Hackers never cease trying any possible way to take control of servers connected to Internet.
The most common attacks are maybe those directed against the web service, leveraging any known vulnerabiliy in the underlying CMS: Joomla, WordPress, Drupal,… or implementation weaknesses of the service offered (SQL injection, etc.)
Together with these, servers are also exposed to attacks against the SSH service. SSH is a secure protocol used often by system administrators to open interactive sessions to the server. It is also used by automated procedures that use the rcp, rsync, sftp or similar commands to perform backups, and other administrative tasks.
This post explains some of the safety measures that can be taken to reduce the risk of hackers breaking into the system via SSH, and reduce the (sometimes significative) load that these attacks put on the server.
1. How to detect if the SSH service is being the target of an attack
Although the SSH protocol provides a security layers by encrypting the messages that are sent through the network, hackers often direct brute force attacks that try to break the system trying to login with common usernames and all possible passwords taken from a dictionary.
The best way to verify if a server if being subject to this type of attack is by looking at the log file. On a Linux system, the ssh service access log is kept in a file /var/log/auth.log.
In the log file of our sample server, we could see that every day there are a fair number of failed connection attempts:
/var/log$ sudo grep "Invalid user" auth.log Jan 9 06:35:37 gf1 sshd: Invalid user amelie from 184.108.40.206 Jan 9 06:43:00 gf1 sshd: Invalid user admin from 220.127.116.11 Jan 9 06:57:47 gf1 sshd: Invalid user ubnt from 18.104.22.168 ...
As we can see, hackers try to connect with usernames such as “admin” or “ubnt”. Thus, the first security measure that can be taken is avoid using common, easy to guess usernames.
Being “root” the most well known username in a linux system, it is also highly advisable to configure the system to reject any attempt to log in as user root. Instead, system administrators should get used to log in as an unprivileged user, and only run commands as root (using “sudo”, or using “su” to become root) when needed.
2. Forbid direct ssh connections as user root
On a Linux system, the default configuration file for the ssh service is /etc/ssh/sshd_config.
Inside this file, the PermitRootLogin directive can be set to “no” to forbid login attempts as user “root”:
3. Change the TCP port where the ssh service listens
Other possible meaure is configuring the ssh service to listen for connections on a port other than the default port 22.
This is a measure of a type known as “safety by obfuscation”. The ssh service will not be attacked if the attacker doesn’t know which port is ssh listening to.
Security by obfuscation is a controversial safety measure, because it doesn’t really increase the security level. For instance, if the attacker is determined to break into a given site, a port scanning will reveal those ports where the server is listening. Anyways, this measure can help relieve the server from the load imposed by a large number of accesses performed by robots that only target the default ports.
The port where the sshd service will be listening for connections can be specified with the “Port” directive in the configuration file /etc/ssh/sshd_config.
Once the port has been configured and the sshd service has been restarted, the new port will have to be specified in all commands used to connect to the server via ssh.
4. Grant SSH access to some IP addresses only
There are several ways to restrict access to the server based on the source IP address and port (firewalling). Among them, the most well known are iptables and TCP wrappers.
The ufw (Uncomplicated FireWall) package, and optionally the gufw package (graphical interface to ufw) can be of great help to setup and maintain the set of firewall rules used by iptables.
5. Automatically detect brute force attacks
There are several utilities that perform a real-time analysis of the ssh access log file (/var/log/auth.log), to detect brute force attacks, and ban the offending IP addresses.
The most well known package of this type for Linux systems is probably fail2ban. fail2ban can work in combination with iptables or TCP wrappers, adding firewall rules that temporarily deny access to the server to the IP addresses where the attacks are originated.
Other utility of this type is “blockhosts”. “blockhosts” works in combination with TCP wrappers.