What is SSH Attack and How to Protect Your Website

Cmatrix software for Linux

In this post, I will demonstrate how an SSH attack works and how to protect your server from it.

An SSH attack, by definition, is an attempt to gain access to an internal server over the local network or the internet. The person trying to access the server may have many intentions, such as stealing vital data, destroying the server, or demanding money to restore the data on it.

SSH brute force is one of many types of SSH attack. It is a username and password guessing mechanism used to gain access to accounts that are allowed to log in over the secure shell. On the internet, servers expose their default SSH port (22) to the public and use common usernames and passwords, either for access convenience or through lack of expertise in information technology. If the attack is successful, the hacker may gain root access to the machine, harvest data, destroy the machine and/or install an SSH brute-force bot to attack other local servers or online servers.
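The guessing pattern described above leaves a clear trail in the OpenSSH log. The following script is an added example, not part of the original post: it pulls the sources of repeated "Failed password" lines out of an auth log and flags any source that failed and then got in with a password. The log lines are constructed for the demo, and the path /var/log/auth.log is assumed for Debian.

```shell
#!/bin/sh
# Added example (not part of the original post): find SSH brute-force
# activity in OpenSSH auth logs (/var/log/auth.log on Debian). The log
# lines below are constructed for the demo; the source addresses come
# from the RFC 5737 documentation ranges.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:02 jessy sshd[1012]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Mar  3 10:01:05 jessy sshd[1012]: Failed password for invalid user oracle from 203.0.113.45 port 51130 ssh2
Mar  3 10:01:07 jessy sshd[1015]: Failed password for root from 203.0.113.45 port 51141 ssh2
Mar  3 10:01:09 jessy sshd[1018]: Failed password for root from 203.0.113.45 port 51150 ssh2
Mar  3 10:02:11 jessy sshd[1022]: Accepted publickey for dorango from 10.128.0.5 port 40022 ssh2: RSA SHA256:placeholder
Mar  3 10:03:40 jessy sshd[1030]: Failed password for dorango from 198.51.100.7 port 60100 ssh2
Mar  3 10:03:44 jessy sshd[1030]: Accepted password for dorango from 198.51.100.7 port 60100 ssh2
EOF

# Print "<ip> <failures>" for every source with at least $2 failed
# password attempts: the signature of a guessing run.
brute_force_sources() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= min) print ip, fails[ip] }
    ' "$1" | sort
}

# Print sources that failed at least once and were then accepted with a
# password: a guess that may have succeeded and deserves a closer look.
guessed_passwords() {
    awk '
        /sshd\[[0-9]+\]: (Failed|Accepted) password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if ($0 ~ /Failed password/) fails[ip]++
            else if (fails[ip] > 0 && !(ip in seen)) { seen[ip] = 1; print ip }
        }
    ' "$1"
}

brute_force_sources "$SAMPLE_LOG" 3   # 203.0.113.45 4
guessed_passwords "$SAMPLE_LOG"       # 198.51.100.7
```

Run it against the real log with `brute_force_sources /var/log/auth.log 10`; key-based logins never produce "password" lines, so once password login is disabled (below) any hit from guessed_passwords is worth investigating.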

How to Protect Your Server from SSH Attacks?

Here is a list of ways to protect your server from SSH attacks.

Update Your Server

Yes, updating your server to the latest version is one of the key factors in preventing SSH attacks, especially if you are dealing with an out-of-date server operating system. You need to update the SSH server as well.

On a Debian distro, use the following command to update your server to the latest version:-

me@jessy# apt-get update && apt-get upgrade -y

Change OpenSSH port number

Head to the /etc/ssh directory:-

# cd /etc/ssh

Open the OpenSSH configuration, but before that, make a backup:-

# cp sshd_config sshd_config.backup

Then open sshd_config with your desired editor; I prefer Vim:-

# vi sshd_config

Change the following lines:-

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

To

Port 842
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

Change the port number according to what you need; I chose 842, but it is up to you. Then restart the OpenSSH service:-

me@wheezy# service ssh restart

Use VPN (Virtual Private Network)

This is one of many solutions available to mitigate SSH attacks once and for all: use a VPN.

Client (YOU) -----> VPN Server (Gateway) <----> (Local Network) <----> ( Your Server )
Local IP  | 10.128.0.5 | | 10.128.0.1/24 | | 10.128.0.10 |
Public IP | Something  | |               | | Something   |

Edit the following configuration so that SSH is reachable only from the local network. To find the server's static IP on that network, use the ifconfig command and read the local IPv4 address.

me@wheezy $ ifconfig
ens4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1460
inet 10.128.0.10 netmask 255.255.255.255 broadcast 0.0.0.0
inet6 fe80::4001:aff:fe80:2 prefixlen 64 scopeid 0x20<link>
ether 42:01:0a:80:00:02 txqueuelen 1000 (Ethernet)
RX packets 1841401 bytes 279033542 (279.0 MB)
RX errors 0 dropped 0 overruns 0 frame 551261
TX packets 3925046 bytes 541319731 (541.3 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 26850 bytes 10265384 (10.2 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 26850 bytes 10265384 (10.2 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

In sshd_config, change the following:-

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

To

#Port 22
#AddressFamily any
ListenAddress 10.128.0.10
#ListenAddress ::

Then restart the SSH server.

You can find many VPN solutions; one of them is openvpn-install.

Disable Password login on OpenSSH and Use SSH key Instead

Before disabling it, generate your default SSH key on your computer. It is very simple; if you are using a Linux distribution, run the following command:-

$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ploto/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/ploto/.ssh/id_rsa.
Your public key has been saved in /home/ploto/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:OCpNlym9v5pnkE3p6SytfagnWzpVQKFq3iw+o/WLXf0 ploto@someserver
The key's randomart image is:
+---[RSA 2048]----+
|       .o.       |
|       ..        |
|      .  o       |
|     o +o .      |
|    = B=So       |
|   = *oo=.       |
|  . * +*o..      |
|   +o=+BO ..     |
|  ..oo@&+o  E    |
+----[SHA256]-----+

If you are using Windows, you can use the PuTTY Key Generator from the Start menu, or download it from the PuTTY official website.

Then copy that key to your server:-

$ ssh-copy-id dorango@my-server
dorango@my-server's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'dorango@my-server'"
and check to make sure that only the key(s) you wanted were added.

Then open sshd_config and edit the following lines:-

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

To

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

Then restart your OpenSSH server.
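The three sshd_config edits above (Port in the port section, ListenAddress in the VPN section, PasswordAuthentication here) are the same operation: turn a commented default into an active directive. The script below is an added example, not the post's own, that applies them with a POSIX sh function instead of by hand, keeps a backup, and checks the result with sshd's own parser before anything is restarted. It assumes a Debian-style sshd_config and that the sshd -t step runs as root on the real host; the rehearsal at the bottom runs on a constructed copy.

```shell
#!/bin/sh
# Added example (not from the original post): apply the sshd_config edits
# above (Port, ListenAddress, PasswordAuthentication) with a script, then
# validate with sshd's own parser before restarting. The config path is a
# parameter so the change can be rehearsed on a copy first.

# Set "key value" in $1, replacing the first active ("Port 22") or commented
# ("#Port 22") occurrence of the directive, or appending it if absent.
# The backup is written once, so the pristine file survives repeated edits.
set_sshd_directive() {
    cfg=$1 key=$2 value=$3
    [ -f "$cfg.backup" ] || cp "$cfg" "$cfg.backup" || return 1
    awk -v k="$key" -v v="$value" '
        !done && $0 ~ "^[ \t]*#?[ \t]*" k "([ \t]|$)" { print k " " v; done = 1; next }
        { print }
        END { if (!done) print k " " v }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Print the value sshd will actually use for a directive: sshd takes the
# first active (uncommented) occurrence, so that is what we read.
active_directive() {
    awk -v k="$1" '$1 == k { print $2; exit }' "$2"
}

# Syntax-check the file with sshd before the service is restarted, so a typo
# cannot lock you out; restores the backup if sshd rejects it. Needs root,
# because sshd -t also loads the host keys named in the config.
validate_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1" || { cp "$1.backup" "$1"; return 1; }
    fi
}

# Rehearsal on a constructed copy of the stock Debian defaults.
cfg=$(mktemp)
printf '%s\n' '#Port 22' '#AddressFamily any' '#ListenAddress 0.0.0.0' \
    '#ListenAddress ::' '#PasswordAuthentication yes' > "$cfg"
set_sshd_directive "$cfg" Port 842
set_sshd_directive "$cfg" ListenAddress 10.128.0.10
set_sshd_directive "$cfg" PasswordAuthentication no
active_directive Port "$cfg"                    # 842
active_directive ListenAddress "$cfg"           # 10.128.0.10
active_directive PasswordAuthentication "$cfg"  # no
# On the real host (as root): set_sshd_directive /etc/ssh/sshd_config Port 842
# followed by: validate_sshd_config /etc/ssh/sshd_config && service ssh restart
```

Keep the existing SSH session open while you restart and log in from a second terminal; if the new port or key login fails, the open session and the .backup file are your way back.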

Disable OpenSSH Internet-Wide

Yes, disable it, and there will be no more SSH brute force. This is the last thing you want to do, right? Yes, because many cloud service providers offer a secure tunnel to your server (VPN, Virtual Private Network), you only need to know your private subnet. Let’s say your cloud local network is 192.168.1.0/16; you can authorize SSH access from this subnet and block internet-wide SSH connections. Change the firewall rule to allow the SSH port only from that address range (this relies on ufw's default incoming policy being deny, and the service name ssh means port 22 here, so if you changed the port earlier, give that port number instead):-

# ufw allow from 192.168.1.0/16 to any port ssh

Disable OpenSSH forever

This is the very last resort, and I don’t recommend it.

# systemctl stop sshd
# systemctl disable sshd
# systemctl mask sshd