
preventing-brute-force-ssh-attacks

Created by retep. Last edited by retep, 63 days ago.
Many new VPS customers are surprised at the number of failed SSH login attempts to their servers. Just by having a listening server on the Internet, you will get dozens or even hundreds of brute force login attempts each day. Most of these attempts come from automated scripts running on other compromised machines. There are a number of things that you can do to block these attempts, or otherwise make them unsuccessful.

1- If you will always be connecting to your server from the same IP address, you can firewall off port 22 to everything EXCEPT your own IP address.

iptables -A INPUT -p tcp -d 0/0 -s YOUR.IP.GOES.HERE --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -d 0/0 --dport 22 -j DROP

Then run 'iptables-save'

Note: if you set up iptables this way, you may lose SSH access to your server if your IP address ever changes. It can also make access to your server by RimuHosting staff more difficult.

2- Run sshd on a non-standard port. Since most automated attacks only attempt to connect on port 22, this can be an effective way to hide from many attackers. To configure this, just change the Port line in /etc/ssh/sshd_config and restart ssh.

Port 1022

3- Use the AllowUsers directive in the ssh configuration to only allow certain users or IPs. In /etc/ssh/sshd_config, you can specify a list of allowed users like this:

AllowUsers bob john root@11.22.33.44 root@99.88.77.66

This will allow users 'bob' and 'john' to log in from anywhere, and root is only allowed to log in from those two IP addresses.

4- Use strong passwords! Brute force attempts will try common passwords like words (or combinations of words) in a dictionary, names, and common passwords. Strong passwords generally use a combination of upper and lower-case characters, numbers, and non-alphanumeric characters.

5- Don't use passwords at all. Instead, install your public key on the server and use it to log in. If all of your users will use public keys, you can set PasswordAuthentication to 'no'. To disable password authentication just for root, use 'PermitRootLogin without-password'. For Debian/Ubuntu, you'll also need to turn off 'UsePAM' and 'ChallengeResponseAuthentication'.

6- If you need to permit logins from arbitrary addresses, consider using a program like DenyHosts (http://denyhosts.sourceforge.net/) or Fail2ban. They watch for failed logins and add the IP addresses of attackers to /etc/hosts.deny and/or update firewall rules to null route them. DenyHosts can also be configured to synchronize with a global database so you can proactively deny hosts that other users have blacklisted.
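As an added example (not part of this howto, and not DenyHosts or Fail2ban code), here is the detection logic those tools automate: a POSIX shell script that tallies 'Failed password' lines from an OpenSSH auth log per source address and lists the addresses that reach a threshold. The log lines are constructed samples using documentation addresses; the function names are this example's own.

```shell
#!/bin/sh
# Added example: count failed SSH password attempts per source IP in an
# OpenSSH auth log, the same signal DenyHosts and Fail2ban act on before
# adding an address to /etc/hosts.deny or a firewall rule.

# Print "count ip" for every source address with at least one failed
# password attempt, most active first.
failed_login_counts() {
    logfile="$1"
    grep 'sshd\[[0-9]*\]: Failed password for' "$logfile" \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Print only the addresses whose failure count reaches the threshold;
# these are the candidates a DenyHosts/Fail2ban-style tool would block.
offenders_over() {
    logfile="$1"; threshold="$2"
    failed_login_counts "$logfile" | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Constructed sample log (RFC 5737 documentation addresses), removed on exit.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:12 vps sshd[2311]: Failed password for root from 203.0.113.5 port 51022 ssh2
Mar  3 10:01:15 vps sshd[2311]: Failed password for root from 203.0.113.5 port 51023 ssh2
Mar  3 10:01:19 vps sshd[2313]: Failed password for invalid user admin from 203.0.113.5 port 51030 ssh2
Mar  3 10:01:20 vps sshd[2315]: Failed password for invalid user test from 203.0.113.5 port 51031 ssh2
Mar  3 10:02:02 vps sshd[2320]: Accepted publickey for bob from 198.51.100.7 port 40122 ssh2
Mar  3 10:02:40 vps sshd[2322]: Failed password for bob from 198.51.100.7 port 40130 ssh2
Mar  3 10:03:11 vps sshd[2325]: Failed password for invalid user oracle from 192.0.2.44 port 60001 ssh2
Mar  3 10:03:12 vps sshd[2326]: Failed password for invalid user oracle from 192.0.2.44 port 60002 ssh2
Mar  3 10:03:13 vps sshd[2327]: Failed password for invalid user postgres from 192.0.2.44 port 60003 ssh2
EOF

echo "Failed password attempts per source IP:"
failed_login_counts "$SAMPLE_LOG"
echo "Addresses with 3 or more failures (block candidates):"
offenders_over "$SAMPLE_LOG" 3
```

On a real server, point it at /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (Red Hat family); a single failure from a legitimate user such as 'bob' above stays below the threshold.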

7- Use 'hashlimit' in 'iptables':

iptables -I INPUT -m hashlimit -m tcp -p tcp --dport 22 --hashlimit 1/min --hashlimit-mode srcip --hashlimit-name ssh -m state --state NEW -j ACCEPT

This rule limits one connection to the SSH port from one IP address per minute.

For more information, 'man iptables' and 'iptables -m hashlimit --help'.

8- Use port knocking to completely hide the port your SSH server is listening on.

If you manage to lock yourself out, you can always log in using your root password via the Console over SSH feature.
