1. Don't Use Telnet
Telnet is old, outdated, and much easier to break into than SSH. If you really need telnet for some reason, you can try blocking access from IP's other than localhost and tunneling the connection through SSH.
2. Don't Use A Common Login
These bots will usually start by trying common logins - such as the default login for the pi account on Raspberry Pi. If you use one of these logins, you are likely to be hacked shortly after exposing the SSH port to the internet.
3. Use SSH Key Authentication and Disable SSH Password Authentication
SSH key authentication is much more secure than password authentication. It is based off of the RSA (or optionally DSA, although RSA is default/preferred) cryptographic algorithm. RSA is an asymmetric cipher - with one private key and one public key. The private key stays on the device connecting to the server and is used to sign data. The public key is used to verify this signature. This is significantly better than passwords because the private key is stored locally and is (usually) unique.
In order to create an SSH keypair, run the ssh-keygen command. This command will ask you to encrypt the key with a password for an extra layer of security (in case the device with the private key is compromised). By default, it will put the public key in .ssh/id_rsa.pub and the private key in .ssh/id_rsa in your home folder. To copy the public key to the server, run:
ssh-copy-id username@example.org
You can also save the file to .ssh/authorized_keys in your home folder on the server and set the permissions to 400 if you need to do this manually.
Now, you should be able to ssh using your ssh key.
Now that you have an SSH key set up, you can disable password authentication by editing /etc/ssh/sshd_config and adding these lines (although some may already be present by default):
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
Now restart SSH, and your server should be better secured.
4. Use Fail2Ban
Whether or not you use password authentication, you should use Fail2Ban to protect your server. Fail2Ban is a python script which parses the server logs and blocks IP adresses that fail to log in a configurable amount of times. In Debian/Fedora/Ubuntu/most distros, it is available in repositories as fail2ban. You may also want to install sendmail for it to email you about failed logins.
Now open up /etc/fail2ban/jail.local
In it you want to set the following options:
- backend - what method to use to tell Fail2Ban when the logs have been modified. If you are unsure, you can use backend = auto to leave the choice up to Fail2Ban
- bantime - how long to keep an IP address banned (in seconds). This defaults to 600 (10 minutes) but I use 86400 (1 day) because some bots will try again as soon as they are unblocked.
- maxretry - the number of failed login attempts in the specified amount of time to allow before banning. Defaults to 3.
- findtime - the amount of time to keep track of failed login attempts in seconds. If you wait for this amount of time before attempting to login again, Fail2Ban will not ban you. Defaults to 600 (10 minutes).
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
# mail-whois[name=SSH, dest=address@mailserver.com]
logpath = /var/log/auth.log
maxretry = 5
Uncomment the mail-whois line and fill in your email address if you would also like Fail2Ban to send you info about the attacks (this needs sendmail installed).
Now, reload Fail2Ban and it will automatically protect your server!
