How Can You Protect Yourself?

The only winning move is not to play.

So... What can you do to protect yourself? There is no single thing you can do, other than turning off ssh, that protects you completely, so it's all about "Defense in Depth". This is a layering approach of preventive measures so that if one layer fails, the next layer stops them.

1) Don't play the game! If you don't have to ssh into a server (which probably means a Linux server running at home), then disable ssh. If you're not running ssh, then they can't attack you.

2) If you have to run ssh, and there are only a few people logging into it, then run ssh on a different port. This obviously won't work if you have more than 2 or 3 people logging into the box as somebody will forget what port to use and will raise a ruckus. As can be seen at Port 2222 ssh attack analysis, the bad guys rarely attack ports other than port 22.

3) No matter what, don't allow root to ssh into your server. Make sure your /etc/ssh/sshd_config has "PermitRootLogin no" set.

4) ssh is "tcpwrappers" aware. That means you can use the files /etc/hosts.allow and /etc/hosts.deny to tell ssh to accept only inbound ssh connections from certain hosts, and then deny all other inbound connections.

5) If you can't use hosts.allow and hosts.deny to restrict inbound ssh to known hosts, then you can install software on your server to actively block inbound ssh attempts that appear to be attacks. Two of the most popular are DenyHosts and Fail2Ban. Both of these still use hosts.deny to block inbound ssh from known "bad hosts".
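To make items 2, 3 and 5 concrete, here is an added example (not part of the original LongTail page) that does two small checks a defender would run on a box: it audits an sshd_config excerpt for PermitRootLogin and the default port, and it counts failed password attempts per source IP in OpenSSH log lines, which is the core of what DenyHosts and Fail2Ban do before writing to hosts.deny. The config text and log lines are constructed samples using documentation IP ranges, and the threshold of 3 is an arbitrary choice for illustration.

```python
import re
from collections import Counter

# Constructed sshd_config excerpt (not from a real host). The commented-out
# directive must be ignored; the uncommented "yes" is the real setting.
SAMPLE_SSHD_CONFIG = """\
# sshd_config excerpt (constructed sample)
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
"""

# Constructed auth.log lines in OpenSSH's syslog format, documentation IPs only.
SAMPLE_AUTH_LOG = """\
Jan  5 10:01:02 host sshd[1001]: Failed password for root from 203.0.113.7 port 51000 ssh2
Jan  5 10:01:04 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Jan  5 10:01:06 host sshd[1003]: Failed password for invalid user test from 203.0.113.7 port 51004 ssh2
Jan  5 10:01:10 host sshd[1004]: Failed password for root from 203.0.113.7 port 51006 ssh2
Jan  5 10:02:00 host sshd[1005]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Jan  5 10:02:30 host sshd[1006]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
"""

# Matches both "Failed password for root from ..." and "... for invalid user admin from ..."
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")

def audit_sshd_config(text):
    """Return findings for the PermitRootLogin and Port items of the list above."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "permitrootlogin" and value.lower() != "no":
            findings.append(f"PermitRootLogin is '{value}', should be 'no'")
        elif key == "port" and value == "22":
            findings.append("sshd listens on the default port 22")
    return findings

def find_brute_force_sources(log_text, threshold=3):
    """Count failed password attempts per source IP; return {ip: count} at or over threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

On the sample data the audit reports both weak settings and only 203.0.113.7 crosses the threshold; the legitimate user's single failure followed by a key-based login is left alone.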

6) If you have "enough" hosts, then you should probably purchase an Intrusion Prevention System.

7) Don't use stupid passwords. Passwords like "password", "admin", and "123456" and their assorted variations are the top passwords that ssh brute force attacks try.

8) Longer passwords are better than shorter passwords. As can be seen on Password Analysis of Today's Passwords, 91 percent of the passwords they tried were 12 characters or less.

9) Don't keep the default passwords for any software you install. Looking at Google for the passwords tried shows that many of them are default passwords for one piece of software or another.

10) Don't keep the default passwords for any hardware (including routers). They keep trying "admin" accounts with the password "admin" which was a default for older home routers.


LongTail Copyright 2015 by Eric Wedaa, under GPLV2