Ssh – Solaris 11 sshd brute force protection. DenyHosts equivalent for Solaris 11

brute-force-attacksdenyhostssolarissshx86

I'm getting regular attempts to brute force ssh on a x86 solaris 11.1 server. On linux I use DenyHosts to block connections after a number of incorrect login attempts. Is there a similar package for Solaris 11.1 or any recommendations on other alternative ways to prevent brute force of ssh?

Best Answer

Any recommendations on other alternative ways to prevent brute force of ssh?

Change the port SSH runs on. Brute force attempts are largely done against port 22.

$ sudo grep ^Port /etc/ssh/sshd_config 
Port 10022

Limit the users that are allowed to connect, for example:

$ sudo grep ^AllowUsers /etc/ssh/sshd_config 
AllowUsers dannix
AllowUsers gene@192.168.3.*
AllowUsers bill@172.16.0.100

Disable root login:

$ sudo grep ^PermitRootLogin /etc/ssh/sshd_config 
PermitRootLogin no

Use public key authentication rather than passwords.

Disable password based authentication (only do this if you use public key authentication):

$ sudo grep ^PasswordAuthentication /etc/ssh/sshd_config 
PasswordAuthentication no

Additionally, you can use firewall rules to restrict what remote hosts can access SSH on your system.

Related Solutions

Brute Force Prevention – Denyhosts vs Fail2ban vs Iptables

IIRC, DenyHosts will only watch your SSH service. If you need it to protect other services as well, Fail2ban is definitely a better choice. It is configurable to watch nearly any service if you are willing to tweak its configuration, but that shouldn't be necessary as the newer versions of Fail2ban include rulesets which are suitable for many popular server daemons. Using fail2ban over a simple iptables rate limit has the advantage of completely blocking an attacker for a specified amount of time, instead of simply reducing how quickly he can hammer your server. I've used fail2ban with great results on a number of production servers and have never seen one of those servers breached by a brute force attack since I've started using it.

Debian – Use iptables rate limiting to temporarily block FTP server brute-force attempts

iptables -A INPUT -p tcp -m state --state NEW --dport 21 -m recent --name ftpattack --set
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --name ftpattack --rcheck --seconds 60 --hitcount 4 -j LOG --log-prefix 'FTP REJECT: '
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --name ftpattack --rcheck --seconds 60 --hitcount 4 -j REJECT --reject-with tcp-reset

these rules near or at the top of your ruleset will allow only three connections to port 21, from any given IP address, in a rolling 60-second window. To allow n, use --hitcount n+1; to use a bigger window than 60 seconds, increase --seconds 60.

Best Answer

Related Solutions

Brute Force Prevention – Denyhosts vs Fail2ban vs Iptables

Debian – Use iptables rate limiting to temporarily block FTP server brute-force attempts

Related Topic