
Keep your SSH Server Secure

Table Of Contents :


1. Introduction

2. Securing SSH Server


Introduction


There are well-known ports on which particular services run: port 22 for SSH, ports 20/21 for FTP, port 80 for HTTP, port 443 for HTTPS, port 3306 for MySQL, and so on. An admin who keeps any of these ports open must configure the service behind it properly.

In this article we configure an SSH server so that it resists the most common attack against it, password brute forcing.

Here we will use two machines

1. Kali Linux (referred to as Kali Linux 1) // attacker machine

2. Kali Linux in VirtualBox (referred to as Kali Linux 2) // where the SSH server is running


Securing SSH Server


The IP address of Kali Linux 2 is 192.168.43.105.

We use hydra for the brute-force attack; see the “Beginners guide to bruteforce attack” for how hydra is used.


With hydra we are able to guess the correct login password. This is a serious issue: we now have the root user's password, can connect over SSH without any difficulty, and can control the system remotely. Two things made this possible: sshd accepted password logins for root, and nothing limited how many connections the attacker could open.


Stopping brute-force attacks


To stop brute-force attacks against SSH we use two methods:

1. Edit the /etc/hosts.deny file

2. Use iptables

Open /etc/hosts.deny on the Kali Linux 2 machine with any editor:

nano /etc/hosts.deny


Add the line sshd : <IP address to block>, replacing <IP address to block> with the attacker's address, and save the file. TCP wrappers read this file on every incoming connection, so no restart is strictly needed, but restarting the SSH server does no harm: sudo systemctl restart ssh

One caveat before relying on this: the file is only honoured if sshd is linked against libwrap (ldd on the sshd binary lists it). Upstream OpenSSH dropped TCP-wrapper support in version 6.7, so on many current builds /etc/hosts.deny is silently ignored, and a firewall rule is the portable way to block the same address.

Now go back to Kali Linux 1 and run the same brute-force attack as at the start of this article.


This time the attack cannot even open a connection. This is the first way to stop a brute-force attack against an SSH server, but it only blocks addresses you have already identified (for instance from the Failed password lines in the auth log), so it is a reactive measure.
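Before an address can go into /etc/hosts.deny you need to know which addresses are attacking. The following is an added example, not part of the original article: a POSIX shell helper that counts Failed password lines per source address in syslog-style sshd log lines (/var/log/auth.log on Kali) and prints ready-to-paste hosts.deny entries for every source at or above a threshold. The log lines, the attacker address 192.168.43.101 and the threshold of three are constructed for the demo.

```shell
#!/bin/sh
# Hypothetical helper (not from the original article): count failed SSH logins per
# source address in syslog-style sshd lines and list the sources worth blocking.

# ssh_offenders THRESHOLD < auth.log
# Prints "IP COUNT" for every source with at least THRESHOLD failed password
# attempts, highest count first. Accepted logins are not counted.
ssh_offenders() {
  threshold="${1:-3}"
  awk -v min="$threshold" '
    /sshd\[[0-9]+\]: Failed password for / {
      # the source address is the field after the word "from"
      for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
    }
    END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }
  ' | sort -k2,2nr -k1,1
}

# hosts_deny_lines THRESHOLD < auth.log
# Same input; prints ready-to-paste /etc/hosts.deny entries.
hosts_deny_lines() {
  ssh_offenders "$1" | awk '{ print "sshd : " $1 }'
}

# Constructed sample log (not real captured data): one noisy source, one user who
# mistyped a password once and then logged in. 192.168.43.101 plays the attacker.
SAMPLE_LOG='Apr  3 10:21:07 kali sshd[1234]: Failed password for root from 192.168.43.101 port 50342 ssh2
Apr  3 10:21:08 kali sshd[1234]: Failed password for root from 192.168.43.101 port 50342 ssh2
Apr  3 10:21:09 kali sshd[1237]: Failed password for invalid user admin from 192.168.43.101 port 50350 ssh2
Apr  3 10:21:09 kali sshd[1240]: Failed password for root from 192.168.43.101 port 50351 ssh2
Apr  3 10:21:10 kali sshd[1241]: Failed password for invalid user test from 192.168.43.101 port 50352 ssh2
Apr  3 10:22:30 kali sshd[1250]: Failed password for kali from 192.168.43.77 port 41000 ssh2
Apr  3 10:22:35 kali sshd[1250]: Accepted password for kali from 192.168.43.77 port 41000 ssh2'

# demo: which lines would go into /etc/hosts.deny with a threshold of 3
demo() {
  printf '%s\n' "$SAMPLE_LOG" | hosts_deny_lines 3
}
```

Run it against the live log with ssh_offenders 10 < /var/log/auth.log; where sshd logs to the journal instead, journalctl -u ssh --no-pager | ssh_offenders 10 works the same way (unit name ssh as on Kali/Debian). Pick the threshold above what a clumsy legitimate user produces, and remember that a single hit from a source that also has an Accepted line is not an attack.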


The second method uses iptables:


Here the admin writes chain rules that count new SSH connections per source address; a source that exceeds the permitted number within the time window is rejected for the rest of that window. Note that it is the source IP that is blocked, not the user account.

Type the commands below to set the iptables chain rules for the lockout:

  1. iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource

  2. iptables -A INPUT -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 30 --hitcount 4 --rttl --name SSH --rsource -j REJECT --reject-with tcp-reset

  3. iptables -A INPUT -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 30 --hitcount 3 --rttl --name SSH --rsource -j LOG --log-prefix "SSH brute force "

  4. iptables -A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 30 --hitcount 3 --rttl --name SSH --rsource -j REJECT --reject-with tcp-reset

  5. iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

  • The first rule tells the system: TCP packets will arrive that attempt to open a new SSH connection. Record their source address in a list named SSH.

  • The second rule says: if a packet comes from a source that has already opened four or more new SSH connections (this one included) in the last thirty seconds, reject it with a TCP reset and stop processing.

  • The third and fourth rules say: if a packet comes from a source that has opened three new SSH connections in thirty seconds, log it once, then reject it; because the fourth rule uses --update, the source's timestamp is refreshed as well.

  • The fifth rule says: any SSH packet not stopped so far, accept.

There is no network interface in these rules; adjust --dport if sshd listens elsewhere, and tune --hitcount and --seconds to your needs. Keep the second rule's hitcount one higher than the ones following it: it catches every attempt beyond the logged one before that packet reaches the LOG rule, so a brute-force run produces one log line instead of thousands. The rules must also sit before any existing rule that accepts port 22, and they are lost on reboot unless saved (for example with iptables-save, or the netfilter-persistent package on Debian-based systems).

Now go to Kali Linux 1 and run the brute-force attack again.

This time hydra does not find the password: after two new connections within 30 seconds, every further connection from that source is reset. Every rejected attempt still adds a timestamp to the list, so the block lasts as long as the attacker keeps hammering and expires 30 seconds after they stop; raise --seconds if you want a longer lockout. Also remember that these rules count TCP connections, not login failures: one SSH connection allows up to MaxAuthTries password guesses (6 by default), so lower that value in sshd_config as well.
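The five commands above are easy to mistype and have to be re-entered with the right port and thresholds on every host. As an added example that is not part of the original article, the script below wraps them in a function that takes the port, the window and the number of new connections a source may open, keeps the one-higher hitcount on the early REJECT rule so an offender produces a single log line, and only appends a rule if iptables -C reports it is not already present. The log prefix SSH-brute-force: (no spaces) is an assumption chosen to avoid quoting inside the shell; everything else mirrors the rules above.

```shell
#!/bin/sh
# Hypothetical wrapper (not from the original article) around the rate-limit rules
# above. It parameterises port, window and allowed connections, keeps the
# reject-one-hit-early ordering so an offender produces exactly one log line, and
# checks with "iptables -C" before appending so re-running it never duplicates rules.
# Applying needs root and the xt_recent module; with DRY_RUN=1 set it only prints.

# ssh_ratelimit_rules PORT SECONDS ALLOWED
# Prints the rule bodies, one per line, in the order they must be appended to INPUT.
# A source may open ALLOWED new connections per SECONDS; the next one is logged and
# reset, everything after that is reset silently.
ssh_ratelimit_rules() {
  port="$1"; secs="$2"; allowed="$3"
  hit=$((allowed + 1))      # the attempt that is logged and rejected
  ahead=$((allowed + 2))    # later attempts: rejected before they reach the LOG rule
  cat <<EOF
-p tcp -m tcp --dport $port -m state --state NEW -m recent --set --name SSH --rsource
-p tcp -m tcp --dport $port -m recent --rcheck --seconds $secs --hitcount $ahead --rttl --name SSH --rsource -j REJECT --reject-with tcp-reset
-p tcp -m tcp --dport $port -m recent --rcheck --seconds $secs --hitcount $hit --rttl --name SSH --rsource -j LOG --log-prefix SSH-brute-force:
-p tcp -m tcp --dport $port -m recent --update --seconds $secs --hitcount $hit --rttl --name SSH --rsource -j REJECT --reject-with tcp-reset
-p tcp -m tcp --dport $port -j ACCEPT
EOF
}

# apply_ssh_ratelimit PORT SECONDS ALLOWED
# Appends each rule unless an identical one already exists (idempotent).
apply_ssh_ratelimit() {
  ssh_ratelimit_rules "$@" | while IFS= read -r rule; do
    # $rule is split into words on purpose: it is a list of iptables arguments
    if [ -n "${DRY_RUN:-}" ]; then
      echo "iptables -A INPUT $rule"
    elif ! iptables -C INPUT $rule 2>/dev/null; then   # -C: does this exact rule exist?
      iptables -A INPUT $rule
    fi
  done
}

# Example: sshd on 2222, at most 2 new connections per 10 minutes per source.
# Persist afterwards with: iptables-save > /etc/iptables/rules.v4 (iptables-persistent)
#   DRY_RUN=1 apply_ssh_ratelimit 2222 600 2
```

Run it once with DRY_RUN=1 to review the exact commands, then as root without it. If the INPUT chain already contains a plain ACCEPT for the SSH port, these rules will never be reached; delete that rule first or insert the new ones ahead of it with -I instead of -A.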


Other Security methods for SSH :

  • Open /etc/ssh/sshd_config on the machine running the SSH server, find the line Port 22 (on a default install it is commented out as #Port 22) and change it to Port 222 so that sshd listens on port 222 instead.


Save the file and restart the server with the command used earlier. To check whether sshd is now running on the chosen port, run from Kali Linux 1:

nmap -sV 192.168.43.105

The scan now reports ssh on 222/tcp. hydra targets port 22 unless told otherwise with -s, so an attacker first has to find out whether SSH is on port 22 or somewhere else. Treat this as a speed bump only: a version scan over all ports (nmap -sV -p-) reveals the new port in seconds.

  • Prevent banner grabbing

The version string that sshd announces (the SSH-2.0-OpenSSH_... line) tells an attacker which release is running, so if the admin is on an old version with known exploits, grabbing the banner is the first step towards exploiting the server. A caveat a practitioner should know: that version exchange is required by the SSH protocol, so OpenSSH cannot hide its version number. What you can reduce is the extra information around it: on Debian-based systems (Kali included) DebianBanner no in sshd_config removes the distribution suffix, and the Banner directive controls only the text shown before login. The real protection against version-based attacks is keeping sshd patched.
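The sshd_config changes in this section are easier to verify than to remember, and it pays to check more than the port. As an added example that is not from the original article, the helper below reads an sshd_config and reports settings that make password brute forcing easy; it goes beyond the port change the article makes by also checking PermitRootLogin, PasswordAuthentication and MaxAuthTries, and it demonstrates sshd's first-occurrence-wins rule, which bites admins who append a fix at the end of the file. The two config texts are constructed for the demo, the findings text is the helper's own, and the defaults it assumes are those of current OpenSSH; sshd -T remains the authoritative view of the effective configuration.

```shell
#!/bin/sh
# Hypothetical audit helper (not from the original article): read an sshd_config and
# flag settings that make password brute forcing easy. It follows sshd's own parsing
# rules (keywords are case-insensitive, the first occurrence of a keyword wins) and
# stops at the first Match block, whose settings are conditional. Assumed defaults
# (current OpenSSH): Port 22, PermitRootLogin prohibit-password,
# PasswordAuthentication yes, MaxAuthTries 6.

# sshd_weak_settings FILE -> one line per finding, nothing if every check passes
sshd_weak_settings() {
  awk '
    function val(k, d) { return (k in cfg) ? cfg[k] : d }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # comments and blank lines
    { key = tolower($1) }
    key == "match" { exit }                            # conditional block: stop here
    !(key in cfg) { cfg[key] = tolower($2) }           # first occurrence wins, as in sshd
    END {
      if (val("port", "22") == "22")
        print "Port 22: default port, the first thing hydra and mass scanners try"
      if (val("permitrootlogin", "prohibit-password") == "yes")
        print "PermitRootLogin yes: the root password itself can be brute forced"
      if (val("passwordauthentication", "yes") == "yes")
        print "PasswordAuthentication yes: password guessing is possible at all"
      if (val("maxauthtries", "6") + 0 > 3)
        print "MaxAuthTries " val("maxauthtries", "6") ": several guesses per TCP connection"
    }
  ' "$1"
}

# audit_config TEXT -> runs the check on an inline config (written to a temp file)
audit_config() {
  tmp="$(mktemp)"
  printf '%s\n' "$1" > "$tmp"
  sshd_weak_settings "$tmp"
  rm -f "$tmp"
}

# Constructed configs, not copied from any real host. The weak one shows a classic
# mistake: "PermitRootLogin no" appended at the end is ignored because an earlier
# line already set the keyword.
WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
X11Forwarding yes
PermitRootLogin no'

HARDENED_CONFIG='Port 222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 20
Banner none'
```

On a real host run sshd_weak_settings /etc/ssh/sshd_config, and compare with sshd -T, which prints the effective values after all includes and Match blocks are resolved. Turning PasswordAuthentication off and using keys removes the brute-force problem at the root; the port change and the rate limiting above then only reduce noise in the logs.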