DDoS on SSH port

Hi all,
I'm experiencing a DDoS attack on my "non-standard" SSH port.

Fail2ban is banning one IP per minute.

Is there a way to protect my Linode from DDoS on the SSH port?

Thanks

7 Replies

Is there someone on this forum? The old one was really better than this sort of chat.

Linode doesn't offer DDoS mitigation - but if you're only seeing roughly one IP address blocked by fail2ban per minute, that doesn't exactly qualify as a "denial of service" attack, as it's likely not impacting access to your Linode. Having fail2ban and general SSH security best practices in place should be enough here. If it really bothers you that much, you could update your firewall rules to only allow access to your SSH port from select addresses.

I am guessing that you are getting SSH login failures frequently.

You can mitigate the attack at the L4 level.

Assuming that this is Linux, install ipset.

ipset create ddosingips hash:ip
iptables -I INPUT -m set --match-set ddosingips src -j DROP

Create a bash script, mitigatel4ddos.sh.
Replace 22 with your SSH port in sport = :22.

#!/bin/sh
# Block every peer that has more than 10 half-open (SYN-RECV) connections to the SSH port.
# ss -H drops the header line; -t and -4 keep the output to IPv4 TCP, so the
# last column is always "Peer Address:Port".
ss -H -n -t -4 state syn-recv '( sport = :22 )' \
  | awk '{print $NF}' \
  | grep -v '^127\.0\.0\.1:' \
  | cut -d':' -f1 \
  | sort | uniq -c \
  | awk '$1 > 10 {print $2}' \
  | while read -r ipaddress; do
      ipset test ddosingips "$ipaddress" >/dev/null 2>&1 \
        || { ipset add ddosingips "$ipaddress" && echo "Blocked $ipaddress"; }
    done

Logic:

  • We are looking at SYN requests for the SSH port
  • We are finding the hit count per individual IP address
  • If the total requests per IP are more than 10, we are assuming that it is participating in the attack, and we block the IP

You can also break up the line and test it once in your environment before blocking anything.

chmod +x mitigatel4ddos.sh
watch -n10 ./mitigatel4ddos.sh

The above will run the blocking constantly, every 10 seconds.

Besides, have you tried changing the SSH port?
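The SYN-RECV counting heuristic from the reply above, restated as an added example (not the poster's script) with the parsing separated from the blocking, so the threshold logic can be checked against captured ss output without root. The set name ddosingips, the threshold of 10 and the sample ss rows are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: the half-open-connection heuristic as
# testable functions.  Set name "ddosingips", threshold 10 and the sample rows
# are this example's own assumptions.

# Read ss rows ("Recv-Q Send-Q Local:Port Peer:Port", as printed by
# "ss -H -n -t -4 state syn-recv") on stdin and print every peer IP that owns
# more than $1 half-open connections.  Loopback is ignored.
syn_offenders() {
    threshold="${1:-10}"
    awk -v t="$threshold" '
        NF >= 4 {
            peer = $NF                    # Peer Address:Port is the last column
            sub(/:[0-9]+$/, "", peer)     # drop the (random) source port
            if (peer != "127.0.0.1") seen[peer]++
        }
        END { for (ip in seen) if (seen[ip] > t) print ip }
    ' | sort
}

# Add each IP read from stdin to an ipset (hash:ip), skipping ones already in it.
block_offenders() {
    set_name="${1:-ddosingips}"
    while read -r ip; do
        ipset test "$set_name" "$ip" >/dev/null 2>&1 \
            || { ipset add "$set_name" "$ip" && echo "Blocked $ip"; }
    done
}

# $1 = number of rows, $2 = peer address; prints ss-shaped rows with made-up ports.
emit_rows() {
    i=0
    while [ "$i" -lt "$1" ]; do
        printf '0      0      10.0.0.5:22      %s:%d\n' "$2" $((40000 + i))
        i=$((i + 1))
    done
}

# Constructed sample of what ss prints during a SYN flood: 12 half-open
# connections from 203.0.113.5, 3 from 198.51.100.7 and 11 from loopback
# (documentation addresses, not a real capture).
sample_ss_output() {
    emit_rows 12 203.0.113.5
    emit_rows 3 198.51.100.7
    emit_rows 11 127.0.0.1
}

# Live use (root, plus the ipset/iptables rule from the reply above):
#   ./mitigate.sh --live          # or: watch -n10 ./mitigate.sh --live
if [ "${1:-}" = "--live" ]; then
    ss -H -n -t -4 state syn-recv '( sport = :22 )' \
        | syn_offenders 10 | block_offenders ddosingips
fi
```

Run it without arguments and nothing is touched; pipe sample_ss_output into syn_offenders to see which peers cross the threshold before wiring the live branch into watch or cron.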

I already have a non-conventional port; the DDoS attack has continued for days now.
They are using different IPs, I don't know where they get so many IPs…

The IPs are so different that I'm thinking of allowing SSH only to IPs coming from my internet provider. It could be a good filter for now.

Is there someone who knows how to filter IPs by provider?

I use dynamic IPs; I can't allow only one IP.

You may also want to increase the bantime setting in Fail2Ban - this is in /etc/fail2ban/jail.conf under the [sshd] section.

[sshd]
bantime = 12h

The "12h" syntax is for fail2ban version 0.10.2 that comes with Debian 10 ("testing").

Older versions of fail2ban need the number of seconds (3600 = 1 hour, etc.).

It won't help with first time IP sources, but will keep any already known offenders banned for longer.

Take a look at knockd for port knocking. Caution: it is known to crash. Use a systemctl script with autorestart.

Using port knocking, you can have your ssh port open for your dynamic IP address.

Also, you may want to look at iplists.firehol.org.
Choose a list that can defend against attacks. Use ipset and iptables to block ips from the list.

Take a look at abuseipdb.com too. Not sure if they have an API to provide a list of reported IPs.
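Loading one of those lists with ipset and iptables, as an added example that is not from the thread: the function below turns a FireHOL-style netset file (one IPv4 address or CIDR per line, "#" comments) into input for ipset restore, filling a temporary set and swapping it in so the live set is never half-loaded during a refresh. The set name fireholblock, the sample list and the LIST_URL placeholder are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): convert a FireHOL-style netset into
# "ipset restore" input.  Set name "fireholblock", the sample list and the
# LIST_URL placeholder are this example's own assumptions.

# Read a netset on stdin (one IPv4 address or CIDR per line, "#" comments) and
# print ipset-restore commands on stdout.  $1 = set name.  Entries go into a
# temporary set that is then swapped in, so a refresh never leaves the live
# set half-loaded, and the iptables rule that references the live set name
# keeps matching throughout.
netset_to_ipset_restore() {
    name="$1"
    tmp="${name}_tmp"
    printf 'create %s hash:net family inet -exist\n' "$name"
    printf 'create %s hash:net family inet -exist\n' "$tmp"
    printf 'flush %s\n' "$tmp"
    # strip comments and whitespace, keep only dotted-quad entries with an optional /prefix
    sed -e 's/#.*//' -e 's/[[:space:]]//g' \
        | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' \
        | sed "s/^/add $tmp /; s/\$/ -exist/"
    printf 'swap %s %s\n' "$tmp" "$name"
    printf 'destroy %s\n' "$tmp"
}

# Constructed sample in the netset layout (documentation addresses only).
sample_netset() {
    cat <<'EOF'
#
# constructed sample list, not a real FireHOL feed
# Maintainer : example
192.0.2.0/24
198.51.100.17
203.0.113.0/25   # trailing comment is dropped
not-an-address

EOF
}

# Live use (root, ipset and iptables installed); LIST_URL is whichever list
# from iplists.firehol.org you picked:
#   curl -fsS "$LIST_URL" | netset_to_ipset_restore fireholblock | ipset restore
#   iptables -I INPUT -m set --match-set fireholblock src -j DROP
# Re-run the first line from cron to refresh; the swap makes that safe.
if [ "${1:-}" = "--live" ] && [ -n "${LIST_URL:-}" ]; then
    curl -fsS "$LIST_URL" | netset_to_ipset_restore fireholblock | ipset restore
fi
```

Running sample_netset | netset_to_ipset_restore fireholblock prints the restore script so you can inspect it before feeding a real list to ipset restore; hash:net accepts bare addresses as /32 entries, so the same set handles both line types.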
