- brute force attack
A password and cryptography attack that does not attempt to decrypt any information, but instead keeps trying a list of different passwords, words, or characters. For example, a simple brute-force attack may have a dictionary of all words or commonly used passwords and cycle through those words until it gains access to the account. A more complex brute-force attack involves trying every key combination until the correct password is found. Because of the number of possible combinations of letters, numbers, and symbols, a brute-force attack can take a long time to complete. The stronger the encryption used (64-bit, 128-bit, or 256-bit), the longer it can take.
Although a brute-force attack may eventually gain access to an account, these attacks can take hours, days, months, or even years to run. The time to complete an attack depends on the password, the strength of the encryption, how well the attacker knows the target, and the power of the computer(s) used to conduct the attack.
- SSH: Short for Secure Shell, SSH (developed by SSH Communications Security Ltd.) is a secure protocol for remote logins. Using an SSH client, a user can connect to a server and transfer information more securely than with other methods, such as telnet. The image to the right is an example of how an SSH session, which uses a command-line interface, may look.
Prevent dictionary brute-force attacks
- Recommendation: webmasters using ECS or another VPS should not set a password shorter than 12 characters, and should use a mix of digits, uppercase and lowercase letters, and symbols to ensure security.
Advantages: no need to operate on the server itself; the password can be changed directly in the Alibaba Cloud (or other VPS provider's) control panel.
Disadvantages: a persistent attacker will sooner or later be able to guess it.
- Change the SSH terminal service port from 22 to another port, so that an attacker cannot directly attack your server by guessing the password on the default port.
First, modify the configuration file:
vi /etc/ssh/sshd_config
Find the #Port 22 line (port 22 is the default) and change it as follows:
Port 22
Port 21212
Then save and exit, and restart sshd:
/etc/init.d/sshd restart
SSH will now listen on both port 22 and port 21212.
Now edit the firewall configuration:
vi /etc/sysconfig/iptables
Add a rule allowing inbound TCP port 21212, then restart iptables:
/etc/init.d/iptables restart
Now connect with your SSH client on port 21212 to confirm it works. If the connection succeeds, edit sshd_config again and delete the Port 22 line. The reason for running two ports and closing the old one only after a successful test is that if the connection drops, the network fails, or a mistake is made while editing the configuration, you can still reach the server on the other port to debug it, instead of being locked out and facing more trouble than the change was worth.
Note: the port value ranges from 0 to 65535 (2^16 values), and 0 to 1024 are ports used by the system, such as port 80 for the HTTP service. Use a port in the range 1024 to 65535 (not outside it), which is what sockets allow. When using this second method you still need to set a strong password as described in the first method, so that the server is more secure.
Advantages: higher security.
Disadvantages: more cumbersome to operate.
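The following POSIX shell functions are an added example that is not part of the original page: they carry out the port change above in the order the text recommends (add the new port while keeping the old one, test, then drop the old one), but operate on whatever file path you pass, so you can rehearse on a copy before touching /etc/ssh/sshd_config. Port 21212 is the page's example value; the range check and the iptables-save rule format are my additions.

```shell
#!/bin/sh
# Added example, not code from the original page: stage a second sshd
# listen port the way the procedure above describes, working on whatever
# config path is given so it can be rehearsed on a copy first.

# add_ssh_port CONFIG PORT
# Keeps the existing port active and adds PORT right after it, so a failed
# connection on the new port does not lock you out. Refuses ports outside
# the 1024-65535 range the page recommends.
add_ssh_port() {
    cfg="$1"; newport="$2"
    case "$newport" in ''|*[!0-9]*) return 1 ;; esac
    [ "$newport" -ge 1024 ] && [ "$newport" -le 65535 ] || return 1
    # nothing to do if PORT is already an active Port directive
    grep -q "^Port[[:space:]]\{1,\}$newport[[:space:]]*\$" "$cfg" && return 0
    awk -v np="$newport" '
        # first Port line, commented or not: re-emit it active, then add ours
        !done && /^#?[[:space:]]*Port[[:space:]]+[0-9]+/ {
            match($0, /[0-9]+/)
            print "Port " substr($0, RSTART, RLENGTH)
            print "Port " np
            done = 1
            next
        }
        { print }
        # no Port line at all: sshd defaults to 22, so make both explicit
        END { if (!done) { print "Port 22"; print "Port " np } }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# remove_ssh_port CONFIG PORT : the final step, once the new port is tested
remove_ssh_port() {
    awk -v p="$2" '!($1 == "Port" && $2 == p)' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# listen_ports CONFIG : active Port values, one per line
listen_ports() {
    awk '/^Port[[:space:]]+[0-9]+/ { print $2 }' "$1"
}

# iptables_rule PORT : the line to add to /etc/sysconfig/iptables
# (iptables-save format) before restarting the iptables service
iptables_rule() {
    printf '%s\n' "-A INPUT -p tcp -m tcp --dport $1 -j ACCEPT"
}

# Typical run on the real system (as root), after taking a backup:
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   add_ssh_port /etc/ssh/sshd_config 21212 && sshd -t && /etc/init.d/sshd restart
#   iptables_rule 21212     # add this line to /etc/sysconfig/iptables, then restart it
#   connect on 21212 from a second terminal; only then:
#   remove_ssh_port /etc/ssh/sshd_config 22 && sshd -t && /etc/init.d/sshd restart
```

The `sshd -t` call in the usage comment is the check the page's procedure skips: it validates the edited file before the restart, so a typo cannot take the daemon down on both ports at once.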
Other Options
#1: Disable OpenSSH Server
Workstations and laptops can work without an OpenSSH server. If you do not need to provide the remote login and file transfer capabilities of SSH, disable and remove the sshd server. CentOS / RHEL / Fedora Linux users can disable and remove openssh-server with the yum command:
# chkconfig sshd off
# yum erase openssh-server
Debian / Ubuntu Linux users can disable and remove it in the same way with the apt-get command:
# apt-get remove openssh-server
You may need to update your iptables script to remove the ssh exception rule. Under CentOS / RHEL / Fedora, edit the files /etc/sysconfig/iptables and /etc/sysconfig/ip6tables. Once done, restart the iptables services:
# service iptables restart
# service ip6tables restart
Use SSH Protocol 2
SSH protocol version 1 (SSH-1) is vulnerable to man-in-the-middle attacks and has other security vulnerabilities. SSH-1 is obsolete and should be avoided at all costs. Open the sshd_config file and make sure the following line exists:
Protocol 2
Users can log in to the server via ssh, and you can set an idle timeout interval to avoid unattended ssh sessions. Open sshd_config and make sure the following values are configured:
ClientAliveInterval 300
ClientAliveCountMax 0
You are setting an idle timeout interval in seconds (300 secs = 5 minutes). After this interval has passed, the idle user will be automatically kicked out (that is, logged out). See how to automatically log BASH / TCSH / SSH users out after a period of inactivity for more details.
Disable .rhosts Files
Don’t read the user’s ~/.rhosts and ~/.shosts files. Update sshd_config with the following settings:
IgnoreRhosts yes
SSH can emulate the behavior of the obsolete rsh command, so disable this insecure RSH-style access.
Disable Host-Based Authentication
To disable host-based authentication, update sshd_config with the following option:
HostbasedAuthentication no
Disable root Login via SSH
There is no need to log in as root via ssh over a network. Normal users can use su or sudo (recommended) to gain root-level access. This also makes sure you get full auditing information about who ran privileged commands on the system via sudo. To disable root login via SSH, update sshd_config with the following line:
PermitRootLogin no
However, Bob made an excellent point:
Saying “don’t login as root” is h******t. It stems from the days when people sniffed the first packets of sessions, so logging in as yourself and su-ing decreased the chance an attacker would see the root pw, and decreased the chance you got spoofed as to your telnet host target. You’d get your password spoofed but not root’s pw. Gimme a break. This is 2005 – We have ssh, used properly it’s secure. Used improperly, none of this 1989 will make a damn bit of difference. -Bob
Use Public Key Based Authentication
Use public/private key pair with password protection for the private key.
Disable Empty Passwords
You need to explicitly disallow remote login from accounts with empty passwords; update sshd_config with the following line:
PermitEmptyPasswords no
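As an added example that is not part of the original page, the following POSIX shell script checks an sshd_config file for the directives recommended in the sections above. It mirrors two rules that matter when reading the file by hand: sshd takes the first value it sees for a keyword and ignores later duplicates, and anything below a Match line applies only conditionally. The PubkeyAuthentication / PasswordAuthentication pair is my assumption for the "use public key based authentication" advice; the page itself does not name those directives.

```shell
#!/bin/sh
# Added example, not code from the original page: audit an sshd_config
# against the settings recommended above. sshd uses the FIRST value it
# finds for a keyword (later duplicates are ignored) and keywords are
# case-insensitive, so the lookup below mirrors both rules and stops at
# the first Match block, whose settings are conditional.

# effective_value CONFIG KEY : prints the global value sshd would use for
# KEY, or nothing if the keyword is unset (or appears only commented out)
effective_value() {
    awk -v key="$2" '
        tolower($1) == "match"       { exit }   # conditional section begins
        /^[[:space:]]*#/             { next }   # comment line
        tolower($1) == tolower(key)  { print $2; exit }
    ' "$1"
}

# audit_sshd_config CONFIG : prints one OK/FAIL line per directive and
# returns the number of failures (0 means fully compliant)
audit_sshd_config() {
    cfg="$1"; fails=0
    # Directives from the recommendations above. The last two are an
    # assumption for "use public key based authentication": keys on,
    # password logins off once keys are in place.
    for pair in \
        "Protocol:2" \
        "ClientAliveInterval:300" \
        "ClientAliveCountMax:0" \
        "IgnoreRhosts:yes" \
        "HostbasedAuthentication:no" \
        "PermitRootLogin:no" \
        "PermitEmptyPasswords:no" \
        "PubkeyAuthentication:yes" \
        "PasswordAuthentication:no"
    do
        key=${pair%%:*}
        want=${pair#*:}
        got=$(effective_value "$cfg" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key want=$want got=${got:-unset}"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Usage on a live system:  audit_sshd_config /etc/ssh/sshd_config
```

One caveat for the Protocol row: recent OpenSSH releases dropped SSH-1 entirely along with the Protocol keyword, so on such a server the directive is absent and the check reports FAIL for a setting that no longer exists; drop that row there, or confirm the version before acting on it.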
Thwart SSH Crackers (Brute Force Attack)
Brute force is a method of defeating a cryptographic scheme by trying a large number of possibilities using a single computer or a distributed network of computers. To prevent brute-force attacks against SSH, use the following software:
- DenyHosts is a Python-based security tool for SSH servers. It is intended to prevent brute-force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses.
- Explains how to set up DenyHosts under RHEL / Fedora and CentOS Linux.
- Fail2ban is a similar program that prevents brute-force attacks against SSH.
- security/sshguard-pf protects hosts from brute-force attacks against ssh and other services using pf.
- security/sshguard-ipfw protects hosts from brute-force attacks against ssh and other services using ipfw.
- security/sshguard-ipfilter protects hosts from brute-force attacks against ssh and other services using ipfilter.
- security/sshblock blocks abusive SSH login attempts.
- Brute Force Detection: a modular shell script for parsing application logs and checking for authentication failures. It does this using a rules system in which application-specific options are stored, including regular expressions for each unique auth format.
- IPQ BDB filter: may be considered a fail2ban lite.
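The tools listed above all share one core step: count failed logins per source address in the authentication log and act once a source crosses a threshold. As an added example that is neither from the page nor from any of those projects, the shell functions below do that one step over a few constructed syslog-format sshd lines (documentation addresses, not real hosts) and print, rather than execute, the firewall rule a ban would apply.

```shell
#!/bin/sh
# Added example, not code from the original page or from any tool listed
# above: the core of what DenyHosts, Fail2ban and sshguard do, reduced to
# one awk pass. It counts "Failed password" events per source address in
# sshd's syslog output and reports sources at or above a threshold.
# SAMPLE_LOG holds constructed lines in the format OpenSSH writes; the
# addresses are documentation ranges, not real hosts.

SAMPLE_LOG='Mar  1 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51122 ssh2
Mar  1 10:00:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51123 ssh2
Mar  1 10:00:03 host sshd[1202]: Failed password for root from 203.0.113.10 port 51124 ssh2
Mar  1 10:00:04 host sshd[1203]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Mar  1 10:00:05 host sshd[1204]: Failed password for bob from 198.51.100.7 port 40023 ssh2
Mar  1 10:00:06 host sshd[1205]: Failed password for invalid user test from 203.0.113.10 port 51125 ssh2'

# failed_by_source [THRESHOLD] : reads log lines on stdin and prints
# "COUNT ADDRESS" for every source with COUNT >= THRESHOLD (default 3),
# busiest first. Only sshd "Failed password" lines are counted; successful
# logins and other daemons are ignored.
failed_by_source() {
    awk -v t="${1:-3}" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the address is the field right after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' | sort -rn
}

# block_rule ADDRESS : the iptables command a ban would run; printed, not
# executed, so the decision stays visible and reversible
block_rule() {
    printf '%s\n' "iptables -I INPUT -s $1 -p tcp --dport 22 -j DROP"
}

# Typical use on a live host:
#   failed_by_source 5 < /var/log/auth.log      # Debian / Ubuntu
#   failed_by_source 5 < /var/log/secure        # CentOS / RHEL / Fedora
```

What the real tools add on top of this sketch is exactly what makes them safe to run unattended: a sliding time window so old failures expire, automatic unbanning after a ban period, and a whitelist so an administrator who mistypes a password a few times is not locked out of their own server.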