I am having a lot of failed ssh authentication requests for the past two days, from various service providers. It seems somebody is intent on breaking into my computer.
I am using Ubuntu on a Dell laptop, I need to have sshd running for work purposes, so shutting it off is not an option.
I blocked all the ips off for the moment, and crippled the attack. What is the best response to such a situation?
It's very common among public servers or a host. I'm going to assume that your host is a server which is using Public IP i.e can be accessible from anywhere. Here is some precaution:
Change default port: The ideal idea for this kind of situation is to move default port (22) into higher port. You can do that by changing the configuration file located at '/etc/ssh/sshd_config' as following,
$ vi /etc/ssh/ssh
And make the following change,
# Port 22
Port 23415
Define specific IP: You always can define specific IP of the host from which you usually ssh to your laptop and drop all other requests with IPTABLES with the following commands [here I am assuming you are using port 23415 in place of 22],
Drop IP's trying to connect in port 22
sudo iptables -A INPUT -p tcp --dport 22 -j DROP
Whitelisting IP's: You can add multiple IP.
sudo iptables -A INPUT -p tcp -s YOUR.IP.HERE --dport 23415 -j ACCEPT
sudo iptables -A INPUT -p tcp -s YOUR.Another.IP.HERE --dport 23415 -j ACCEPT
Drop Other IP's request:
sudo iptables -A INPUT -p tcp --dport 23415 -j DROP
Save new rules:
sudo iptables-save
Using SSH securing app: There are plenty of SSH securing app available like Fail2ban, Denyhost, Sshguard etc.
This is puzzling. How do people figure out my local ip-address to ssh?
– Pratyush Rathore Jun 20 '17 at 05:17Why is it important?
– Pratyush Rathore Jun 20 '17 at 05:18