Keep your SSH Server Secure
Table Of Contents :
2. Securing SSH Server
As we know that there are some well known ports that run different services on them.like port 22 for SSH ,port 20/21 for FTP,port 80 for HTTP ,port 443 for HTTPS ,port 3306 for mysql etc... If admin keeps these ports open then they must secure it by configuring them properly.
So in this article we will configure SSH Server properly so that we can secure them from different attacks!
Here we will use two machines
1. Kali Linux (name as 1) // Attacker machine
2. Kali Linux on virtual box(name as 2) // where SSH Server is running
Securing SSH Server
IP of Kali Linux 2 is 192.168.43.105.
So here we will use hydra for bruteforce attack. Please see the “Beginners guide to bruteforce attack” to use hydra
With the help of hydra we are able to guess the right login password . So this is a big issue, because now we have root user’s password and we can connect to SSH very easily and can control a system remotely
Stopping Bruteforce attack
To stop bruteforce attack against SSH we are going to use two methods
1. Edit /etc/hosts.deny file
2. Using IP tables
Open /etc/hosts.deny file in Kali Linux 2 machine ,you can use any editor .
Add the line sshd : IP Address to block
And save the file ,now restart the SSH Server by using the command sudo systemctl restart ssh
Now open your kali linux 1 machine and try to bruteforce as we have done in the starting of this article.
Now this time we can’t perform bruteforce attack!This is the first way to stop bruteforce attack against SSH Server.
Now 2nd method is by using the IP table:
Here admin can set iptable chain rules for a certain number of login attempts and if user crossed the defined number then the account will get locked for some time period as specified by admin
Type the given below command to set iptable chain rule for account lockout:
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
iptables -A INPUT -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 30 --hitcount 4 --rttl --name SSH --rsource -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 30 --hitcount 3 --rttl --name SSH --rsource -j LOG --log-prefix "SSH brute force "
iptables -A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 30 --hitcount 3 --rttl --name SSH --rsource -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
The first rule tells the system:TCP packets are going to come in, that will attempt to establish an SSH connection. Mark them as SSH. Pay attention to the source of the packet.
The second rule says: If a packet attempting to establish an SSH connection comes, and it's the fourth packet to come from the same source in thirty seconds, just reject it with prejudice and stop thinking about it.
The third and fourth rules mean: If an SSH connection packet comes in, and it's the third attempt from the same guy in thirty seconds, log it to the system log once, then immediately reject it and forget about it.
The fifth rule says: Any SSH packet not stopped so far, just accept it.
Please change the interface according to your setup and adjust hitconts and no. of seconds according to your need and remember that the second rule has a hitcount that is one higher than the ones following it -- this is a precaution to stop the packet from continuing down the chain of rules, so brute forcing won't spam your logs.
Now open your Kali Linux 1 machine to perform bruteforce attack.
As we can see that this time we are not able to find login password using bruteforce attack and it has prevented by stopping brute force after 2 attempts but will get activated after 30 seconds therefore admin should be locked the account for a long period of time.
Other Security methods for SSH :
Open /etc/ssh/sshd_config file in your machine where SSH Server is running and and find the line that says Port 22 and change it to Port 222 to redirect SSH to port number 222.
Save the file and restart the server by using the command that we have used earlier . Now to check if SSH Server is running on the defined port or not run the command
nmap -sV 192.168.43.105 as we can see now ssh is running on port 222 and by default hydra attacks on port 22 so now attacker has to think for sometime if the SSH is on port 22 or it is running on some different port.
Prevent Banner grabbing
This is the most important thing to do because there are chances that admin is using some older version of SSH Server with known exploits so attacker will take help of banner grabbing to know the version and will take further steps accordingly to exploit the server.