How to stop ssh being hammered by script kiddies

If you ever look at your server logs you will see hundreds (if not thousands) of attempts by script kiddies trying to log in over ssh. On my main Linux server I get around 200 attempts a day. Below is part of a typical day's pounding.

Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Sep 12 11:06:14 226 portsentry[2618]: attackalert: TCP SYN/Normal scan from host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 to TCP port: 22
Sep 12 11:06:14 226 portsentry[2618]: attackalert: Host 64.183.196.194 has been blocked via wrappers with string: "ALL: 64.183.196.194"
Sep 12 11:06:14 226 portsentry[2618]: attackalert: TCP SYN/Normal scan from host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 to TCP port: 22
Sep 12 11:06:14 226 portsentry[2618]: attackalert: Host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 is already blocked Ignoring
Sep 12 11:06:14 226 portsentry[2618]: attackalert: TCP SYN/Normal scan from host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 to TCP port: 22
Sep 12 11:06:14 226 portsentry[2618]: attackalert: Host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 is already blocked Ignoring
Sep 12 11:06:15 226 portsentry[2618]: attackalert: TCP SYN/Normal scan from host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 to TCP port: 22
Sep 12 11:06:15 226 portsentry[2618]: attackalert: Host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 is already blocked Ignoring
Sep 12 11:06:15 226 portsentry[2618]: attackalert: TCP SYN/Normal scan from host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 to TCP port: 22
Sep 12 11:06:15 226 portsentry[2618]: attackalert: Host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 is already blocked Ignoring
Sep 12 11:06:15 226 portsentry[2618]: attackalert: TCP SYN/Normal scan from host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 to TCP port: 22
Sep 12 11:06:15 226 portsentry[2618]: attackalert: Host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 is already blocked Ignoring
Sep 12 11:06:15 226 portsentry[2618]: attackalert: TCP SYN/Normal scan from host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 to TCP port: 22
Sep 12 11:06:15 226 portsentry[2618]: attackalert: Host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 is already blocked Ignoring
Sep 12 11:06:15 226 portsentry[2618]: attackalert: TCP SYN/Normal scan from host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 to TCP port: 22
Sep 12 11:06:15 226 portsentry[2618]: attackalert: Host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 is already blocked Ignoring
Sep 12 12:10:30 226 portsentry[2618]: attackalert: TCP SYN/Normal scan from host: dsl-TN-static-140.246.22.125.airtelbroadband.in/125.22.246.140 to TCP port: 22
Sep 12 12:10:30 226 portsentry[2618]: attackalert: Host 125.22.246.140 has been blocked via wrappers with string: "ALL: 125.22.246.140"
Sep 12 12:10:30 226 portsentry[2618]: attackalert: TCP SYN/Normal scan from host: dsl-TN-static-140.246.22.125.airtelbroadband.in/125.22.246.140 to TCP port: 22
Sep 12 12:10:30 226 portsentry[2618]: attackalert: Host: dsl-TN-static-140.246.22.125.airtelbroadband.in/125.22.246.140 is already blocked Ignoring
Sep 12 12:10:30 226 portsentry[2618]: attackalert: TCP SYN/Normal scan from host: dsl-TN-static-140.246.22.125.airtelbroadband.in/125.22.246.140 to TCP port: 22
Sep 12 12:10:30 226 portsentry[2618]: attackalert: Host: dsl-TN-static-140.246.22.125.airtelbroadband.in/125.22.246.140 is already blocked Ignoring
Sep 12 16:04:44 226 portsentry[2618]: attackalert: TCP SYN/Normal scan from host: 82.138.34.109/82.138.34.109 to TCP port: 22
Sep 12 16:04:44 226 portsentry[2618]: attackalert: Host 82.138.34.109 has been blocked via wrappers with string: "ALL: 82.138.34.109"

As you can see, the kiddies are trying to connect to ssh on port 22. One of the simplest things you can do to cut this noise is to move sshd off the default port 22 and close port 22 (while you are at it, you might as well close the telnet port 23, and remove the telnet daemon if it is still installed). Be clear about what this buys you: the scanners filling your logs are looking for port 22 specifically, so moving the port gets you off their lists; it does nothing against an attacker who port-scans your host, and it is no defence for weak passwords.
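Before changing anything it is worth knowing who is actually doing the hammering. The script below is an added example, not part of the original post: it tallies portsentry's "scan from host" lines by source address and turns the worst offenders into TCP-wrappers deny lines of the same form portsentry writes. SAMPLE_LOG is a constructed excerpt in the format of the log above; the /var/log/messages path in the comment is an assumption.

```sh
#!/bin/sh
# Added example, not from the original post: tally portsentry "attackalert"
# scan lines by source address and turn the worst offenders into TCP-wrappers
# deny lines. SAMPLE_LOG is a constructed excerpt in the format shown above.

SAMPLE_LOG='Sep 12 11:06:14 226 portsentry[2618]: attackalert: TCP SYN/Normal scan from host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 to TCP port: 22
Sep 12 11:06:14 226 portsentry[2618]: attackalert: Host 64.183.196.194 has been blocked via wrappers with string: "ALL: 64.183.196.194"
Sep 12 11:06:14 226 portsentry[2618]: attackalert: TCP SYN/Normal scan from host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 to TCP port: 22
Sep 12 11:06:14 226 portsentry[2618]: attackalert: Host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 is already blocked Ignoring
Sep 12 11:06:15 226 portsentry[2618]: attackalert: TCP SYN/Normal scan from host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 to TCP port: 22
Sep 12 12:10:30 226 portsentry[2618]: attackalert: TCP SYN/Normal scan from host: dsl-TN-static-140.246.22.125.airtelbroadband.in/125.22.246.140 to TCP port: 22
Sep 12 12:10:30 226 portsentry[2618]: attackalert: TCP SYN/Normal scan from host: dsl-TN-static-140.246.22.125.airtelbroadband.in/125.22.246.140 to TCP port: 22
Sep 12 16:04:44 226 portsentry[2618]: attackalert: TCP SYN/Normal scan from host: 82.138.34.109/82.138.34.109 to TCP port: 22
Sep 12 16:04:44 226 portsentry[2618]: attackalert: Host 82.138.34.109 has been blocked via wrappers with string: "ALL: 82.138.34.109"'

# Read log text on stdin; print "hits ip" per source, busiest first.
# Only the "scan from host:" lines are counted, so portsentry's own
# "has been blocked" / "already blocked" follow-ups do not inflate the numbers.
count_by_source() {
    awk '/attackalert: TCP SYN\/Normal scan from host:/ {
            for (i = 1; i <= NF; i++)
                if ($i == "host:") { n = split($(i + 1), h, "/"); ip = h[n] }  # "name/ip" -> ip
            hits[ip]++
         }
         END { for (ip in hits) print hits[ip], ip }' | sort -rn
}

# Read log text on stdin; print "ALL: ip" lines, suitable for /etc/hosts.deny,
# for every source with at least $1 scan hits.
deny_lines() {
    count_by_source | awk -v min="$1" '$1 >= min { print "ALL: " $2 }'
}

# Run against the constructed sample; point it at your real log instead, e.g.
#   grep attackalert /var/log/messages | count_by_source   (path assumed)
printf '%s\n' "$SAMPLE_LOG" | count_by_source
printf '%s\n' "$SAMPLE_LOG" | deny_lines 2
```

Run it over a full day and the sorted output shows how few distinct sources account for most of the noise, which is the case for blocking them at the host rather than just moving the port.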

To do this open the sshd_config file (I like to use nano) and change the Port directive from 22 to a port that nothing else on the machine is using. A port below 1024 is a good choice: only root can bind to those, so an unprivileged process on the box cannot squat on sshd's port if sshd is ever down. Note that the shipped config usually has the line commented out as #Port 22, so uncomment it as well as changing the number. The sshd_config file is normally in /etc/ssh; if it is not there, look for it with find (ie use "find / -name 'sshd_config'").

Restart sshd and, from a second terminal while your existing session is still open, log in using ssh -p [new port] user@serveraddress (eg ssh -p 999 daniel@tillett.com). Keep the old session until the new login works: if the new port is blocked by your firewall or sshd failed to start on it, that session is your only way back in. This will stop most of the noise, but it is a good idea to refuse all connections on port 22. I will leave how to do that for another post.
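The steps above, done with a script that refuses to leave you locked out, as an added example that is not from the original post: it rewrites the Port directive in a copy-backed sshd_config, and the live part validates the file with sshd's test mode and confirms a listener on the new port before you close your old session. The config path, the port 999 and the service unit names are assumptions; adjust them for your system.

```sh
#!/bin/sh
# Added example, not from the original post: rewrite the Port directive in an
# sshd_config safely, plus the checks to run before dropping your old session.
# File paths, the port number 999 and the service unit names are assumptions.

# Report the port an sshd_config would listen on: the first uncommented Port
# line, or 22 (OpenSSH's default) if there is none.
get_ssh_port() {
    awk '/^[[:space:]]*Port[[:space:]]+[0-9]+/ { print $2; found = 1; exit }
         END { if (!found) print 22 }' "$1"
}

# Set the Port directive in config file $1 to $2, keeping a .bak copy.
# The first Port line (including the shipped "#Port 22" comment) becomes the
# new directive, any further Port lines are dropped so only one remains, and
# a file with no Port line at all gets one appended.
set_ssh_port() {
    cfg=$1; port=$2
    case $port in
        ''|*[!0-9]*) echo "set_ssh_port: port must be numeric, got '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "set_ssh_port: port $port out of range" >&2; return 1
    fi
    cp "$cfg" "$cfg.bak" || return 1
    awk -v port="$port" '
        /^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+/ {
            if (!seen) print "Port " port
            seen = 1; next
        }
        { print }
        END { if (!seen) print "Port " port }
    ' "$cfg.bak" > "$cfg"
}

# Live steps, run as root on the server: validate the file with sshd's test
# mode, restart, and confirm something is listening on the new port. Run this
# from one terminal while an older ssh session stays open in another, and only
# close that session after "ssh -p <port> user@host" from outside succeeds.
# The unit is "ssh" on Debian/Ubuntu and "sshd" on RHEL/Fedora.
apply_and_verify() {
    cfg=$1; port=$2
    if ! sshd -t -f "$cfg"; then
        echo "sshd rejected $cfg, restoring backup" >&2
        cp "$cfg.bak" "$cfg"; return 1
    fi
    systemctl restart sshd 2>/dev/null || systemctl restart ssh || return 1
    ss -ltn | grep -q ":$port " || { echo "nothing listening on $port" >&2; return 1; }
}

# Example run (paths and port assumed):
#   set_ssh_port /etc/ssh/sshd_config 999 && apply_and_verify /etc/ssh/sshd_config 999
```

Two things the script cannot check for you: open the new port in your packet filter before restarting, and on an SELinux host (RHEL/Fedora) tell the policy about it first with semanage port -a -t ssh_port_t -p tcp 999, or sshd will be refused the bind.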

I should add that this is not a substitute for security, but it does stop your logs filling up with garbage.
