BruteDrop
is a simple but effective, and admittedly brute, tool written in Go as a response to SSH brute-force attacks.
The idea, a very common one, is to block all ports for every IP address from which someone tries to gain access to an SSH session by brute force.
Configure your SSH daemon with these recommendations in mind:
- Do not use common user names such as admin, mysql or kafka
- No password authentication
- No root login
- Key-based access only
- Use the best key type of the moment, currently ssh-ed25519
- Limit SSH access to an explicit list of users
Which gives, in the sshd_config file, the following directives:
PasswordAuthentication no
PermitRootLogin no
PubkeyAcceptedKeyTypes ssh-ed25519
AllowUsers angus@* malcolm@this.ip.address
Here angus may log in from any address while malcolm is restricted to the given one. On OpenSSH 8.5 and later the key-type directive is named PubkeyAcceptedAlgorithms (the old name is still accepted as an alias). Before restarting sshd, check the parsed configuration with sshd -T, and keep your current session open until a fresh key-based login succeeds.
Install it with:
sudo make install
The default BruteDrop configuration file is /etc/brutedrop.conf:
IptablesBinPath: /usr/bin/iptables
JournalctlBinPath: /usr/bin/journalctl
#DryRunMode: true
DryRunMode: false
#Set Logging to file path or "stdout"
LoggingTo: stdout
#LoggingTo: /var/log/brutedrop.log
LogEntriesSince: 2
AuthorizedUsers:
- angus
- malcolm
AuthorizedAddresses:
- a.b.c.d
- w.x.y.z
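To make the policy described above concrete, here is an added example, written for this page and not BruteDrop's own code, that does the job the configuration keys imply: it parses failed-login lines as sshd writes them to the journal, skips entries from AuthorizedAddresses and entries against AuthorizedUsers, and turns the remaining source addresses into iptables DROP rules, honouring DryRunMode. The way AuthorizedUsers and AuthorizedAddresses are interpreted, the sshd unit name, and the sample log lines (constructed, using documentation IP ranges) are assumptions of this example.

```go
package main

import (
	"fmt"
	"net"
	"os/exec"
	"regexp"
	"strings"
)

// Config mirrors the /etc/brutedrop.conf keys used here; how they are applied
// below is this example's assumption, not necessarily BruteDrop's behaviour.
type Config struct {
	IptablesBinPath     string
	DryRunMode          bool
	AuthorizedUsers     []string
	AuthorizedAddresses []string
}

// Two sshd message shapes that mark a failed login (user, then source address).
var (
	failedAuth  = regexp.MustCompile(`Failed (?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port \d+`)
	invalidUser = regexp.MustCompile(`Invalid user (\S+) from (\S+)`)
)

// parseAttempt returns (user, source address) for one journal line, or ok=false.
func parseAttempt(line string) (user, addr string, ok bool) {
	for _, re := range []*regexp.Regexp{failedAuth, invalidUser} {
		if m := re.FindStringSubmatch(line); m != nil {
			return m[1], m[2], true
		}
	}
	return "", "", false
}

// offenders returns the addresses to drop, de-duplicated, in first-seen order.
// Assumed policy: an AuthorizedAddresses entry is never dropped, and a failure
// against an AuthorizedUsers name is not counted, so a legitimate user whose
// agent offers a wrong key first does not ban their own address.
func offenders(cfg Config, lines []string) []string {
	users, safe, seen := map[string]bool{}, map[string]bool{}, map[string]bool{}
	for _, u := range cfg.AuthorizedUsers {
		users[u] = true
	}
	for _, a := range cfg.AuthorizedAddresses {
		safe[a] = true
	}
	var out []string
	for _, line := range lines {
		user, addr, ok := parseAttempt(line)
		if !ok || net.ParseIP(addr) == nil || safe[addr] || users[user] || seen[addr] {
			continue
		}
		seen[addr] = true
		out = append(out, addr)
	}
	return out
}

// dropRule is the iptables invocation that drops every port for addr.
func dropRule(bin, addr string) []string {
	return []string{bin, "-I", "INPUT", "-s", addr, "-j", "DROP"}
}

// apply inserts one DROP rule per address. Because the timer re-runs every 20s,
// it first probes with "iptables -C" (non-zero exit = rule absent) so that
// duplicate rules do not pile up.
func apply(cfg Config, addrs []string) error {
	for _, addr := range addrs {
		rule := dropRule(cfg.IptablesBinPath, addr)
		if cfg.DryRunMode {
			fmt.Println("dry-run:", strings.Join(rule, " "))
			continue
		}
		check := append([]string{"-C"}, rule[2:]...) // -C INPUT -s addr -j DROP
		if exec.Command(cfg.IptablesBinPath, check...).Run() == nil {
			continue // already dropped
		}
		if out, err := exec.Command(rule[0], rule[1:]...).CombinedOutput(); err != nil {
			return fmt.Errorf("%s: %v: %s", strings.Join(rule, " "), err, out)
		}
	}
	return nil
}

// Constructed sample data using documentation address ranges.
var sampleConfig = Config{IptablesBinPath: "/usr/bin/iptables", DryRunMode: true,
	AuthorizedUsers: []string{"angus", "malcolm"}, AuthorizedAddresses: []string{"192.0.2.10"}}

var sampleLines = []string{
	"Invalid user admin from 203.0.113.5 port 51234",
	"Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
	"Failed password for root from 198.51.100.9 port 40022 ssh2",
	"Failed publickey for angus from 192.0.2.77 port 50000 ssh2: ED25519 SHA256:x", // authorized user: skipped
	"Failed password for mysql from 192.0.2.10 port 50200 ssh2",                     // authorized address: skipped
}

func main() {
	// On a real host the lines would come from JournalctlBinPath, e.g.
	// "journalctl -u sshd -o cat --since -2min" (the unit is "ssh" on Debian).
	if err := apply(sampleConfig, offenders(sampleConfig, sampleLines)); err != nil {
		fmt.Println("error:", err)
	}
}
```

Run as-is it stays in dry-run mode and only prints the two rules it would insert; with DryRunMode false it needs root, and "-I INPUT" places each DROP ahead of any accept rules so it takes effect for every port, which is exactly why the address you administer from must be in AuthorizedAddresses.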
/etc/systemd/system/brutedrop.timer
[Unit]
Description=Launch BruteDrop every 20s
Requires=brutedrop.service
[Timer]
OnCalendar=*-*-* *:*:00,20,40
Persistent=true
[Install]
WantedBy=timers.target
/usr/lib/systemd/system/brutedrop.service
[Unit]
Description=BruteDrop
After=sshd.service
[Service]
Type=oneshot
ExecStart=/sbin/brutedrop
StandardOutput=journal
To be sure you won't lock yourself out, test your configuration first: set DryRunMode to true so that nothing is applied, and follow what BruteDrop would do with sudo journalctl -u brutedrop -f. Keep in mind that the resulting rule drops all ports, not just SSH, so the address you administer the box from belongs in AuthorizedAddresses.
Then enable and start the timer (not the service: the service unit has no [Install] section and is meant to be triggered by the timer every 20 seconds):
[angus@box ~]$ sudo systemctl enable --now brutedrop.timer