How does one protect against password brute-force attacks, and even just people guessing your password? The obvious first idea that springs to mind is to use a long (12-24 character) and difficult-to-guess password. This will thwart most dictionary-based attacks, and if the attacker has an incredibly large wordlist it will at least make them work at it. I have seen a few brute-force password cracks take 3-4 days to complete on 16-character passwords, which gives you ample time to pick up on the attack and stop it in its tracks, or the script kiddie may just get tired and give up. But this is not ideal.
The recommended way to deal with this is to configure SSH so that it only accepts key-based logins. SSH keys are impossible to brute-force with today's technology, and eliminating password logins eliminates the problem altogether. Another small step that people tend to overlook, especially those new to Linux, is to simply use your non-root account for day-to-day activities, especially web-related activities (IRC, email, etc.).
So let's start off by generating a key. After installing OpenSSH, run ssh-keygen on your machine as root:
root@localhost:~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
bb:22:03:ae:f6:cc:0f:21:01:5e:4e:d3:bc:71:a3:ba root@localhost.localdomain
So, as you can see from the above output, a private key was generated and saved to ~/.ssh/id_rsa, and our public key is saved to ~/.ssh/id_rsa.pub.
You now need to give the server your public key and tell it to trust that key and use it to validate logins. There are two ways: a harder and an easier one. The hard way involves manually pasting your public key into ~/.ssh/authorized_keys on the server. The easy way is to use ssh-copy-id and let it do that for us:
~ ssh-copy-id root@X.X.X.X
root@X.X.X.X's password:
Now try logging into the machine, with "ssh 'root@X.X.X.X'", and check in:
~/.ssh/authorized_keys
~/.ssh/id_rsa private key.
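The post recommends configuring sshd to accept key-based logins only but does not show the server-side config. The following is an added example, not from the original post: a small POSIX shell script that reads the effective global values from an sshd_config, reports whether any password-style login path remains, and prepends the key-only directives. The keyword defaults and the first-value-wins rule are OpenSSH's; the sample config and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: find any remaining password login
# path in an sshd_config and harden it to public-key logins only. Assumes sshd
# honours the FIRST value read for a keyword, so top-of-file directives win.

# Effective global value of keyword $2 in file $1, or default $3 when unset.
# Comment and blank lines are skipped; scanning stops at the first Match block.
sshd_effective() {
    awk -v k="$2" -v d="$3" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print tolower($2); found = 1; exit }
        END { if (!found) print d }
    ' "$1"
}

# True only if no password-style login remains. Absent keywords get OpenSSH's
# defaults; ChallengeResponseAuthentication is KbdInteractive's older alias.
sshd_keys_only() {
    [ "$(sshd_effective "$1" PasswordAuthentication yes)" = no ] &&
    [ "$(sshd_effective "$1" KbdInteractiveAuthentication \
        "$(sshd_effective "$1" ChallengeResponseAuthentication yes)")" = no ] &&
    [ "$(sshd_effective "$1" PubkeyAuthentication yes)" = yes ]
}

# Rewrite file $1 in place: hardened directives first (where they win), the
# original kept below. Validate with `sshd -t -f FILE` before reloading sshd.
sshd_harden() {
    tmp=$(mktemp) || return 1
    {
        printf '# Key-based logins only (added by sshd_harden)\n'
        printf 'PubkeyAuthentication yes\n'
        printf 'PasswordAuthentication no\n'
        printf 'KbdInteractiveAuthentication no\n'
        printf 'ChallengeResponseAuthentication no\n'
        cat "$1"
    } > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Constructed sample: a commented-out no, an effective yes, a Match block.
write_sample_config() {
    cat > "$1" <<'EOF'
#PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication no
EOF
}
```

Keep your current session open and confirm a key login from a second terminal before reloading sshd, otherwise a typo in authorized_keys locks you out.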