Protecting OpenSSH

This article outlines several methods of protecting an OpenSSH server, most of them aimed at the automated password-guessing attacks that every Internet-facing sshd receives. They are not mutually exclusive; most are best combined.

Swatch
Swatch is a Perl-based system log watcher: it follows a log file, matches each new line against configured regular expressions, and runs the action attached to a match (send mail, run a command, and so on). Pointed at the sshd log, it can run a command that blocks a host after repeated authentication failures.

DenyHosts
DenyHosts is a Python script that analyzes the OpenSSH server log to determine whether hosts are attempting to break into your system. It also determines which user accounts are being targeted and keeps track of the frequency of attempts from each host. Offending hosts are written to /etc/hosts.deny; note that OpenSSH dropped TCP Wrappers (libwrap) support in version 6.7, so on current releases a hosts.deny entry only takes effect if something else (a wrapper such as tcpd, or a firewall action) enforces it.

iptables
You can use iptables to make sure the sshd port is reachable only from the source addresses that need it (for example an administration network or a VPN range), and only when it should be. It is very flexible, and every other firewall-based method on this page builds on it.

sshdfilter
sshdfilter executes sshd itself, so blocks can be initiated instantly (the program constantly monitors the log messages sshd produces). It also logs all attempts, and a supplied Logwatch script can give you periodic summaries. If it detects an attack (by default, one attempt to log in with an invalid username, or three attempts to log in with a valid username), it creates an iptables rule that blocks the attacker's IP address from connecting to the sshd port.

fail2ban
Fail2ban scans authentication log files and blocks incoming connections from IP addresses that cause too many authentication failures within a configurable time window. It does so by updating firewall rules or hosts.deny (the latter only helps where TCP Wrappers are still in the path to sshd).
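To make the counting that DenyHosts, fail2ban and sshdfilter perform concrete, here is an added example written for this article (not code from any of those projects). It parses constructed sshd log lines, aggregates failures per source host and per targeted account, and applies two assumed block policies: N failures inside a time window (the fail2ban idea) or a single attempt against a non-existent account (sshdfilter's default). The addresses, timestamps and thresholds are all constructed for the demo.

```python
"""Per-host analysis of sshd authentication failures, in the spirit of
DenyHosts, fail2ban and sshdfilter.

Added example for this article; not code from any of those projects.
The log lines are constructed (RFC 5737 documentation addresses) and the
thresholds are assumptions chosen for the demo.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in /var/log/auth.log style; no real traffic.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:00:03 host sshd[2103]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Mar  3 10:00:04 host sshd[2105]: Failed password for root from 203.0.113.5 port 51244 ssh2
Mar  3 10:00:06 host sshd[2107]: Failed password for root from 203.0.113.5 port 51250 ssh2
Mar  3 10:00:09 host sshd[2110]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Mar  3 10:00:15 host sshd[2112]: Accepted publickey for alice from 198.51.100.7 port 40004 ssh2: ED25519 SHA256:constructed
Mar  3 10:05:00 host sshd[2130]: Invalid user test from 192.0.2.9 port 33001
Mar  3 10:05:01 host sshd[2130]: Failed password for invalid user test from 192.0.2.9 port 33001 ssh2
Mar  3 11:30:00 host sshd[2200]: Failed password for bob from 192.0.2.9 port 33010 ssh2
"""

# Only lines recording a failed authentication match. Accepted logins and the
# separate "Invalid user ... from ..." notice do not, so each attempt counts once.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Yield (timestamp, ip, user, invalid_user) for every failed login line.

    syslog timestamps carry no year, so one is assumed (2024 for the demo)."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"], m["invalid"] is not None


def summarize_failures(log_text):
    """Aggregate failures per source host: count, targeted accounts, timestamps."""
    stats = defaultdict(lambda: {"failures": 0, "users": Counter(),
                                 "invalid_users": set(), "times": []})
    for ts, ip, user, invalid in parse_failures(log_text):
        s = stats[ip]
        s["failures"] += 1
        s["users"][user] += 1
        s["times"].append(ts)
        if invalid:
            s["invalid_users"].add(user)
    return dict(stats)


def _burst_within(times, count, window_seconds):
    """True if any `count` consecutive failures fall inside window_seconds."""
    times = sorted(times)
    return any(
        (times[i + count - 1] - times[i]).total_seconds() <= window_seconds
        for i in range(len(times) - count + 1)
    )


def decide_blocks(stats, max_failures=3, window_seconds=600,
                  block_on_invalid_user=False):
    """Return {ip: reason} for hosts that meet the (assumed) block policy.

    The default mirrors the fail2ban idea of N failures inside a find-time
    window; block_on_invalid_user=True mirrors sshdfilter's default of
    blocking after a single attempt on a non-existent account."""
    blocked = {}
    for ip, s in stats.items():
        if block_on_invalid_user and s["invalid_users"]:
            blocked[ip] = "tried non-existent account(s): " + ", ".join(sorted(s["invalid_users"]))
        elif _burst_within(s["times"], max_failures, window_seconds):
            blocked[ip] = f"{max_failures}+ failures within {window_seconds}s"
    return blocked


if __name__ == "__main__":
    stats = summarize_failures(SAMPLE_LOG)
    for ip, reason in decide_blocks(stats).items():
        print(f"block {ip}: {reason}; accounts tried: {dict(stats[ip]['users'])}")
```

With the sample, only 203.0.113.5 (four failures in five seconds, two of them against accounts that do not exist) crosses the window threshold; 192.0.2.9 is only caught by the sshdfilter-style invalid-user rule, and the host that failed once and then logged in with a key is left alone. The real tools add what this omits: a ban duration, an allow-list for your own addresses, and the firewall action itself.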

Use Public Key Authentication
Public key authentication is practically impossible to brute force in any reasonable amount of time. Using it and disabling password authentication (PasswordAuthentication no in /etc/ssh/sshd_config) significantly increases security. Two caveats: install and test your key before turning passwords off, or you will lock yourself out; and if sshd uses PAM, keyboard-interactive authentication can still prompt for a password unless it is disabled as well (KbdInteractiveAuthentication no; ChallengeResponseAuthentication no on older releases). More information about setting up public key authentication can be found here.

Changing the listen port
By default OpenSSH listens on port 22, and many automated attack tools only try that port. You can change the listen port with the "Port" directive in /etc/ssh/sshd_config. The disadvantage is that you have to specify the port every time you connect (a Host entry with a Port line in ~/.ssh/config saves the typing). Also note that many attack tools scan the entire port range and will therefore find your server, so this method only reduces log noise, is of limited use on its own, and is best combined with other methods.
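The two sshd_config changes above are easy to get subtly wrong (a later Match block or a PAM keyboard-interactive prompt can undo them), so here is an added example for this article, not part of OpenSSH, that parses an sshd_config the way sshd does and reports where a constructed weak configuration departs from the settings recommended here, next to a constructed hardened one. The parsing rules modelled are real sshd behaviour: keywords are case-insensitive, the first occurrence of a keyword wins, Port, ListenAddress and HostKey may repeat, lines after a Match directive apply only to matching connections, and ChallengeResponseAuthentication is an alias of KbdInteractiveAuthentication (as in OpenSSH 8.7 and later). The value comparison is case-insensitive for simplicity, which is an assumption of the example.

```python
"""Audit the global section (and Match blocks) of an sshd_config for the
settings this article recommends: public-key-only authentication and a
non-default listen port.

Added example for this article, not part of OpenSSH. Both configurations
below are constructed.
"""
import re

WEAK_CONFIG = """\
# constructed: a stock-looking configuration
Port 22
#PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

HARDENED_CONFIG = """\
# constructed: hardened per this article
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes

# A Match block quietly re-enables passwords for one account.
Match User backup
    PasswordAuthentication yes
"""

REPEATABLE = {"port", "listenaddress", "hostkey"}   # keywords sshd accumulates
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes",
            "kbdinteractiveauthentication": "yes"}   # sshd defaults when unset

# (keyword, value this article wants, why)
CHECKS = [
    ("passwordauthentication", "no",
     "passwords can be guessed; keys cannot in practice"),
    ("pubkeyauthentication", "yes",
     "must stay on once passwords are off"),
    ("kbdinteractiveauthentication", "no",
     "PAM keyboard-interactive can still prompt for a password otherwise"),
]


def parse_sshd_config(text):
    """Return (global_settings, match_blocks) with lower-cased keywords.

    match_blocks is a list of (criteria, settings) in file order."""
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments (values containing '#' not handled)
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1] if len(parts) > 1 else ""
        if key == "match":
            current = {}                       # following lines belong to this block
            match_blocks.append((value, current))
        elif key in REPEATABLE:
            current.setdefault(key, []).append(value)
        else:
            current.setdefault(key, value)     # first occurrence wins
    return global_settings, match_blocks


def audit(text):
    """Return (where, current, recommended, why) findings; empty means clean."""
    g, matches = parse_sshd_config(text)
    findings = []
    for key, want, why in CHECKS:
        have = g.get(key, DEFAULTS[key])
        if have.lower() != want:
            findings.append((key, have, want, why))
    ports = g.get("port", ["22"])              # sshd listens on 22 when unset
    if "22" in ports:
        findings.append(("port", ",".join(ports), "a non-default port",
                         "cuts automated noise; not a control on its own"))
    for criteria, settings in matches:         # conditional overrides of audited keywords
        for key, want, why in CHECKS:
            if key in settings and settings[key].lower() != want:
                findings.append((f"Match {criteria}: {key}", settings[key], want,
                                 "re-enabled for connections matching this block"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for where, have, want, why in findings:
            print(f"  {where}: {have!r} -> {want} ({why})")
```

The weak file yields three findings (passwords on, keyboard-interactive on through the old ChallengeResponseAuthentication name, port 22); the hardened file is clean globally but the audit still flags the Match block that re-enables passwords for one user. After editing the real file, run sshd -t to have sshd validate the syntax, and keep an existing session open until you have confirmed that key login works from a second one.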

Port Knocking
Port knocking prevents anyone from connecting to the server unless they know the right knock. This works by setting your firewall to deny all connections to the OpenSSH port (normally 22) by default. When somebody sends the right "knock" (a predefined sequence of connection attempts to closed ports), the firewall is automatically changed to allow that source address to connect. Note that they still need the correct authentication credentials to log in; the knock only hides the service, it does not replace authentication.

Rate Limit New Connections
You can use the following iptables rules to reset new connections from a source address that has opened more than a certain number of connections within a minute. With --hitcount 2, the second new connection from the same address within 60 seconds is reset; raise the count for more headroom. Both rules must match NEW connections only, since matching ESTABLISHED packets would reset sessions already in progress. This won't prevent brute force attacks, but it can slow them down.

iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 -j REJECT --reject-with tcp-reset

sshguard
Rate limiting and simple per-host blocking of this kind are both insufficient and harmful. They are insufficient because attackers are home free as long as they keep their attempts just below the rate the firewall enforces; logs are still spoiled by huge volumes of irrelevant entries; and no history is kept for responding to exceptionally persistent attackers. They are harmful because they degrade the quality of service for legitimate users, who are subject to the same restrictive policies meant to thwart attackers. For example, many frequent SSH connections are common when SSH is used as a tunnel for transferring or synchronizing files, and the problem is even bigger with services like IMAP or HTTP, where multiple parallel connections are ordinary. sshguard aims to stop attacks securely while remaining transparent to legitimate users.

Turn on the SSH Daemon from PHP
You can leave sshd disabled by default (not running at all) and start it on demand from a web interface, for example a PHP page. The web interface then becomes the part that must be protected: serve it over HTTPS, require authentication, and give the script that starts sshd only the narrow privilege it needs (for example a single sudo rule) rather than running the web server with extra rights. Remember to stop sshd again when it is no longer needed, otherwise this degenerates into an always-on server.