[cumbria_lug] Preventing SSH attacks

luke at antins.co.uk luke at antins.co.uk
Thu Jan 20 15:58:00 GMT 2005


That looks interesting! I've looked into using some kind of port knocking 
concept to enable / disable access to my IMAP server that runs at home, 
I'll be giving this a try for sure!

If your testing it on a remote server, I suggest you do not have the 
firewall script load on boot until your happy is working fine, if for 
whatever reason your locked out a simple reboot will get you access 
again. Once your happy is working, then make it start on boot.

Just some suggestions for securing up ssh a bit...
- Use ssh keys and set PasswordAuthentication to "no" in your
   /etc/ssh/sshd_config file. This will only allow people to connect if
   they have a ssh key configured.

- Disable root logins, set PermitRootLogin to "no".
   You should never login as root, login as a normal user and then su to
   root or use sudo for doing what you need done.

- Disable ssh protocol, only allow ssh protocol 2 . (set Protocol to "2")

- Make sure all users in /etc/passwd that does not require shell access to
   have there shell set to /bin/false (or something similar)
   I've seen users like "mysql" (used for running the mysql server) with a
   shell of /bin/bash, it does not need shell access so why give it the
   option to ever do so!

I'm sure there's a few things I've forgot, but its a start :)

Kind Regards
Luke Antins

On Thu, 20 Jan 2005, Schwuk wrote:

> Seeing as we have at least one firewall expert on here...
>
> I've found a technique for preventing the common SSH login attack (which
> my web server suffers from), and wondered what people thought of it
> before I tried implementing it.
>
> http://www.soloport.com/iptables.html
>
> Cheers,
> --
> Schwuk - http://www.schwuk.com/
> Cumbria LUG - http://www.cumbria.lug.org.uk/
>



More information about the Cumbria mailing list