While reading the Linux logs, I found a password cracking attempt. SSH password cracking is a brute-force attack in which the attacker guesses SSH usernames and passwords, typically with a tool or script that tries every entry of a dictionary file (a word list) against the accounts on the server.
Attackers use this technique to gain unauthorized access, after which they can read sensitive data or perform other malicious activity on the system.
Because strong passwords were configured, the attacker was unsuccessful, at least for now.
To counter SSH password cracking attacks, the following measures can be taken:
- Use a log-based intrusion prevention tool such as fail2ban to detect brute-force attempts and block the attacker's IP address in the firewall.
- Switch SSH to public key authentication and disable password authentication, so that guessing a password gains nothing.
fail2ban#
Introduction#
fail2ban is an open-source intrusion prevention tool that protects services by watching their log files. It scans the logs with per-service regular-expression filters, counts authentication failures per source IP address, and, once a source exceeds a threshold, bans that address for a configurable period by inserting a firewall rule (iptables, nftables or firewalld, depending on the configured action).
The main functions of fail2ban include:
- Prevention of brute force attacks: fail2ban ships filters for sshd, FTP, SMTP, POP3/IMAP, web servers and many other services. Once a source address exceeds the configured number of failures, it is blocked in the firewall for the ban time.
- Limited protection against request floods: fail2ban does not inspect network traffic, it only reads logs. It can therefore rate-limit abusive clients that a service logs (for example repeated 4xx responses or login failures against a web application), but it is not a defence against volumetric DDoS, which has to be handled upstream.
- Near real-time monitoring: fail2ban follows log files (or the systemd journal) as they are written and applies its rules to each new line, so a new attack is blocked within seconds of the failures being logged, and alert actions such as e-mail notification can be triggered as well.
- Log analysis support: the fail2ban-regex tool lets an administrator test a filter against a log file and see exactly which lines match, which is useful both for tuning filters and for quantifying an attack after the fact.
In summary, fail2ban helps administrators protect their systems from malicious attacks and unauthorized access.
Operation#
fail2ban implements the first of these measures. The steps are:
- Install fail2ban, using CentOS as an example:
sudo yum install epel-release -y
sudo yum install fail2ban -y
- Edit the fail2ban configuration file:
sudo vi /etc/fail2ban/jail.local
Add the following content:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/secure
maxretry = 3
bantime = 86400
This configuration enables the sshd jail: fail2ban follows /var/log/secure (where CentOS's rsyslog writes sshd messages) and bans any IP address that fails to log in 3 times within the findtime window (10 minutes by default, adjustable with findtime) for 86400 seconds, i.e. 24 hours. If the system logs only to the systemd journal and /var/log/secure does not exist, set backend = systemd in the jail instead of relying on logpath.
- Start the fail2ban service:
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Now an IP address that fails to log in 3 times within the findtime window is banned for 24 hours. To change the retry count or the ban time, edit the values above and restart the fail2ban service; after the restart, check the jail's status to confirm it is running and to see the addresses currently banned.
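As an added illustration (not part of the original article and not fail2ban's own code), the following Python script replays the jail semantics configured above over a constructed sample of /var/log/secure lines: a sliding findtime window, maxretry failures, a bantime ban, and a reduced version of the sshd filter's failure patterns. The host name, addresses, PIDs and the year 2024 are invented for the sample.

```python
"""Replay a fail2ban-style sshd jail over log lines (added example)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of /var/log/secure lines in rsyslog format (no year).
SAMPLE_SECURE_LOG = """\
Mar 10 08:00:01 web01 sshd[2311]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar 10 08:00:03 web01 sshd[2313]: Failed password for root from 203.0.113.45 port 51236 ssh2
Mar 10 08:00:04 web01 sshd[2315]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Mar 10 08:00:05 web01 sshd[2317]: Failed password for invalid user oracle from 203.0.113.45 port 51240 ssh2
Mar 10 08:00:06 web01 sshd[2319]: Failed password for root from 203.0.113.45 port 51242 ssh2
Mar 10 08:15:00 web01 sshd[2401]: Failed password for alice from 198.51.100.7 port 40100 ssh2
Mar 10 08:30:00 web01 sshd[2455]: Failed password for alice from 198.51.100.7 port 40101 ssh2
Mar 10 08:45:00 web01 sshd[2490]: Failed password for alice from 198.51.100.7 port 40102 ssh2
"""
LOG_YEAR = 2024  # syslog timestamps carry no year; assumed for the sample

# Reduced version of the failure patterns in fail2ban's filter.d/sshd.conf.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed (?:password|publickey) for (?:invalid user )?\S+|Invalid user \S+)"
    r" from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


@dataclass
class Ban:
    ip: str
    banned_at: datetime
    expires: datetime


def parse_failure(line):
    """Return (timestamp, source ip) for a failed-login line, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return ts, m.group("ip")


def evaluate_jail(lines, maxretry=3, findtime=600, bantime=86400):
    """Apply the jail.local semantics from the article: ban a source once it
    has maxretry failures inside a sliding findtime window (seconds), for
    bantime seconds. Failures arriving while a ban is active are ignored,
    since the firewall rule would already have dropped that connection."""
    window = defaultdict(deque)   # ip -> timestamps of recent failures
    active = {}                   # ip -> ban expiry
    bans = []
    for line in lines:
        event = parse_failure(line)
        if event is None:
            continue
        ts, ip = event
        if ip in active and ts < active[ip]:
            continue
        recent = window[ip]
        recent.append(ts)
        while ts - recent[0] > timedelta(seconds=findtime):
            recent.popleft()
        if len(recent) >= maxretry:
            ban = Ban(ip, ts, ts + timedelta(seconds=bantime))
            bans.append(ban)
            active[ip] = ban.expires
            recent.clear()
    return bans


if __name__ == "__main__":
    for b in evaluate_jail(SAMPLE_SECURE_LOG.splitlines()):
        print(f"ban {b.ip} at {b.banned_at:%H:%M:%S} until {b.expires:%Y-%m-%d %H:%M:%S}")
```

Running it bans 203.0.113.45 at 08:00:05 for 24 hours, while 198.51.100.7, which fails only once every 15 minutes, is never banned under the 10-minute default; passing findtime=3600 bans it too, which is the trade-off to keep in mind when tuning a jail. On a real host the equivalent checks are fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf, which shows which lines the shipped filter matches, and fail2ban-client status sshd, which lists the addresses currently banned.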
SSH Public Key Authentication#
Switching SSH authentication from password-based to public key-based authentication has several benefits:
- Increased security: a password can be guessed, so password authentication is exposed to the brute-force attacks seen in the logs. Public key authentication relies on an asymmetric key pair: the private key never leaves the client, the server holds only the public half, and the key space of an Ed25519 or 2048-bit-or-larger RSA key is far beyond anything an online guessing attack can cover. Guessing attempts against the server therefore gain nothing, and a compromised server does not reveal a reusable secret.
- Convenience: once the key is set up, you are not prompted for the account password on each login, and one key pair can be authorized on many servers, so there are no per-server passwords to remember. If the private key is protected by a passphrase, ssh-agent can cache it so it is entered once per session.
Changing SSH Authentication from Password to Public Key Authentication#
To change SSH authentication from password-based to public key-based authentication in CentOS, follow these steps:
- Generate a public/private key pair
First, generate a public/private key pair on your local machine. You can use the following command to generate a public/private key pair:
ssh-keygen
This command prompts for a file name and location for the key files and for an optional passphrase that encrypts the private key on disk (it does not generate the passphrase for you; choose a strong one, because anyone who obtains the file can otherwise use it immediately). By default it creates the private key ~/.ssh/id_rsa and the public key ~/.ssh/id_rsa.pub; ssh-keygen can also generate Ed25519 keys, which are shorter and the current recommendation. Copy only the public key (id_rsa.pub) to the target CentOS server; the private key must stay on your machine.
- Confirm that public key authentication is enabled on the target server
Next, make sure that public key authentication is enabled on the target server. Open the /etc/ssh/sshd_config file and look for the line:
PubkeyAuthentication yes
The option defaults to yes, so the commented-out line #PubkeyAuthentication yes that ships with the file already means it is enabled. You only need to change something if the line has been explicitly set to no.
- Add the public key to the authorized keys file on the target server
Append the contents of your public key file (the single line in id_rsa.pub) to the ~/.ssh/authorized_keys file of the account you will log in as on the target server. If ~/.ssh or ~/.ssh/authorized_keys does not exist, create them. sshd checks ownership and permissions before trusting this file (StrictModes, on by default): the home directory, ~/.ssh and authorized_keys must be owned by that user and must not be writable by group or others. The usual settings are mode 700 for ~/.ssh and 600 for authorized_keys; if they are looser, key logins fail silently and sshd falls back to asking for a password.
- Restart the SSH service
authorized_keys is read fresh on every login, so adding a key needs no restart. If you changed /etc/ssh/sshd_config in the previous step, restart the SSH service to apply the change:
sudo systemctl restart sshd
Now you should be able to connect to the target CentOS server with public key authentication without entering the account password. Verify this from a new terminal before going on to disable password authentication, so that a mistake cannot lock you out.
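Added example, not from the original article: the Python script below performs the two checks that explain most "it still asks for a password" failures at this step. It validates each line of a constructed authorized_keys file (key type, base64 blob, and that the type embedded in the blob matches the label) and applies sshd's StrictModes ownership and permission rules to a temporary home directory. The sample keys are all-zero dummy blobs, not real keys, and the file contents and comments are invented.

```python
"""Check ~/.ssh the way sshd does before it trusts authorized_keys (added example)."""
import base64
import os
import stat
import tempfile

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _blob(ktype, key_bytes):
    """Build the wire-format public key blob: string(type) string(key)."""
    body = len(ktype).to_bytes(4, "big") + ktype.encode()
    body += len(key_bytes).to_bytes(4, "big") + key_bytes
    return base64.b64encode(body).decode()


# Constructed authorized_keys; the key material is all zeros, not a real key.
GOOD = "ssh-ed25519 " + _blob("ssh-ed25519", bytes(32)) + " deploy@laptop"
SAMPLE_AUTHORIZED_KEYS = f"""\
# constructed sample
{GOOD}
from="198.51.100.0/24" {GOOD}
ssh-ed25519 {_blob("ssh-ed25519", bytes(32))[:-3]} truncated@paste
ssh-rsa {_blob("ssh-ed25519", bytes(32))} mislabelled@paste
"""


def check_authorized_keys_text(text):
    """Return (accepted keys, problems). Options before the key type (e.g.
    from="...") are allowed; quoted options containing spaces are not parsed."""
    keys, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            problems.append(f"line {n}: no recognised key type")
            continue
        ktype, b64 = fields[idx], fields[idx + 1]
        try:
            blob = base64.b64decode(b64, validate=True)
            tlen = int.from_bytes(blob[:4], "big")
            embedded = blob[4:4 + tlen].decode()
        except (ValueError, UnicodeDecodeError):
            problems.append(f"line {n}: key blob is not valid base64 (truncated paste?)")
            continue
        if embedded != ktype:
            problems.append(f"line {n}: blob is {embedded}, not {ktype}")
            continue
        keys.append((n, ktype))
    return keys, problems


def check_permissions(home):
    """StrictModes rules: home, ~/.ssh and authorized_keys must be owned by
    the user (or root) and must not be writable by group or others."""
    problems = []
    ssh_dir = os.path.join(home, ".ssh")
    for path in (home, ssh_dir, os.path.join(ssh_dir, "authorized_keys")):
        if not os.path.exists(path):
            return problems + [f"{path} is missing"]
        st = os.stat(path)
        if st.st_uid not in (os.getuid(), 0):
            problems.append(f"{path} is not owned by the login user")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{path} is writable by group or others")
    return problems


def demo():
    """Recreate the common mistake (group-writable files), then fix it."""
    with tempfile.TemporaryDirectory() as home:
        ssh_dir = os.path.join(home, ".ssh")
        auth = os.path.join(ssh_dir, "authorized_keys")
        os.mkdir(ssh_dir)
        with open(auth, "w") as fh:
            fh.write(SAMPLE_AUTHORIZED_KEYS)
        os.chmod(ssh_dir, 0o775)
        os.chmod(auth, 0o664)
        before = check_permissions(home)
        os.chmod(ssh_dir, 0o700)   # what the setup above should end with
        os.chmod(auth, 0o600)
        after = check_permissions(home)
        return before, after


if __name__ == "__main__":
    print(check_authorized_keys_text(SAMPLE_AUTHORIZED_KEYS))
    print(demo())
```

The truncated and mislabelled lines are the typical result of pasting a key through a terminal that wrapped or altered it; sshd ignores such lines without any client-visible error, so the only symptom is a password prompt. The permission check reports the group-writable directory and file before the fix and nothing after it.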
Disabling SSH Password Authentication and Allowing Only Public Key Authentication#
- Ensure that public key authentication is enabled
First, confirm that public key authentication is enabled, exactly as in the previous section: open /etc/ssh/sshd_config and check that
PubkeyAuthentication yes
is in effect. Because yes is the default, a commented-out line is fine; only an explicit no needs to be changed.
- Disable password authentication
To disable password authentication, set the following line in /etc/ssh/sshd_config (edit the existing entry rather than adding a second one, because sshd uses the first value it sees for each keyword):
PasswordAuthentication no
This disables authentication with the account password. Anyone without an authorized key, including you, will no longer be able to log in over SSH, so keep your current session open and test a new key-based login before closing it. On newer OpenSSH packages (CentOS Stream 9 and later) the first line of sshd_config includes /etc/ssh/sshd_config.d/*.conf, and a drop-in file there that says PasswordAuthentication yes silently wins over your edit, so check that directory too.
- Restart the SSH service
After completing the above steps, restart the SSH service to apply the changes. You can use the following command to restart the SSH service:
sudo systemctl restart sshd
Now the SSH server accepts only public key authentication. A client that offers no acceptable key is refused with Permission denied (publickey); the parenthesised list in that message shows every method the server still accepts, so it is a quick way to confirm that password and keyboard-interactive are gone.
Other sshd_config options#
ChallengeResponseAuthentication#
ChallengeResponseAuthentication (renamed KbdInteractiveAuthentication in OpenSSH 8.7; the old name is still accepted as an alias) controls the keyboard-interactive method. On Linux this method is handed to PAM, and with UsePAM yes PAM checks the same account password. If it is left at yes, a client can still log in with a password through keyboard-interactive even though PasswordAuthentication is no, so the brute-force attack is only half closed. Set it to no as well:
ChallengeResponseAuthentication no
CentOS's shipped sshd_config already contains this line; confirm it has not been changed.
MaxAuthTries#
MaxAuthTries is a parameter in the sshd_config file that sets the maximum number of authentication attempts permitted per connection. The default is 6: once a connection has accumulated that many failures, sshd drops it, and once failures exceed half the limit they are logged. Every method counts, including each public key the client offers, so a user whose agent holds many keys can hit the limit before their password is ever asked for.
The parameter limits how much guessing one TCP connection allows; it does not stop an attacker who simply reconnects, which is why it complements rather than replaces fail2ban. Set too low, users are disconnected after a couple of typos (they can reconnect, it is not a lockout); set too high, each connection gives a brute-force tool more guesses.
You can change the value of MaxAuthTries according to your needs. If brute-force attempts are your concern, lower it to 3 or 4; if you have a strong password policy and want to spare users from being disconnected after input errors, 10 or more is acceptable.
Note that after modifying the value of MaxAuthTries, you need to restart the ssh service for the change to take effect. You can use the following command:
sudo systemctl restart sshd
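Added example for the two preceding sections (disabling password authentication, and the ChallengeResponseAuthentication and MaxAuthTries options); it is not part of the original article or of OpenSSH. The Python script resolves the effective value of those options from a constructed sshd_config the way sshd does (first occurrence wins, with Include splicing drop-in files in sorted order at the point of the directive), then reports the options that would still let a password through. The drop-in file names and contents are hypothetical, and Match blocks are not modelled.

```python
"""Resolve effective sshd_config values the way sshd does (added example)."""
import fnmatch
import re

# Constructed /etc/ssh/sshd_config after the edits described in this article.
MAIN_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
Port 22
#PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 4
"""

# Constructed drop-in files with hypothetical names. The first imitates a
# provisioning tool that re-enables passwords behind the administrator's back.
DROPINS = {
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
    "/etc/ssh/sshd_config.d/50-redhat.conf": "ChallengeResponseAuthentication no\nUsePAM yes\n",
}

# Compiled-in sshd defaults for the options this article discusses.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "maxauthtries": "6",
}
# Pre-OpenSSH-8.7 spelling, still accepted as an alias.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
# 'Keyword value', 'Keyword=value' or 'Keyword = value'; keywords are case-insensitive.
DIRECTIVE_RE = re.compile(r"^(\w+)\s*=?\s*(.*)$")


def _directives(text):
    """Yield (keyword, value) pairs, skipping blank lines and comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2).strip()


def effective_settings(main_text, files):
    """First occurrence of a keyword wins. Include splices the files matching
    its glob, in sorted order, at the point where the directive appears, so
    a drop-in included at the top of sshd_config overrides anything below.
    Match blocks are not modelled."""
    found = {}

    def walk(text):
        for key, value in _directives(text):
            if key == "include":
                for path in sorted(p for p in files if fnmatch.fnmatch(p, value)):
                    walk(files[path])
                continue
            found.setdefault(ALIASES.get(key, key), value)

    walk(main_text)
    return {k: found.get(k, default) for k, default in DEFAULTS.items()}


def audit(settings):
    """Findings for the options that matter against password brute force."""
    findings = []
    if settings["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is not yes; key logins would fail")
    if settings["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is still yes")
    if settings["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication is yes; PAM can still accept passwords")
    return findings


def hardened_dropins():
    """Fix used in the demo: a drop-in that sorts before the others (hypothetical name)."""
    fixed = dict(DROPINS)
    fixed["/etc/ssh/sshd_config.d/00-hardening.conf"] = "PasswordAuthentication no\n"
    return fixed


if __name__ == "__main__":
    current = effective_settings(MAIN_CONFIG, DROPINS)
    print(current, audit(current))
    print(audit(effective_settings(MAIN_CONFIG, hardened_dropins())))
```

In the sample, the administrator's PasswordAuthentication no in the main file loses to a drop-in that sets it to yes, because the Include comes first; the fix is a drop-in that sorts before the others, as hardened_dropins shows. On the real host the authoritative check is sshd -T, which prints the effective configuration after all includes and aliases are resolved, and sshd -t validates the files before a restart.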