When running a server, SSH is one of the services nearly instantly gets checked out by bad guys. After only a couple of hours of going live with your server, you might already notice someone trying to login with passwords from a dictionary. There are some things you can do to reduce these hacking attempts to your SSH server.
Change the listening port
One of them is to move the ssh server to a different port. As soon as ssh is not listening any more to the default port, the number of hacking attempts should reduce a lot. To change the default SSH server port, see Change SSH port in CentOS with SELinux.
Only allow certain users
Another precaution is to limit the group of users that is allowed to login to only what is necessary. It is good practice to prevent any user that is not absolutely necessary from logging in via ssh. The ssh daemon provides configuration to only allow logins from users that are a member of a specific group.
I suggest to not reuse any other group but create a new empty group just for the purpose of limiting the access to ssh:
groupadd ssh_login_group
With this new group created, the users who need to access the server via ssh need to be added to this group:
usermod username -a -G ssh_login_group
With the users added to the group, the ssh daemon needs to be configured. Open the config file /etc/ssh/sshd_config with your favourite editor and add these lines:
PermitRootLogin no AllowGroups ssh_login_group
Before continuing, the following tip is just a precaution in case something went wrong. SSH will not kick you out of an open ssh session even when restarted. I suggest after restarting the ssh server to stay connected with the current session and test the new configuration with a second console. This way you can avoid accidentally locking yourself out.
Restart the ssh server now and test in a second console that a user in the ssh_login_group is still allowed to login, and a user like root is now not allowed to login.
Block suspicious behaviour
When someone tries to hack into SSH they often show a specific behaviour. Most likely the hacker will try to login with different passwords to find the correct one. Those failed login attempts get logged in the “/var/log/secure” logfile.
Sep 3 20:02:26 hostname sshd[19432]: Failed password for gsteinbeis from 123.123.123.123 port 61207 ssh2
There are tools that pick up those lines and when they apear mutliple times from the same IP address, the IP gets blocked. One of those tools is called fail2ban.
On CentOS fail2ban is part of the rpmforge repository. Instructions to add the repository can be found at the CentOS wiki. Use yum to install fail2ban:
yum install fail2ban
After installing fail2ban, all so-called jails are disabled and fail2ban is of course not started. First the ssh-iptables rule needs to be enabled in the “/etc/fail2ban/jail.conf” configuration file. Here is how the configuration might look after enabling it. If you have chosen to use a different port then 22, just replace the port in the action:
[ssh-iptables] enabled = true filter = sshd action = iptables-multiport[name=SSH, port="22,1234", protocol=tcp] sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com] logpath = /var/log/secure maxretry = 5 bantime = 3600
If you have just one port for ssh, use the action “iptables” instead of “iptables-multiport” and define the ports as port=22.
Now that it is configured, fail2ban needs to be started:
/etc/init.d/fail2ban start
I would suggest that you test by connecting from another server or client and deliberately enter an incorrect password. As it is configured above, after the fifth failed login attempt, the IP address will be blocked. The time span in which the 5 attempts are counted can be configured with the “findtime” setting and the time the IP will be banned is defined by the “bantime” setting in the “[ssh-iptables]” section inside the “/etc/fail2ban/jail.conf”. In the “/etc/fail2ban/jail.conf”, you also have a default value for ‘bantime’ value if you do not specify it inside the separate section:
bantime = 600 findtime = 600
In the example, when the 5 failed login attempts are found within 600 seconds (10 minutes) it will then block the IP for 3600 seconds (1 hour).
Read more of my posts on my blog at http://blog.tinned-software.net/.
