How to Avoid Unwanted SSH Login Attempts on CREODIAS


While using a VM, you may notice that unknown IP addresses are constantly trying to log into your machine.

This is normal on the Internet: plenty of bots scour servers looking for addresses that are vulnerable to attack via an open SSH service. There are several ways to avoid being attacked:

Restrict access to IP addresses

Restricting access to selected IP addresses is the easiest way to get rid of unwanted access attempts.

The technical instructions are here: /networking/How-To-Restrict-VM-Access-To-Dedicated-IP-Addresses-Creodias

If, however, you want to enable your users to access VMs via SSH from anywhere, you have to keep the TCP 22 port open without any limitations.

Do not allow login with password

Allowing login with a password increases the risk; conversely, removing that kind of access limits the risk significantly. Users can then access VMs with their private/public key pair, which is good practice.

Use VPN

A VPN is an even safer solution, though a little less convenient. In cyber-security, ease of use is generally inversely proportional to the level of security (the more convenient, the less secure). An OpenVPN server is installed on a dedicated VM. Other VMs will not allow ingress traffic to port 22 from anywhere other than the VPN server. Before gaining access to VMs, a user has to connect to the VPN server; over this connection the user can access all VMs in the project, even those without public Floating IP addresses.

Use a dedicated program such as Fail2ban

Fail2ban temporarily blocks a source IP address after three unsuccessful login attempts. Although Fail2ban is not a definitive solution, it helps reduce the risk.

You can install Fail2ban by entering the following in a terminal:

apt-get install fail2ban

For more information regarding installation and configuration of fail2ban, please visit Fail2ban HOWTO Knowledgebase.
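
To see which sources a three-failure rule like the one described above would act on, the following added example (not part of the original CREODIAS article, and not Fail2ban's own code) counts failed password logins per source IP in sshd log lines. The log lines are constructed, the function names are hypothetical, and unlike Fail2ban the count ignores any time window.

```shell
#!/bin/sh
# Added example: list source IPs with repeated failed SSH password logins.

# Constructed sshd log lines (documentation-range addresses, RFC 5737).
sample_auth_log() {
cat <<'EOF'
Mar  3 10:01:02 vm1 sshd[1201]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 10:01:05 vm1 sshd[1201]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 10:01:09 vm1 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40150 ssh2
Mar  3 10:02:11 vm1 sshd[1210]: Failed password for invalid user test from 198.51.100.23 port 51822 ssh2
Mar  3 10:03:40 vm1 sshd[1215]: Accepted publickey for eouser from 192.0.2.10 port 50022 ssh2: ED25519 SHA256:CONSTRUCTED
Mar  3 10:04:02 vm1 sshd[1220]: Failed password for invalid user from from 198.51.100.99 port 43000 ssh2
EOF
}

# failed_ssh_sources LOGFILE [LIMIT]
# Prints "count ip" for every source with at least LIMIT failures (default 3),
# highest count first.
failed_ssh_sources() {
    awk -v limit="${2:-3}" '
        /sshd\[[0-9]+\]: Failed password for / {
            # The user name is client-supplied text, so locate the address
            # by scanning from the right for "from <ip> port <n>".
            for (i = NF; i > 2; i--)
                if ($i == "port" && $(i - 2) == "from") {
                    fails[$(i - 1)]++
                    break
                }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= limit) print fails[ip], ip
        }
    ' "$1" | sort -k1,1nr -k2,2
}

# Stand-alone run on the constructed sample.
log=$(mktemp)
sample_auth_log > "$log"
failed_ssh_sources "$log" 3
rm -f "$log"
```

On a Debian or Ubuntu VM the same function can be pointed at /var/log/auth.log, for example `failed_ssh_sources /var/log/auth.log 3`.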