Tuesday, April 6, 2010

Blocking SSH Brute Force Attack

Before reaching for a log-watching tool such as fail2ban to block someone from brute-forcing the SSH login to your server, look at sshd_config: configured correctly, it defeats the common password-guessing bots without any extra software, and it does not obstruct your ability to log in interactively by typing a password. The method works on most systems. Simply make sure the following settings are present in /etc/sshd_config (/etc/ssh/sshd_config on most Linux distributions) and restart sshd afterwards:
  • UsePAM yes
  • ChallengeResponseAuthentication yes
  • PasswordAuthentication no
With PasswordAuthentication set to no, sshd no longer offers the plain "password" method at all, so a command-line ssh client authenticates with keyboard-interactive instead; with UsePAM and ChallengeResponseAuthentication enabled, that method hands the prompt to PAM, which asks for the same Unix password as before. PuTTY also falls back to keyboard-interactive correctly when password authentication is disallowed. I don't know of any instance where the plain password method is actually used, except by bots performing brute-force attacks.

I discovered this because I noticed that the log entries written to /var/log/secure.log differ between a bot's brute-force attempt and my own mistyped password. If I try the wrong password, the log looks like this:

Apr  6 20:00:51 kawazu sshd[6163]: Failed keyboard-interactive/pam for invalid user oracle from 128.197.10.236 port 54021 ssh2

But when a bot does it, the log looks like this:

Apr  6 18:14:11 kawazu sshd[5172]: Failed password for invalid user oracle from 202.10.72.148 port 54865 ssh2

The method name in the log entry, "password" rather than "keyboard-interactive/pam", shows that the client requested the plain password method. This is an indication that a scripted client (a brute-force tool built on a library such as Paramiko, for example) is conducting the attack rather than a person at a terminal.
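To make that distinction mechanical, here is an added example (not code from the original post): a small Python classifier that parses the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip> port <port>" lines of the form shown above, tallies the authentication method each source address attempted, and reports the sources whose failures used only the plain password method, which after the configuration above can never succeed. The sample log lines are constructed after the two entries in the post; the extra addresses, user names and the `min_failures` threshold are illustrative assumptions.

```python
"""Classify sshd authentication log entries by the method the client used.

Added example, not part of the original post.  SAMPLE_LOG is constructed
after the two /var/log/secure.log entries quoted in the post; the extra
addresses and user names are illustrative.
"""
import re
from collections import Counter, defaultdict

# Matches both "Failed" and "Accepted" lines as written by OpenSSH, e.g.
#   Failed password for invalid user oracle from 202.10.72.148 port 54865 ssh2
#   Failed keyboard-interactive/pam for invalid user oracle from 128.197.10.236 port 54021 ssh2
AUTH_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

SAMPLE_LOG = [
    # A person mistyping a password at an interactive ssh prompt (from the post).
    "Apr  6 20:00:51 kawazu sshd[6163]: Failed keyboard-interactive/pam for invalid user oracle from 128.197.10.236 port 54021 ssh2",
    # A scripted guesser cycling through user names with the plain password method.
    "Apr  6 18:14:11 kawazu sshd[5172]: Failed password for invalid user oracle from 202.10.72.148 port 54865 ssh2",
    "Apr  6 18:14:13 kawazu sshd[5174]: Failed password for invalid user postgres from 202.10.72.148 port 54870 ssh2",
    "Apr  6 18:14:15 kawazu sshd[5176]: Failed password for root from 202.10.72.148 port 54874 ssh2",
    "Apr  6 18:14:16 kawazu sshd[5176]: Connection closed by 202.10.72.148",
    # A legitimate user (constructed) who got the password right on the second try.
    "Apr  6 18:20:02 kawazu sshd[5201]: Failed keyboard-interactive/pam for alice from 10.0.0.5 port 50112 ssh2",
    "Apr  6 18:20:09 kawazu sshd[5201]: Accepted keyboard-interactive/pam for alice from 10.0.0.5 port 50112 ssh2",
]


def parse_auth_line(line):
    """Return a dict describing one sshd auth event, or None for other log lines."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    return {
        "result": m.group("result"),
        # "password" is the plain password method; "keyboard-interactive/pam" is what
        # an interactive ssh or PuTTY session uses once PasswordAuthentication is off.
        # The "/pam" suffix only names the back end, so it is dropped here.
        "method": m.group("method").split("/")[0],
        "user": m.group("user"),
        "invalid_user": m.group("invalid") is not None,
        "ip": m.group("ip"),
        "port": int(m.group("port")),
    }


def methods_by_source(lines):
    """Count, per source IP, which auth methods its failed attempts used."""
    table = defaultdict(Counter)
    for line in lines:
        ev = parse_auth_line(line)
        if ev and ev["result"] == "Failed":
            table[ev["ip"]][ev["method"]] += 1
    return table


def password_only_sources(lines, min_failures=3):
    """Sources whose failures all used the plain 'password' method.

    With PasswordAuthentication off these attempts can never succeed, so a source
    that keeps sending them is a script rather than a person at a terminal.
    min_failures is an illustrative threshold to ignore a one-off probe.
    """
    return sorted(
        ip
        for ip, counts in methods_by_source(lines).items()
        if set(counts) == {"password"} and counts["password"] >= min_failures
    )


def successful_logins(lines):
    """(user, ip, method) for every Accepted line, in log order."""
    out = []
    for line in lines:
        ev = parse_auth_line(line)
        if ev and ev["result"] == "Accepted":
            out.append((ev["user"], ev["ip"], ev["method"]))
    return out


if __name__ == "__main__":
    for ip, counts in sorted(methods_by_source(SAMPLE_LOG).items()):
        print(ip, dict(counts))
    print("password-only sources:", password_only_sources(SAMPLE_LOG))
    print("successful logins:", successful_logins(SAMPLE_LOG))
```

Feed it a real file with `methods_by_source(open("/var/log/secure.log"))`; the same parser works on Linux auth.log entries, since the "Failed <method> for ..." text is emitted by sshd itself, not by the syslog daemon.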

That said, after configuring sshd_config as described above, a client that implements only the plain password method can no longer log in at all; if you need such a script to connect to your server (a Paramiko-based tool, for instance), give it a key and use publickey authentication. Be clear about what the setting does and does not do: it removes the method the common bots use, so their guesses fail regardless of whether the password is right, but a client that implements keyboard-interactive still gets a normal password prompt through PAM, so strong passwords and a sensible MaxAuthTries still matter.
