|
Restrict SSH login to only certain user names
Using the AllowUsers directive of the sshd configuration it is possible to restrict the login ability to only the stated user names.
Advantages | Disadvantages |
---|---|
|
|
Move sshd to a different port other than 22
Advantages | Disadvantages |
---|---|
|
|
Use a log scraper to firewall abusive hosts
Log scrapers like Fail2Ban or denyhosts can be configured to spot abusive activity by remote hosts, and apply firewall rules against them.
Advantages | Disadvantages |
---|---|
|
|
Use iptables (IPv4) and/or ip6tables (IPv6) to firewall abusive hosts
Firewalls can be configured to spot abusive activity by remote hosts, and apply rules or chains against them.
Some examples of firewall scripts used to thwart dictionary attacks.
Advantages | Disadvantages |
---|---|
|
|
Only use strong passwords
Advantages | Disadvantages |
---|---|
|
|
Things to avoid doing
Tales of woe from previously-compromised customers.
- "I set up a new user and gave him a user name of john, password of john, but he never changed his password despite me asking him to!"
- "I put a weak password temporarily on my mysql user just while I did some work, but then I forgot to remove it!"