
SSH Key-based logins with Putty mini HowTO

How I secured my linux box from brute force SSH attacks using key-based logins with Putty.

I am running Red Hat Fedora 4 to support my MythTV setup and noticed (from my logs in /var/log/messages) quite a few people trying to log on to my machine via SSH with various usernames (usually root, mysql, etc.), mostly from other countries.  For a while, I would look up the offender's IP address and send an e-mail to their ISP asking them to deal with it, but I quickly grew tired of that.  I then tried scripts that would 'blacklist' an IP address after multiple failed login attempts, but that wasn't an elegant solution.  I finally decided to disable password-based authentication completely and require public key authentication. This is how I did it:

Logon to your Linux box as your non-root user.

Create an SSH key pair with the ssh-keygen command like this:

$ ssh-keygen -t dsa

Save the key in its default location and enter a passphrase when prompted.

Change directory to ~/.ssh using:

$ cd .ssh/

Two files will have been created there:  id_dsa and id_dsa.pub.  The first is your private key and must never be distributed.  The second is your public key; it has to be appended to the ~/.ssh/authorized_keys file on every computer you would like to log in to with this private key.  To do this on the local box, use:

$ cat id_dsa.pub >> authorized_keys

and finally make authorized_keys read-only with:

$ chmod 400 authorized_keys

Getting your public key to work with PuTTY

Unfortunately, SSH-2 private keys come in several formats, so we need to import the DSA private key we just made into PuTTYgen and save it in the format that PuTTY uses.

Download PuTTYgen, which is available here.

Copy your id_dsa (your private key) to your Windows machine (using a USB pen drive, FTP, etc.).

Select the 'Import' command from the 'Conversion' menu in PuTTYgen.  Select SSH-2 DSA in the Parameters section, then choose File -> Save private key and save your key as a .ppk file.

Configuring PuTTY

Under the Connection -> SSH -> Auth category, click the Browse button and select your new private key with the .ppk extension.  Click Open and log on to your Linux box with the new key!

Removing password-based authentication from SSH

Once you are sure key-based logins are working (you should see something like Authenticating with public key "something" after entering your user name), you can 'turn off' password-based logins.

On your Linux box, switch to root and edit the /etc/ssh/sshd_config file.  Look for the PasswordAuthentication line and make sure it reads PasswordAuthentication no.  Save the file and run:

# kill -HUP `cat /var/run/sshd.pid`

so that sshd re-reads its configuration file.

That's it.  You have now effectively blocked brute force attempts to log in to your box using password-based SSH.
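As an added example that is not part of the original HowTO, here is a small POSIX shell script that checks the two things the procedure above changes: which PasswordAuthentication value sshd will actually use (sshd keeps the first uncommented occurrence of a keyword, so a "no" appended below an existing "yes" is silently ignored), and which source addresses the failed-password attempts in a /var/log/messages-style log come from.  The sshd_config and log lines it reads are constructed samples written to a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original HowTO: audit helpers for the two things
# this procedure changes. The sshd_config and log lines below are constructed.

# Print the global value sshd will use for keyword $2 in config file $1.
# sshd keeps the FIRST uncommented occurrence of a keyword and ignores later
# duplicates, so a "no" appended below an existing "yes" changes nothing.
# Directives after a "Match" block are conditional, so we stop there.
sshd_effective_value() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || NF == 0 { next }        # skip comments and blank lines
    { sub(/=/, " ") }                           # accept the Keyword=value form
    tolower($1) == "match" { exit }             # end of the global section
    tolower($1) == key     { print $2; exit }
  ' "$1"
}

# Count "Failed password" lines in a syslog-style log ($1) per source address,
# printed as "count ip" with the busiest source first.
failed_password_sources() {
  grep 'sshd\[[0-9]*\]: Failed password' "$1" \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Constructed samples: a config where "no" was added after an existing "yes"
# (a common mistake) and a log with a few of the attempts the HowTO describes.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -r "$SAMPLE_DIR"' EXIT
SAMPLE_CFG="$SAMPLE_DIR/sshd_config"
SAMPLE_LOG="$SAMPLE_DIR/messages"
cat >"$SAMPLE_CFG" <<'EOF'
# existing line left in place, override appended below it
PasswordAuthentication yes
PubkeyAuthentication=yes
PasswordAuthentication no
Match User backup
    X11Forwarding yes
EOF
cat >"$SAMPLE_LOG" <<'EOF'
Jan 10 03:14:22 myth sshd[2101]: Failed password for illegal user mysql from 203.0.113.5 port 4321 ssh2
Jan 10 03:14:25 myth sshd[2103]: Failed password for root from 203.0.113.5 port 4322 ssh2
Jan 10 03:20:01 myth sshd[2110]: Accepted publickey for jason from 198.51.100.7 port 50000 ssh2
Jan 10 04:01:09 myth sshd[2140]: Failed password for root from 198.51.100.9 port 1022 ssh2
EOF

echo "PasswordAuthentication in effect: $(sshd_effective_value "$SAMPLE_CFG" PasswordAuthentication)"
echo "Failed password attempts by source address:"
failed_password_sources "$SAMPLE_LOG"
```

Run against the real files (sshd_effective_value /etc/ssh/sshd_config PasswordAuthentication, failed_password_sources /var/log/messages) the first call should print "no" once the change above has been applied and sshd reloaded.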

©2005 Sharon and Jason .com