How to prevent SSH bruteforce, DOS attacks

[matdzi86]

Hi all,

Looking for a quick advice here - would anyone know if there is a way to prevent/limit number of SSH login attempts similar to the one you can do with IPtables? (let's say to only allow 3 consecutive attempts per minute)

And on the same note - is there an easy rule to control/limit/drop syn packets to prevent DOS type of attacks?

Regards,
Matt

[guest15389]

I don't expose my actual router on SSH, but I run SSH on a non standard port and I use fail2ban on my debian box for all the ports I do expose.

[phoenix]

Hi all,

Looking for a quick advice here - would anyone know if there is a way to prevent/limit number of SSH login attempts similar to the one you can do with IPtables? (let's say to only allow 3 consecutive attempts per minute)

And on the same note - is there an easy rule to control/limit/drop syn packets to prevent DOS type of attacks?

Regards,
Matt

Others will have their own opinion on this but I'd suggest you don't expose anything to the internet other than what is absolutely necessary, if you need to manage any server behind your firewall then use a VPN for access to your LAN.

[fabian]

you can use synproxy state in firewall rules to prevent SYN floods. Limits are possible too (look at the advanced settings in the firewall rules).

I am running SSH on the standard port in the internet on my VPS. I am only limiting the amount of new connections in my nftables configuraton. SSH is set up to reject password logins so all brute force tools are kicked out immediately and if they try to reconnect, they will be stopped by nftables soon.

[rgo]

Like to see a working example of that suggestion because I have the same issue about SSH login attempts and I would love to do something to block the ip address....

[fabian]

This is my nftables rule:
tcp dport ssh limit rate x/minute accept
where x is the amount of allowed connections per minute
If you want, you can add a reject rule with log set after it, which will send violations to journald/syslog and a tool like fail2ban may temorary/permanently block the IP.

[rgo]

I did not see fail2ban in packages or plugins.... how would one go about installing fail2ban if you only have installed opnsense....  If I had installed the normal freebsd OS and some how added opnsense on top of freebsd then I would be using something like sshguard...what I use on my servers that dose a good job at dealing with that stuff... like port scanning and ssh...

I with opnsense had a few simple tools that everyone needs in a section called KISS = keep it simple stupid

1. would be block port scanning
2. would be block ssh / telnet / etc hacking attempts
3. VoIP QOS so you can set 64k or 128k or just put all VoIP traffic at the front of the queue...
4. IPv6 only or IPv4 only or IPv6 & IPv4 config for WAN

That would make this opnsense very useful by a ton of people.  Me personally I like being at the OS Level.  When you are up at the Web Interface level lots of items are stripped to make the config uniform and easy to deal with.  I get that... but presets would go a long way to dealing with simple tasks that almost all need to happen.

[fabian]

We cannot see what happens inside a SSH connection on the firewall because it is encrypted. This is the reason we are having to rely on a proper configured server, which can handle the SSH issues by itself.

[rgo]

If the router is being port scanned or the router is being ssh then the router has access to all the packets since it is the end point.  Their for, opnsense should be able to notice those attacks and block them.  Kind of basic 101 firewalls from ones I have used in the passed.

I have not yet been able to figure out how to make suricata or opnsense block / ban IPv4 & IPv6 address that appear to port scan or try ssh the router in break in attempts.  I would figure this would be a very basic thing that is easy todo.  Have not found a easy solution to this problem with opnsense!

[fabian]

but the router is not the end point of ssh in my understanding of the original post. It is the server behind so it will see a crypto handshake and that was it - no content or at least a login name is visible.

For the anti port scan I would use a default catch all rule which will overload into a table which contains IPs, which are permanently banned. The problem is that this is a bad idea because somebody can spoof source addresses and lock you permanently out. It would be a DoS variant.

[Nnyan]

This is mostly b/c I am trying to learn and understand this stuff better but in part b/c i hope to drop my Cujo security appliance when the subscription ends (I like the automated reports/notifications and how it seems to block things that aren't picked up anywhere else)

https://fzuckerman.wordpress.com/2016/10/09/iptables-firewall-versus-nmap-and-hping3/
https://javapipe.com/iptables-ddos-protection

Alongside of that a friend of mine pointed me to https://secthemall.com  for some automated features.  Seems like these guides would help someone secure against scans of various types.  Just not sure how to implement this if I'm using OPNsense (or even if some/all of this is already being done).

[windozer]

would anyone know if there is a way to prevent...

How To Create SSH Keys With PuTTY to Connect to a VPS | DigitalOcean. This will prevent it.