Protecting my public Linux host from brute force SSH attacks

Oh my god!

I was looking at the logs of the VPS that I rent, which is publicly available on the Internet. While trying to solve some problems I have when opening SSH connections, I could see that the Linux host where my websites are hosted, like this one, is the victim of a brute force attack.

Apparently someone with an automatic tool is trying different combinations of users and passwords to gain access by SSH to my server.



This is the log /var/log/auth.log, which is updated continually as the attacker tries to guess the user and password.

To solve it, I am going to implement some of the recommendations of this post from RimuHosting

In particular

  • Run OpenSSH on a non-standard port
  • Create a user with a strange name to connect to this server and configure OpenSSH to only allow this user to connect
  • Don't allow passwords to be used. We will use SSH keys to log in to our server.

Create a user with a strange name in our VPS

As root, once logged in to the VPS:

$ useradd -m superbizarreuser -s /bin/bash -G sudo,www-data,wheel

Create SSH keys on my work computer to log in

First, on my computer, which I use for my projects and to keep the VPS updated, I will create a pair of public/private SSH keys and copy the public key to my VPS (from now on tech.ciges.net).

ciges@hppro3300:~$ ssh-keygen -t rsa
ciges@hppro3300:~$ ssh-copy-id superbizarreuser@tech.ciges.net

(I use a computer called hppro3300 with the ciges user)

If everything went OK then I can log in to the VPS using the keys

ciges@hppro3300:~$ ssh superbizarreuser@tech.ciges.net

Secure OpenSSH daemon

In this example I am going to configure OpenSSH to:

  • Use the port 12345
  • Limit the connection to the user superbizarreuser and only with SSH keys, no password is allowed.

To do this I have added the following lines to /etc/ssh/sshd_config

Port 12345
# Only allow a special user
AllowUsers superbizarreuser

# Only allow authentication with SSH keys
PasswordAuthentication no
UsePAM no
ChallengeResponseAuthentication no

and restart the SSH daemon

systemctl stop sshd
systemctl start sshd
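A check worth running on the edited file, added here as an example and not part of the original post: sshd keeps the first value it reads for most keywords, while repeated Port and AllowUsers lines add up, so lines appended below existing ones may not take effect. The names SINGLE, MULTI, ALIASES, SHADOWED, parse_global and audit are made up for this sketch, and the sample configuration is constructed.

```python
# Added example, not code from the post: audit sshd_config text for its settings.
# sshd keeps the FIRST value it reads for each of these keywords:
SINGLE = {"passwordauthentication": "no", "usepam": "no",
          "kbdinteractiveauthentication": "no"}
# Repeated lines of these keywords add up instead of replacing each other:
MULTI = {"port": ["12345"], "allowusers": ["superbizarreuser"]}
# OpenSSH 8.7 and later treat the older name as an alias of the newer one.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
# Constructed sample: two stock lines followed by the lines from this post.
SHADOWED = """PasswordAuthentication yes
Port 22
Port 12345
AllowUsers superbizarreuser
PasswordAuthentication no
UsePAM no
ChallengeResponseAuthentication no
"""
def parse_global(config_text):
    """Return {keyword: [(value, line_no), ...]} up to the first Match line."""
    seen = {}
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        seen.setdefault(keyword, []).append((value, line_no))
        if keyword == "match":
            break  # everything after Match is conditional
    return seen

def audit(config_text):
    """Return findings; an empty list means the post's settings are in effect."""
    seen, findings = parse_global(config_text), []
    for keyword, wanted in SINGLE.items():
        value, line_no = seen.get(keyword, [("<not set>", 0)])[0]
        if value.lower() != wanted:
            findings.append(f"{keyword}: first value read is '{value}' (line {line_no})")
    for keyword, wanted in MULTI.items():
        values = [value for value, _ in seen.get(keyword, [])]
        if values != wanted:
            findings.append(f"{keyword}: effective {values}, wanted {wanted}")
    for keyword in ("include", "match"):  # not evaluated by this sketch
        for value, line_no in seen.get(keyword, []):
            findings.append(f"{keyword} on line {line_no}: check by hand")
    return findings
if __name__ == "__main__":
    print("\n".join(audit(SHADOWED)) or "settings in effect")
```

On the server itself, sshd -T prints the configuration the daemon will actually use, including any files pulled in by Include.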

Configure ssh to connect to the VPS with the new user and port

Then, on my work computer, to make the connection quick and easy, I will configure the SSH connection to the server tech.ciges.net to always use the new port and user.

I add the following lines to the .ssh/config file in my home directory.

Host tech.ciges.net
    User superbizarreuser
    Port 12345

Then I can open an SSH connection simply with

ciges@hppro3300:~$ ssh tech.ciges.net

I still have to open the firewall used on my computer (UFW) to allow outgoing connections to the new port

ufw allow out 12345

And be really careful not to lose the private key (it's the only way to connect to the server now).

Done!


This post is part of a series of posts: "DevOps home lab". You can read them in the following links: