The reason seems that the IP address of my server has been added to a bot network which tries to hack servers using SSH brute force attacks. As far as I know such bot networks are built up  with Viruses and Trojans. I think there is no reason why your server may have also been added to such a list, somehow IP addresses seem to added.

But the question is how to defend against such brute force attacks from bot networks?

Known Methods

• Install a tool like denyhosts
• Always keep the SSH daemon up to date!
• Move the SSH port from 22 to some other port
• Disable password authentication and use key authentication
• Slow down the amount of connections from the same IP using iptables and module “recent”
• Open the SSH port after a trigger on a different port using iptables

I think there is one additional easy method to defend against such attacks. Why I think so? Read on..

Another Simple Method

When checking the auth.log we see that the user names of the attacks are taken from a dictionary:

Failed keyboard-interactive/pam for invalid user aderes from 195.xxx.xxx.xx port 39566 ssh2
Failed keyboard-interactive/pam for invalid user aderyn from 203.xxx.xxx.xx port 44099 ssh2
Failed keyboard-interactive/pam for invalid user adi from 78.xxx.xxx.xx port 42748 ssh2
Failed keyboard-interactive/pam for invalid user adia from 89. port 51028 ssh2
Failed keyboard-interactive/pam for invalid user adiel from 217. port 33861 ssh2
Failed keyboard-interactive/pam for invalid user adila from 77. port 52867 ssh2
It seems that the bots are not adding digits to the user names. So I think one easy method to defend against such attacks is:

• add at least one digit to user names on your server if you have the possibility

And definitely never ever add a user “admin”. In my logs the user “admin” is always used for brute force attacks:

Failed keyboard-interactive/pam for invalid user admin from 203.xxx.xxx.xx port 39711 ssh2
Failed keyboard-interactive/pam for invalid user admin from 203.xxx.xxx.xx port 55493 ssh2
Failed keyboard-interactive/pam for invalid user admin from 220.xxx.xxx.xx port 34502 ssh2
Failed keyboard-interactive/pam for invalid user admin from 80.xxx.xxx.xx port 51846 ssh2
Failed keyboard-interactive/pam for invalid user admin from 80.xxx.xxx.xx port 53934 ssh2

Using debian Etch installation is really simple:

apt-get install denyhosts

Next edit /etc/denyhosts.conf and change:

PURGE_DENY = 1w
PURGE_THRESHOLD = 0

and start the daemon:

/etc/init.d/denyhosts start

That’s all. Sure it’s not a perfect solution which helps for everything, but nevertheless it will increase your security.

All you have to to now is wait and check the /etc/hosts.deny Depending on your configuration denyhosts will automatically delete expired entries.