Hackers are trying to log in to my server. Persistent cusses, they’re jiggling the door handle via SSH 17 times per second, 8 attempts per second from Amazon AWS servers. Searching for advice from the usual suspects led to a recommendation to use fail2ban. I installed fail2ban, ran it for several days, and it blocked one IP address.
Coordinated attacks from multiple servers evade fail2ban
Briefly, fail2ban looks for multiple failed login attempts from an IP address. Too many and fail2ban writes a rule to the iptables firewall and the IP address is blocked. Unfortunately, hackers use multiple servers, which evades fail2ban.
Let’s say I have 3 servers and I’m attacking someone else’s server. The target server is running fail2ban configured to block an IP address after 3 login attempts. If I have 3 servers under my command that gives me 9 login attempts before they’re blocked. Already fail2ban’s rules have been weakened.
If I have 100 servers that’s 300 login attempts. And if I use virtual servers from Amazon AWS, after they’ve all gotten blocked by fail2ban, I can delete the virtual servers with a mouse click and request 100 more servers from AWS, all with fresh IP addresses that haven’t been blocked yet. So I get another 300 attempts.
The solution: block all SSH traffic
I’m a solo developer so only one person should be SSHing into my server: me. The simple solution is to set iptables to block SSH login attempts from all IP addresses except my home/business IP address.
Whitelist my IP address:
sudo iptables -A INPUT -p tcp -s YOUR.IP.HERE --dport 22 -j ACCEPT
Block all IP addresses trying to use port 22, the default SSH port [1]:
sudo iptables -A INPUT -p tcp --dport 22 -j DROP
Display the rules for review:
sudo iptables -S
That’s it. Now all SSH attempts from anywhere else are dropped. Simplicity.
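Because -A appends, the two commands above only work in the order shown: the ACCEPT for the whitelisted address has to sit above the catch-all DROP for port 22, or the whitelist never matches and you lock yourself out of your own server. The script below is an added example, not part of the original post: it takes the text that `sudo iptables -S` prints and checks that order. The rule dump is a constructed sample, and 203.0.113.10 is a placeholder standing in for YOUR.IP.HERE.

```shell
#!/bin/sh
# Added example (not from the original post). Reviews the rule order that
# the whitelist + DROP commands produce. The dump below is a constructed
# sample of `sudo iptables -S` output; 203.0.113.10 stands in for
# YOUR.IP.HERE. Note that iptables prints a bare -s address as /32.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP'

# check_ssh_rules RULES WHITELIST_IP
# Prints "ok" and returns 0 when an ACCEPT for port 22 from WHITELIST_IP
# appears before the first catch-all DROP for port 22. Otherwise prints
# what is wrong and returns 1.
check_ssh_rules() {
    rules=$1
    ip=$2
    printf '%s\n' "$rules" | awk -v ip="$ip" '
        # Line number of the whitelist ACCEPT (source must be our address).
        /^-A INPUT / && /--dport 22 / && /-j ACCEPT$/ &&
            (index($0, "-s " ip "/32 ") || index($0, "-s " ip " ")) { if (!acc) acc = NR }
        # Line number of the catch-all DROP (no -s, so it matches everyone).
        /^-A INPUT / && /--dport 22 / && /-j DROP$/ && !/-s / { if (!drop) drop = NR }
        END {
            if (!acc)  { print "no ACCEPT for " ip " on port 22: you would lock yourself out"; exit 1 }
            if (!drop) { print "no catch-all DROP for port 22: SSH is still open to everyone"; exit 1 }
            if (acc > drop) { print "DROP comes before the ACCEPT: the whitelist never matches"; exit 1 }
            print "ok"
        }'
}

# Run the review against the sample dump; on a real box feed it
# "$(sudo iptables -S)" instead.
check_ssh_rules "$SAMPLE_RULES" 203.0.113.10
```

Two things the check does not cover, which matter just as much: iptables rules are not saved across a reboot unless you persist them (for example with iptables-save), and these are IPv4 rules only, so if the server also has an IPv6 address the same whitelist and DROP need to be added with ip6tables or SSH stays open over IPv6.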
Iptables is the Linux firewall. It’s easy to learn and built like a tank.
[1] I could reconfigure sshd to use a different port, but I’d still have to use iptables to block SSH attempts to be safe.