How to protect a Linux system from brute force attacks

The most common type of attack on Linux servers are performed by script kiddies.

They have computers running that continuously scans the internet to find open  ports. They use a combination of PING, SSH, and mail scanning tools to find password vulnerabilities. Mostly SSH is attacked because the payload is huge. However, postfix-sasl and Dovecot (ie. SMTP and POP3/IMAP) ports are also frequently scanned.

There is no magic bullet for server security, but there are great tools to get you started and small things that you can do to protect a system. AWS goes as far to block PING by default. We like this idea but it can be hard to do performance and uptime testing.

The scrip kiddies try to find open ports, normally port 22, then they start sending a combination of well known usernames and passwords to the server until they get in. This is called a dictionary attack. They often the same technique for SMTP and POP/IMAP. Our course the SMTP and POP/IMAP ports are scanned so that they can send spam.

This type of attack is called a “brute force” attack and is extremely common. Go ahead, launch a new server with a public IP address on the internet, with minutes you will see attackers (script kiddies) trying to get in.

You can load something like “denyhosts” which is awesome, or you can just change port 22 to something else. Our all time favourite blocking software is called Fail2Ban which has beautiful integration with Webmin and Webmin Statistics.

For now let’s show you how to do change the SSH port from 22 to something else on CentOS 7:

ssh root@server
cd /etc/ssh

Now edit the config file:

vi sshd_config

VI is difficult to use, but if you just remember i for insert, “arrows” to move around, escape to escape from insert mode, and :wq! to save and quit, you can work it mostly.

In the sshd_config file Port 22 might be commented out, ie. #Port 22. Remember to remove the #
Change 22 to something else and do :wq!

The alternative is fail2ban. Fail2ban is totally incredible because it does what Denyhosts does but includes a huge amount more. The great thing about fail2ban is it’s integration with Webmin so administration is a breeze.

If you decide to use Fail2ban, be sure to fine tune your settings, the default of 5 incorrect attempts, 600 seconds before taking action, and 600 seconds of banning might not be enough to deter aggressive scripts. Hackers are clever so they space their attempts out more than 10 minutes because they know you might be using automated software to block them.

Happy hunting!

Share this article

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to Top