Joys of Administration: Blocking SSH brute force
There are some excellent articles out there on how to keep your servers from allowing brute force tactics. Brute forcing an SSH server is fairly simple: set up a bot to try a dictionary's worth of passwords against some common usernames. My logs were filled with these attempts.
Aside from obvious password policy rules there are some other nifty ideas to limit the damage here. I don’t think anyone will succeed in brute forcing the passwords I choose, but I’m still not set up to use certificates for authentication. That is perhaps the best way to defeat this type of brute force attack, of course.
The article I’ve listed shows a method of using iptables to limit the number of incoming connection attempts for the SSH protocol.
The two rules below record each new connection to port 22 (the default sshd port) by source address; if the hit count for a source exceeds 10 new connections in one minute, further new connections from that IP are dropped.
# Record every new TCP connection to port 22 in the "recent" list, keyed by source address
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
# Inserted (-I) after the rule above, so it sits first in INPUT: drop the 11th and later
# new connections from a source seen within the last 60 seconds (an unknown source falls through to --set)
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 11 -j DROP
To tweak these settings you can adjust the --hitcount parameter (how many connections are allowed) and the --seconds parameter (the length of the window).
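The same sliding-window test the rule applies (--seconds 60, --hitcount 11) can be run offline over sshd log lines to see which sources would have been blocked. This is an added example, not code from the original post or from iptables; the log lines are constructed, the year is assumed (syslog omits it), and it counts failed logins rather than new connections.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches sshd "Failed password" lines in syslog-style auth.log format.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

def failed_logins(log_text, year=2024):
    """Yield (timestamp, source_ip) per failed password attempt; year is assumed."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def offenders(log_text, seconds=60, hitcount=11):
    """Return {ip: time_first_flagged} for sources with >= hitcount failures inside
    a sliding window of `seconds`, mirroring --seconds/--hitcount in the iptables rule."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for ts, ip in failed_logins(log_text):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= timedelta(seconds=seconds):
            q.popleft()           # expire hits older than the window
        if len(q) >= hitcount and ip not in flagged:
            flagged[ip] = ts
    return flagged

def _line(ts, ip, msg="Failed password for invalid user admin"):
    """Constructed sample log line in sshd's format (not a real capture)."""
    return f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S} bastion sshd[4242]: {msg} from {ip} port 40000 ssh2"

T0 = datetime(2024, 3, 3, 10, 0, 0)
# 198.51.100.7: 11 failures within 20 seconds -> crosses the threshold.
# 203.0.113.9: 11 failures 15 seconds apart -> never more than 4 inside one minute.
SAMPLE_LOG = "\n".join(sorted(
    [_line(T0 + timedelta(seconds=2 * i), "198.51.100.7") for i in range(11)]
    + [_line(T0 + timedelta(seconds=15 * i), "203.0.113.9") for i in range(11)]
    + [_line(T0, "192.0.2.4", "Accepted publickey for ops")]   # ignored: not a failure
))

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"{ip} exceeded 10 failures in a minute at {when:%H:%M:%S}")
```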
This is not bulletproof. If the attacker has a bot army, each zombie can send one or two password attempts and then shift IP, let the next bot try three and four, then shift again, and so on, staying under the hit count.
That’s a fairly complicated attack, and if someone is that organized and attacking you, trouble is coming regardless. Again, the best things to do would be:
1) use cert authentication only
2) add your IPs to ssh.allow