Using sshdfilter to secure an SSH server

Since moving my OpenSSH server down to its standard port number I have been hit daily by service scanning software and brute force password attacks. Gerry pointed out that sshdfilter can help.

sshdfilter blocks the frequent brute force attacks on ssh daemons, it does this by directly reading the sshd logging output and generating iptables rules, the process can be quick enough to block an attack before they get a chance to enter any password at all.

It’s quick and simple to setup, I enabled email alerts to see what it gets upto and can report it is all working fine on my servers (Red Hat 9 customised).

It will block when triggered by:

  • An attempt to login as a user which doesn’t exist
  • After N failed attempts to login to an existing user account
  • If the incoming connection fails to provide an SSH version banner which is part of the SSH protocol, it’s most likely a port scanner or dumb client

    • The length of time the block remains in place is all configurable.

    About this entry

    You’re currently reading “Using sshdfilter to secure an SSH server,” an entry on Weblog of Michael Cutler

    Published:
    13th February 2006 / 11:02pm
    Category:
    Tools, Linux, Internet, Security

    Related Entries