Defending Against SSH Attacks

My hope is that the information here may be useful to some people somewhere.

Some people like to be able to access files on their home computer from anywhere. One of the most secure ways to do this is by using SSH as the transport mechanism. Of course, no matter which transport mechanism you choose, you have to open up some part of your desktop computer at home to the Internet... and the Internet is not a perfect, happy place where everyone trusts everyone.

In fact, it is downright unnerving. Most people who have a server running at home have realized that their computer gets attacked very frequently. If you can go a day without someone trying to guess your password, you are lucky.

So it comes down to defense. How do you defend against attacks? There are a few basic approaches:

  • Don't use a password that exists in any dictionary
  • Limit the usernames that are allowed to log in (for example, do not allow root to log in to the machine directly)
  • Blacklist the whole Internet, except for the addresses where you know you will be
  • Use an adaptive firewall
  • Configure the server to operate on a non-standard port

For whatever reason, I decided to use an adaptive firewall. Also for whatever reason, I decided to write my own. It's not that I don't like any of the public ones - I was just in a programming mood, and the program itself is simple.

Very simple, actually. All it does is parse /var/log/secure.log looking for authentication failures, extract the associated hostnames, and instruct the system's firewall to deny all access from those hostnames. It took about 30 lines of code, total. Additionally, the log entries are so simple that I didn't even need to use Regular Expressions for searching. The only trick after that is getting the program to run in conjunction with SSH, which launchd handles with grace.

Then came the results...

Initially, the program found about a hundred addresses to block. This continued for about a week, at which point a distributed attack came by. Over a period of a few days, the firewall blocked over 2000 addresses.

After the storm, life moved on. Only this time, authentication failures only came by every once in a while. And so it continues today.

Overall, this has been interesting. I did not have any statistics software running before all this, so it is hard to tell in what way and how much the adaptive firewall is helping, however it is very clear that the security log is not scrolling authentication failures anymore. The firewall blocks addresses approximately according to a logarithmic function that reaches about 30 after a week. I also have a log of all the hostnames that get blocked, which I forward to my ISP every once in a while.

The program I wrote is available to those who ask, however please note that it is not as robust as some of the public implementations.

March 5, 2010: A distributed attack came by. 500 addresses got blocked in 20 hours. Things returned to normal after that.


If you have any comments, feel free to email them to me and I'll post them here.