There are different solutions. The best one is RSA authentication, which uses public/private keys to authenticate users.
Check this great manual for different approaches (RSA authentication included): http://www.la-samhna.de/library/brutessh.html
I'm using the 3rd solution on my server because I don't want to make it complicated for my non-technical users: using iptables
to limit the number of connections per minute, which makes brute-force attacks inefficient and ineffective.
Here is the solution I'm using:
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
As mentioned here: this will allow three port 22 connections from any given IP address within a 60 second period, and require 60 seconds of no subsequent connection attempts before it will resume allowing connections again. The --rttl option also takes into account the TTL of the datagram when matching packets, so as to endeavour to mitigate against spoofed source addresses.
As stated in the mentioned guide, it's better to use a white list to separate trusted users from these rules:
iptables -N SSH_WHITELIST
then add trusted hosts:
iptables -A SSH_WHITELIST -s $TRUSTED_HOST -m recent --remove --name SSH -j ACCEPT
and after that make the rules:
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
By default, the OpenSSH server logs to the AUTH facility of syslog, at the INFO level. If you want to record more information - such as failed login attempts - you should increase the logging level to VERBOSE.
It's recommended to log more information if you're curious about malicious SSH traffic.
To increase the level, find the following line in your sshd_config:
LogLevel INFO
and change it to this:
LogLevel VERBOSE
Now all the details of SSH login attempts will be saved in your /var/log/auth.log file.
More info at: https://help.ubuntu.com/community/SSH/OpenSSH/Configuring
Best Answer
All login attempts are logged to /var/log/auth.log.
1. Filter for brute-force interactive SSH logins
Open a terminal, and type the below; if it's longer than one page you will be able to scroll up and down; type q to exit:
Here's a real example from one of my VPSs:
2. Look for failed connections (i.e. no login attempted, could be a port scanner, etc.):
Use this command:
Example:
How to reduce failed/brute-force login attempts
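The two filtering steps in the accepted answer (failed interactive logins, then connections that never attempted a login) written as a Python script, added here as an example that is not part of the original answer. The log lines are constructed sample input in /var/log/auth.log format with documentation-range IPs, and the threshold of 4 is an assumption chosen to mirror the --hitcount in the iptables rules from the first answer.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/auth.log lines (syslog format, sshd at LogLevel VERBOSE).
# IPs are from documentation ranges, not real hosts.
SAMPLE_LOG = """\
Mar  3 10:01:02 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:04 vps sshd[1203]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Mar  3 10:01:06 vps sshd[1205]: Failed password for root from 203.0.113.5 port 51250 ssh2
Mar  3 10:01:08 vps sshd[1207]: Failed password for root from 203.0.113.5 port 51260 ssh2
Mar  3 10:02:30 vps sshd[1210]: Did not receive identification string from 198.51.100.9
Mar  3 10:02:31 vps sshd[1211]: Connection closed by 198.51.100.9 port 40000 [preauth]
Mar  3 10:05:00 vps sshd[1220]: Accepted publickey for alice from 192.0.2.10 port 52000 ssh2: RSA SHA256:abc
Mar  3 10:06:00 vps sshd[1222]: Failed password for alice from 192.0.2.10 port 52010 ssh2
"""

# Step 1: an authentication attempt that failed (password or key), valid or invalid user.
FAILED_LOGIN = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
# Step 2: the client disconnected before authenticating (scanner, banner grab, dropped session).
NO_LOGIN = re.compile(
    r"sshd\[\d+\]: (?:Did not receive identification string from|Connection closed by) (?P<ip>[0-9a-fA-F.:]+)"
)


def failed_logins(lines):
    """Return (per-IP count of failed logins, per-IP set of usernames tried)."""
    counts, users = Counter(), defaultdict(set)
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m:
            counts[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
    return counts, users


def failed_connections(lines):
    """Per-IP count of connections that never reached authentication."""
    counts = Counter()
    for line in lines:
        m = NO_LOGIN.search(line)
        if m:
            counts[m["ip"]] += 1
    return counts


def brute_force_sources(lines, threshold=4):
    """IPs with at least `threshold` failed logins, with the usernames they tried (assumed threshold)."""
    counts, users = failed_logins(lines)
    return {ip: sorted(users[ip]) for ip, n in counts.items() if n >= threshold}
```

Run it against the real file with `brute_force_sources(open("/var/log/auth.log"))`; the usernames tried are what distinguish a scripted brute force from a user mistyping their own password.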