Attempts Limit to log-in SSH

A lot has been written and warned about misusing servers based on older OpenWrt releases....

I have a question: isn't the most likely way to break into a server over SSH to find the password with some brute-force algorithm?
Is there already protection implemented in OpenWrt so that after too many unsuccessful attempts it will not allow login for some predefined time? I am not a super expert but I can imagine misusing a server if I can SSH into it...

And I did this from Thailand while the server was in Europe

If I should have a fear, I can imagine having fear for this reason; all the others seem to me to have almost zero probability of happening
Also regularly rebooting every day would change the dynamic IP address every time...

Any comments? Thanks

-Many docs highlight the advice to disable password logins and use keys only. This negates brute force.

-The syn_flood limit default rule slows Christmas-tree scans and new connections; you may wish to lower the limit and burst to 1/3 for a significant effect, or create a similar specific rule for port 22/ssh (or run on an alternate port for a tad of obscurity)

-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN

Web search for "iptables limit ssh"

-A WAN IP MAY change on reboot. That is what DynDNS is for.

-A server is only vulnerable as you discuss... if its ssh port is "forwarded" to the external address of the router. Most admins would not do that and would use some sort of tunnel, the simplest being ssh_forwarding using certificate authentication.

So yes, there are a few key precautions... that, when taken, offset much of the risk exposure. If you don't need WAN access via ssh, disable it on the external interface.

Oh, fail2ban and fwknopd are two more things if you're up for some learning... knocking is probably the simplest and most effective bang for the buck.
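The reply above suggests a port-22-specific rule in the spirit of the default syn_flood chain. The following is an added example (editor's code, not the reply author's and not an OpenWrt default) of such a rule for the fw3 firewall, written for /etc/firewall.user. It assumes the WAN device is eth0, that dropbear listens on port 22, and that the router runs fw3 (OpenWrt 21.02 and earlier; 22.03 and later use fw4/nftables, which does not execute this file).

```shell
# Added example, not from the reply above. fw3-style rate limit for new SSH
# connections from the WAN, scoped to port 22. Goes in /etc/firewall.user
# (fw3, OpenWrt 21.02 and earlier; 22.03+ runs fw4/nftables and ignores it).
# Assumptions: the WAN device is eth0 and dropbear listens on port 22.
WAN_DEV=eth0
SSH_PORT=22

# Dedicated chain so the rules can be rebuilt on every firewall reload
iptables -N ssh_limit 2>/dev/null
iptables -F ssh_limit
# Remember every new connection per source address ...
iptables -A ssh_limit -m recent --name ssh --set
# ... and drop the fourth and later ones from that address within 60 seconds
iptables -A ssh_limit -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP
iptables -A ssh_limit -j RETURN

# Only new TCP connections arriving on the WAN device for the SSH port pass
# through the chain. The -D first avoids stacking duplicate jumps when
# firewall.user is re-run on a firewall reload.
iptables -D INPUT -i "$WAN_DEV" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ssh_limit 2>/dev/null
iptables -I INPUT -i "$WAN_DEV" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ssh_limit
```

Check it with `iptables -L ssh_limit -v -n` (the DROP counter should climb during a test from outside) and `cat /proc/net/xt_recent/ssh` for the addresses currently remembered. Note what this does and does not do: it limits how many new SSH connections a source can open, but each accepted connection can still try several passwords before dropbear closes it, so it complements key-only authentication rather than replacing it.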

It's possible to disable password authentication. That will make brute force practically impossible.

Name              Type     Required  Default  Description
PasswordAuth      boolean  no        1        Set to 0 to disable authenticating with passwords.
RootPasswordAuth  boolean  no        1        Set to 0 to disable authenticating as root with passwords.

https://openwrt.org/docs/guide-user/base-system/dropbear

You can also allow SSH-access from VPN-interface only.
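Putting the two previous replies together (PasswordAuth/RootPasswordAuth off, and SSH reachable from the VPN interface only), here is an added example of the UCI commands on the router. This is editor's code, not from the dropbear wiki page or either reply; it assumes the VPN tunnel is a UCI network interface named `vpn`, that the public key was copied to the router as `/tmp/admin.pub` beforehand, and that the matching private key on the client is `~/.ssh/admin`.

```shell
# Added example, not from the dropbear wiki page. Key-only dropbear that
# listens on the VPN interface only, configured through UCI on the router.
# Assumptions: UCI network interface 'vpn' exists; the public key is already
# at /tmp/admin.pub; the client's private key is ~/.ssh/admin.

# 1. Install the key first: after step 2 a missing key means a lockout.
mkdir -p /etc/dropbear
cat /tmp/admin.pub >> /etc/dropbear/authorized_keys
chmod 600 /etc/dropbear/authorized_keys

# 2. Keys only (for root too) and bind to the VPN interface, not the WAN.
uci set dropbear.@dropbear[0].PasswordAuth='0'
uci set dropbear.@dropbear[0].RootPasswordAuth='0'
uci set dropbear.@dropbear[0].Interface='vpn'
uci commit dropbear
/etc/init.d/dropbear restart

# 3. Verify from a SECOND terminal before closing the current session:
#    ssh -i ~/.ssh/admin -o PasswordAuthentication=no root@<router vpn address>
#    must log in, and
#    ssh -o PubkeyAuthentication=no root@<router vpn address>
#    must be refused with "Permission denied".
```

The order matters: commit the key before turning passwords off, and keep the existing session open until a key login from a new session works. A quick sanity check afterwards is `netstat -lnp | grep dropbear` on the router, which should show the daemon bound to the VPN address only, not to 0.0.0.0.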

I'm using BearDropper on my system, works a treat. Monitors for repeat unsuccessful logins from the same address and then inserts the source IP into an iptables blocklist for a predetermined period.

1 Like
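To make the mechanism the reply describes concrete, here is an added example (editor's code, not BearDropper's own) of the detection half: it scans dropbear log lines as `logread` prints them, counts failed logins per source address, and names the addresses that reach a threshold so a second step can block them. The log lines are constructed for this example and use documentation address ranges; the block commands it emits assume fw3's per-zone user chain `input_wan_rule` with the WAN zone named `wan`.

```shell
#!/bin/sh
# Added example, not BearDropper's own code: detection step of a
# BearDropper-style tool for OpenWrt's dropbear. Reads logread-style lines,
# counts failed logins per source address, reports those at/over a threshold.
# The log lines are constructed; addresses are from documentation ranges.

# sample_log: constructed logread output. Two sources fail three times each,
# one source logs in successfully and must never be counted.
sample_log() {
cat <<'EOF'
Sat Mar  2 10:14:01 2019 authpriv.warn dropbear[2210]: Bad password attempt for 'root' from 203.0.113.7:51620
Sat Mar  2 10:14:03 2019 authpriv.warn dropbear[2211]: Bad password attempt for 'root' from 203.0.113.7:51631
Sat Mar  2 10:14:04 2019 authpriv.warn dropbear[2212]: Login attempt for nonexistent user from 203.0.113.7:51644
Sat Mar  2 10:14:09 2019 authpriv.warn dropbear[2213]: Bad password attempt for 'admin' from 198.51.100.20:40012
Sat Mar  2 10:14:15 2019 authpriv.info dropbear[2214]: Password auth succeeded for 'root' from 192.0.2.10:55100
Sat Mar  2 10:14:20 2019 authpriv.warn dropbear[2215]: Bad password attempt for 'root' from 198.51.100.20:40020
Sat Mar  2 10:14:31 2019 authpriv.warn dropbear[2216]: Bad password attempt for 'pi' from 198.51.100.20:40031
Sat Mar  2 10:14:40 2019 authpriv.info dropbear[2217]: Exit (root): Exited normally
EOF
}

# offenders <threshold>: reads log lines on stdin, prints "ip count" for each
# source with at least <threshold> failed logins, sorted by address.
offenders() {
    awk -v limit="$1" '
        /dropbear\[[0-9]+\]: (Bad password attempt|Login attempt for nonexistent user)/ {
            src = $NF                   # last field is "ip:port"
            sub(/:[0-9]+$/, "", src)    # drop the port
            fails[src]++
        }
        END {
            for (ip in fails)
                if (fails[ip] >= limit) print ip, fails[ip]
        }' | sort
}

# block_commands <threshold>: turns the offender list into iptables commands
# for fw3's per-zone user chain (zone name "wan" assumed). They are only
# printed here; pipe the output into sh on the router to apply them.
block_commands() {
    offenders "$1" | while read -r ip count; do
        printf 'iptables -I input_wan_rule -s %s -p tcp --dport 22 -j DROP   # %s failures\n' "$ip" "$count"
    done
}

# On a router this would be:  logread | block_commands 3
sample_log | block_commands 3
```

Run stand-alone it prints two DROP commands, one per offending address, and nothing for 192.0.2.10. A real tool also needs a time window (BearDropper expires entries after a set period) and an unban step that removes the rules again; this example only shows the counting and the rule generation.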

BearDropper, disabling PasswordAuth and using keys to log in are my favorites.

2 Likes