Protecting sshd on a public-facing virtual machine from brute-force attacks

Brute-force bots try large numbers of user names and passwords until one works. For example, the user names below appear in /var/log/secure on my public virtual host, each tried by a bot attempting to log in over ssh. The pipeline keeps the lowercase "invalid user" lines from Jan 19 and prints their second-to-last field, which on those lines is the user name:

sed -n '/Jan 19/p' /var/log/secure | sed -n '/invalid user/p' | awk '{print $(NF-1)}' | sort | uniq

0
0101
1234
53457
access
admin
anonymous
banner
butter
cisco
dup
ec2-user
flora
ftpuser
guest
Management
monitor
pi
PlcmSpIp
sergey
service
sheffield
sshusr
student
support
teamspeak
test
ubnt
user
utsims
uucp
vinci
vivek
VM
weblogic
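The list above comes from a one-off pipeline. As an added example that is not part of the original post, here is a small POSIX shell script that does the same triage more completely, reading log lines on stdin: password failures per source address, the invalid user names that were tried, and the sources that reached a hit-count threshold. The host name, addresses and log lines in SAMPLE_LOG are constructed for the example; on a real host pipe /var/log/secure into the functions instead.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise sshd brute-force
# activity from /var/log/secure-style lines. Reads log text on stdin, so on a
# real host it can be fed "cat /var/log/secure"; here it runs on the
# constructed sample below (fake host, addresses and times, not real data).

SAMPLE_LOG='Jan 19 03:14:07 vm sshd[2101]: Invalid user admin from 203.0.113.5 port 40122
Jan 19 03:14:07 vm sshd[2101]: input_userauth_request: invalid user admin [preauth]
Jan 19 03:14:09 vm sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jan 19 03:14:12 vm sshd[2104]: Invalid user pi from 203.0.113.5 port 40130
Jan 19 03:14:13 vm sshd[2104]: Failed password for invalid user pi from 203.0.113.5 port 40130 ssh2
Jan 19 03:20:41 vm sshd[2188]: Failed password for root from 198.51.100.7 port 51002 ssh2
Jan 19 03:20:44 vm sshd[2188]: Failed password for root from 198.51.100.7 port 51002 ssh2
Jan 19 03:20:47 vm sshd[2188]: Failed password for root from 198.51.100.7 port 51002 ssh2
Jan 19 03:22:01 vm sshd[2201]: Accepted publickey for ec2-user from 192.0.2.10 port 50000 ssh2: RSA SHA256:c0ffee
Jan 20 01:00:00 vm sshd[2300]: Failed password for root from 198.51.100.7 port 51100 ssh2'

# Lines written by sshd for the given day prefix, e.g. "Jan 19".
sshd_lines_for_day() {
    grep "^$1 " | grep 'sshd\['
}

# Failed password attempts per source address, busiest first ("<count> <ip>").
# "Failed password for" is logged once per rejected password, for valid users
# (root here) as well as invalid ones, so it counts guesses, not connections.
# Only IPv4 sources are extracted.
attempts_by_ip() {
    sshd_lines_for_day "$1" | grep 'Failed password for' \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Distinct user names that do not exist on this host, as tried by the bots.
# Uses the "Invalid user NAME from IP" line (capital I), which also carries
# the source address; user names containing spaces are not handled.
tried_usernames() {
    sshd_lines_for_day "$1" | sed -n 's/.*Invalid user \([^ ]*\) from .*/\1/p' | sort -u
}

# Sources that reached the threshold: the same test the firewall rate limit
# in this post applies (4 hits), but over a whole day of logs.
lockout_candidates() {
    attempts_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | attempts_by_ip "Jan 19"
printf '%s\n' "$SAMPLE_LOG" | tried_usernames "Jan 19"
```

The post's one-liner keys on the lowercase "invalid user" message; this script reads the capitalised "Invalid user NAME from IP" line instead because it also carries the source address, which is what you need when deciding whom to block.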

There are three ways to defend against brute-force attacks.

1 Allow only public-key login

Append the public key of your local ssh client to the ~/.ssh/authorized_keys file in the remote user's home directory (neither ~/.ssh nor the file may be group- or world-writable, or sshd ignores the key).
Then edit the sshd service configuration on the remote host:

/etc/ssh/sshd_config

Change the configuration to:

PubkeyAuthentication yes
PasswordAuthentication no

On hosts where sshd authenticates through PAM (CentOS/RHEL among them) also set ChallengeResponseAuthentication to no, otherwise a client can still send a password through keyboard-interactive authentication. Before restarting sshd, confirm from a second terminal that the key login works, and keep the current session open until it does, so a mistake cannot lock you out.

2 Move the sshd listening port

Again in /etc/ssh/sshd_config, the default is:

Port 22

Change to

Port 1234 # Find a port number by yourself

Moving the port does not stop a determined attacker (a port scan finds it), but it removes most of the noise from bots that only try 22. On a host with SELinux enforcing (CentOS/RHEL), sshd may only bind port 22 until you tell SELinux about the new port with semanage port -a -t ssh_port_t -p tcp 1234. Then enable and start the firewall, remove the default ssh service rule, and open the port you just configured:

systemctl enable --now firewalld
firewall-cmd --permanent --remove-service=ssh
firewall-cmd --permanent --add-port=1234/tcp

Finally, load the new firewall rules and restart sshd. Keep your current session open and check that a fresh connection to the new port works before logging out:

firewall-cmd --reload
systemctl restart sshd.service

3 Limit the rate of new connections per source

These firewalld direct rules use the iptables recent module: the first records every new connection to the ssh port by source address, the second rejects a new connection when the same source has already made four within 30 seconds. If you moved the port in step 2, replace 22 with that port in both rules. (Newer firewalld releases mark --direct as deprecated in favour of policies, but the rules still load.)

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp --dport 22 -m state --state NEW -m recent --set
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 1 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 4 -j REJECT --reject-with tcp-reset
firewall-cmd --reload


Or, with plain iptables instead of firewalld. The check-and-drop rule must come before the rule that records the connection and accepts it; in the opposite order the ACCEPT matches every new connection first and the limit is never reached:

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 4 --rttl --name SSH -j DROP
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
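Steps 1 to 3 are easy to get wrong by hand: a typo in sshd_config, or a rate-limit rule that still says port 22 after the port was moved. As an added example that is not the original post's code, the following POSIX shell script applies the same changes to a config file you pass in (run it on a copy first), checks that each directive is in effect the way sshd reads the file, and prints the firewall-cmd commands for the chosen port instead of running them. The ChallengeResponseAuthentication directive and the semanage line are additions to what the post sets, with the reason given in the comments; the sample config used in the demo is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: apply steps 1-3 of the post
# to a copy of sshd_config and emit the matching firewall-cmd plan. Nothing
# here touches the live system: the config edits run on the file you pass in
# (point it at a copy first) and firewall_plan only prints the commands.
set -e

# Set "KEY VALUE" in an sshd_config-style file. sshd honours the first
# occurrence of a directive, so the first line that sets or comments it out
# is rewritten in place; if there is none, the directive is appended.
# Directives inside "Match" blocks are deliberately not handled.
set_directive() {
    file=$1 key=$2 value=$3
    awk -v k="$key" -v v="$value" '
        !done && $0 ~ ("^[# \t]*" k "[ \t]") { print k, v; done = 1; next }
        { print }
        END { if (!done) print k, v }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Effective value of a directive, the way sshd reads it: first uncommented hit.
get_directive() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Step 1 (key-only login) and step 2 (custom port). ChallengeResponseAuthentication
# is an addition to the post's two directives: with PAM in use, leaving it on
# lets a client still send a password via keyboard-interactive authentication.
harden_sshd_config() {
    file=$1 port=$2
    set_directive "$file" Port "$port"
    set_directive "$file" PubkeyAuthentication yes
    set_directive "$file" PasswordAuthentication no
    set_directive "$file" ChallengeResponseAuthentication no
}

# Returns 0 when every hardened setting is in effect, non-zero otherwise.
verify_sshd_config() {
    file=$1 port=$2
    [ "$(get_directive "$file" Port)" = "$port" ] &&
    [ "$(get_directive "$file" PubkeyAuthentication)" = yes ] &&
    [ "$(get_directive "$file" PasswordAuthentication)" = no ] &&
    [ "$(get_directive "$file" ChallengeResponseAuthentication)" = no ]
}

# Steps 2 and 3 on the firewall side, printed rather than executed. The
# rate-limit rules use the new port: the post's rules hard-code 22, which
# would leave a moved port unlimited. Run the output as root once the edited
# config has passed "sshd -t".
firewall_plan() {
    port=$1
    cat <<EOF
# SELinux (CentOS/RHEL): allow sshd to bind the non-default port
semanage port -a -t ssh_port_t -p tcp $port
firewall-cmd --permanent --remove-service=ssh
firewall-cmd --permanent --add-port=$port/tcp
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp --dport $port -m state --state NEW -m recent --set
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 1 -p tcp --dport $port -m state --state NEW -m recent --update --seconds 30 --hitcount 4 -j REJECT --reject-with tcp-reset
firewall-cmd --reload
systemctl restart sshd
EOF
}

# Demo on a constructed stand-in for a stock config (sample content, not a real host's file).
demo=$(mktemp)
printf '#Port 22\n#PubkeyAuthentication yes\nPasswordAuthentication yes\nX11Forwarding no\n' > "$demo"
harden_sshd_config "$demo" 1234
verify_sshd_config "$demo" 1234 && cat "$demo"
firewall_plan 1234
rm -f "$demo"
```

Run sshd -t against the edited file before restarting sshd, keep your current session open, and confirm a key-based login on the new port from a second terminal before logging out.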


Tags: ssh firewall iptables Weblogic

Posted on Fri, 01 May 2020 21:36:08 -0700 by bobbybrown