From: Nix on
On Sat, 14 Jan 2006, Colin McKinnon mused:
> Honestly, for a small system not holding secure data I don't think it's worth
> the effort - by all means restrict the hosts which can connect to port 22
> on the machine in its firewall and with appropriate entries for tcp
> wrappers (man 5 hosts_access). Another step I'd recommend is to only allow
> ssh logins for users of a specific group (AllowGroups in sshd_config).
> Definitely don't allow root logins via ssh.

I'd say turn PasswordAuthentication off, too. Stick with key-based
authentication only.

The vast majority of attacks on SSH are attacks on bad passwords; I've
had some twit trying for most of today and yesterday, four or five
requests a second...

....
Jan 15 15:23:17 esperi info: sshd[11806]: Invalid user molly from 208.187.226.110
Jan 15 15:23:19 esperi info: sshd[11808]: Invalid user molly from 208.187.226.110
Jan 15 15:23:21 esperi info: sshd[11810]: Invalid user molly from 208.187.226.110
Jan 15 15:23:23 esperi info: sshd[11812]: Invalid user molly from 208.187.226.110
Jan 15 15:23:25 esperi info: sshd[11814]: Invalid user molly from 208.187.226.110
Jan 15 15:23:27 esperi info: sshd[11816]: Invalid user sophie from 208.187.226.110
Jan 15 15:23:29 esperi info: sshd[11818]: Invalid user sophie from 208.187.226.110
Jan 15 15:23:31 esperi info: sshd[11820]: Invalid user sophie from 208.187.226.110
Jan 15 15:23:33 esperi info: sshd[11824]: Invalid user sophie from 208.187.226.110
Jan 15 15:23:35 esperi info: sshd[11826]: Invalid user sophie from 208.187.226.110
Jan 15 15:23:37 esperi info: sshd[11829]: Invalid user sophie from 208.187.226.110
Jan 15 15:23:39 esperi info: sshd[11831]: Invalid user sophie from 208.187.226.110
Jan 15 15:23:41 esperi info: sshd[11833]: Invalid user sophie from 208.187.226.110
Jan 15 15:23:43 esperi info: sshd[11835]: Invalid user sophie from 208.187.226.110
Jan 15 15:23:45 esperi info: sshd[11837]: Invalid user sophie from 208.187.226.110
Jan 15 15:23:47 esperi info: sshd[11839]: Invalid user sophie from 208.187.226.110
Jan 15 15:23:49 esperi info: sshd[11841]: Invalid user sophie from 208.187.226.110
Jan 15 15:23:51 esperi info: sshd[11843]: Invalid user sophie from 208.187.226.110
Jan 15 15:23:53 esperi info: sshd[11845]: Invalid user sophie from 208.187.226.110
Jan 15 15:23:55 esperi info: sshd[11847]: Invalid user sophie from 208.187.226.110
Jan 15 15:23:57 esperi info: sshd[11849]: Invalid user sophie from 208.187.226.110
Jan 15 15:23:59 esperi info: sshd[11851]: Invalid user sophie from 208.187.226.110
Jan 15 15:24:01 esperi info: sshd[11853]: Invalid user sophie from 208.187.226.110
Jan 15 15:24:03 esperi info: sshd[11857]: Invalid user sophie from 208.187.226.110
Jan 15 15:24:07 esperi info: sshd[11861]: Invalid user alexa from 208.187.226.110
Jan 15 15:24:10 esperi info: sshd[11864]: Invalid user alexa from 208.187.226.110
Jan 15 15:24:12 esperi info: sshd[11866]: Invalid user alexa from 208.187.226.110
Jan 15 15:24:14 esperi info: sshd[11872]: Invalid user alexa from 208.187.226.110
Jan 15 15:24:17 esperi info: sshd[11879]: Invalid user alexa from 208.187.226.110
....

With PasswordAuthentication off, all they're doing is tarpitting
themselves and wasting their time.

--
`I must caution that dipping fingers into molten lead
presents several serious dangers.' --- Jearl Walker
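A check for the sshd_config settings the thread recommends (PasswordAuthentication off, no root logins, AllowGroups set), as an added example that is not code from any poster; it assumes OpenSSH's "Keyword value" syntax with case-insensitive keywords where the first occurrence wins, treats anything after a Match block as conditional, and counts an absent directive as weak.

```shell
# Added example, not from the thread: audit an sshd_config for the settings
# recommended above. Assumes OpenSSH "Keyword value" syntax; directives after
# a Match block are conditional and ignored, and absent directives count as weak.

# sshd_setting FILE KEYWORD -> effective global value, or nothing if unset
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blanks
        tolower($1) == "match"   { exit }            # rest is conditional
        tolower($1) == key {                         # first match wins
            sub(/^[ \t]*[^ \t]+[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# sshd_audit FILE -> one "WEAK: ..." line per finding; returns 1 if any
sshd_audit() {
    cfg=$1; bad=0
    v=$(sshd_setting "$cfg" PasswordAuthentication)
    [ "$(lc "$v")" = no ] || { echo "WEAK: PasswordAuthentication=${v:-unset} (want no)"; bad=1; }
    v=$(sshd_setting "$cfg" PermitRootLogin)
    [ "$(lc "$v")" = no ] || { echo "WEAK: PermitRootLogin=${v:-unset} (want no)"; bad=1; }
    v=$(sshd_setting "$cfg" PubkeyAuthentication)     # defaults to yes when unset
    case "$(lc "$v")" in ""|yes) ;; *) echo "WEAK: PubkeyAuthentication=$v (want yes)"; bad=1 ;; esac
    v=$(sshd_setting "$cfg" AllowGroups)
    [ -n "$v" ] || { echo "WEAK: AllowGroups unset (limit logins to one group)"; bad=1; }
    return $bad
}

# Two constructed configs: the first looks reasonable but only disables
# passwords for one address block, which does nothing for everyone else.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/weak.conf" <<'EOF'
PermitRootLogin yes
PubkeyAuthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication no
EOF
cat > "$tmp/hardened.conf" <<'EOF'
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
AllowGroups sshusers
EOF
echo "== weak.conf";     sshd_audit "$tmp/weak.conf" || true
echo "== hardened.conf"; sshd_audit "$tmp/hardened.conf" && echo "OK"
```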
From: alexd on
Martin Gregorie wrote:

> I thought that ssh / sftp / scp were probably where it was at but wanted
> to make sure that, say, a VPN approach wasn't better. I use ssh within
> my LAN but know next to nothing about the ins and outs of secure
> Internet communications.

SSH is great when you want a quick connection that just works without too
much messing about. You can get shell access, copy a few files with scp,
etc etc. A VPN probably a better solution where you have a network of > 1
machines that you want to connect to another network, on a semi-permanent
basis, and where you might be using protocols that, heaven forbid, aren't
secure enough to use naked on the internet [telnetting into ancient pieces
of kit and using NFS spring to mind]. Also when you tunnel stuff through a
VPN, you can implement QoS as you theoretically have total control over
your 'network'.

alexd
--
<http://ale.cx/> (AIM:troffasky) (gebssnfxl(a)ubgznvy.pbz)
18:19:07 up 14 days, 5:36, 2 users, load average: 0.27, 0.31, 0.32
This is my BOOOOOOOOOOOOOOOOOOOOOMSTICK

From: alexd on
Martin Gregorie wrote:

> I already use a firewall. But, as 22 is a well-known port (and anyway a
> port scanner will find non-standard ones) I'd like things a bit tighter.
> Yes, I can use the hosts.allow/deny and shosts.equiv but they can't stop
> spoofing - only ssh_known_hosts can do that.

If you're super-paranoid, try port knocking.

alexd
--
<http://ale.cx/> (AIM:troffasky) (gebssnfxl(a)ubgznvy.pbz)
18:28:30 up 14 days, 5:45, 2 users, load average: 0.35, 0.27, 0.27
This is my BOOOOOOOOOOOOOOOOOOOOOMSTICK

From: Tony van der Hoff on
Nix <nix-razor-pit(a)esperi.org.uk> wrote in message
<87mzhxgync.fsf(a)amaterasu.srvr.nix>

> On Sat, 14 Jan 2006, Colin McKinnon mused:
> > Honestly, for a small system not holding secure data I don't think it's worth
> > the effort - by all means restrict the hosts which can connect to port 22
> > on the machine in its firewall and with appropriate entries for tcp
> > wrappers (man 5 hosts_access). Another step I'd recommend is to only allow
> > ssh logins for users of a specific group (AllowGroups in sshd_config).
> > Definitely don't allow root logins via ssh.
>
> I'd say turn PasswordAuthentication off, too. Stick with key-based
> authentication only.
>
Depends on your requirements. Sometimes you can't set keys - I certainly
wouldn't want to accidentally leave one on a Customer's box. Key-based
authentication PLUS passwords (provided they're strong ones) works fine.

> The vast majority of attacks on SSH are attacks on bad passwords; I've
> had some twit trying for most of today and yesterday, four or five
> requests a second...
>
> ...
> Jan 15 15:23:17 esperi info: sshd[11806]: Invalid user molly from 208.187.226.110
> Jan 15 15:23:19 esperi info: sshd[11808]: Invalid user molly from 208.187.226.110
[snip]

No, he's not made it into my blocklist - yet.

Indeed; they first have to guess a username; then they have to guess a valid
password :( It's a wonder they achieve anything, and can only be evidence of
a preponderance of poorly-administered sites out there...

Which is why I employ a blocklist script; I enjoy seeing this:

Jan 15 12:09:52 tony-lx sshd[18346]: Failed password for invalid user brd
from 207.36.86.64 port 49575 ssh2
Jan 15 12:10:00 tony-lx sshd[18365]: Failed password for invalid user ap
from 207.36.86.64 port 49762 ssh2
Jan 15 12:10:01 tony-lx sshd: refused connect from
207-36-86-64.ptr.primarydns.com (207.36.86.64)

Zap!

--
Tony van der Hoff | mailto:tony(a)vanderhoff.org
Buckinghamshire, England
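An added example of the kind of blocklist script Tony describes (not his script): it counts sshd "Invalid user" and "Failed password" lines per source address and appends tcp-wrappers hosts.deny entries for repeat offenders, which is what produces the "refused connect" line shown above. The log lines, addresses, threshold and file paths below are constructed for the demo.

```shell
# Added example, not Tony's script: turn sshd failure lines into hosts.deny
# entries. Keys on the token after "from", so it copes with both the
# "Invalid user X from IP" and "Failed password ... from IP port N ssh2" forms.

# ssh_offenders LOG THRESHOLD -> "COUNT IP" for each source at/over THRESHOLD
ssh_offenders() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: (Invalid user|Failed password for)/ {
            for (i = 1; i < NF; i++)                 # token after "from"
                if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' "$1" | sort -rn
}

# blocklist_update LOG DENYFILE THRESHOLD -> append "sshd: IP" for each new
# offender and print the IP; addresses already listed are left alone
blocklist_update() {
    log=$1; deny=$2; min=${3:-5}
    touch "$deny"
    ssh_offenders "$log" "$min" | while read -r count ip; do
        if ! grep -qFx "sshd: $ip" "$deny"; then
            echo "sshd: $ip" >> "$deny"              # tcp-wrappers: daemon: client
            echo "$ip"
        fi
    done
}

# Constructed log: one address hammering away, one legitimate user with a typo.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/auth.log" <<'EOF'
Jan 15 12:09:52 host sshd[18346]: Failed password for invalid user brd from 203.0.113.7 port 49575 ssh2
Jan 15 12:09:54 host sshd[18350]: Failed password for invalid user ap from 203.0.113.7 port 49601 ssh2
Jan 15 12:09:56 host sshd[18352]: Invalid user molly from 203.0.113.7
Jan 15 12:09:58 host sshd[18355]: Invalid user molly from 203.0.113.7
Jan 15 12:10:00 host sshd[18357]: Invalid user sophie from 203.0.113.7
Jan 15 12:10:30 host sshd[18360]: Failed password for tony from 198.51.100.9 port 50010 ssh2
Jan 15 12:11:00 host sshd[18362]: Accepted publickey for tony from 198.51.100.9 port 50011 ssh2
Jan 15 12:11:05 host sshd: refused connect from 203.0.113.7 (203.0.113.7)
EOF
printf 'sshd: 192.0.2.44\n' > "$tmp/hosts.deny"      # entry from an earlier run
blocklist_update "$tmp/auth.log" "$tmp/hosts.deny" 5  # prints 203.0.113.7
cat "$tmp/hosts.deny"
```

Running it again is a no-op because the address is already listed; the single failure from 198.51.100.9 stays under the threshold.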
From: John Phillips on
On 2006-01-15, Nix <nix-razor-pit(a)esperi.org.uk> wrote:
> The vast majority of attacks on SSH are attacks on bad passwords; I've
> had some twit trying for most of today and yesterday, four or five
> requests a second...

I saw a lot of that until I throttled back the allowable connection
rate with iptables. Probably not much extra security, if any, but they
generally go away now after a very small number of attempts.

> Jan 15 15:23:17 esperi info: sshd[11806]: Invalid user molly from 208.187.226.110
> ...
> Jan 15 15:24:17 esperi info: sshd[11879]: Invalid user alexa from 208.187.226.110
>
> With PasswordAuthentication off, all they're doing is tarpitting
> themselves and wasting their time.

Indeed, although they do use up a little connection bandwidth and
processing time on the target machine.

--
John Phillips