
[OCLUG-Tech] Re: ssh suggestions

Dan Langille wrote:
We are far away from the original topic.  A new thread begins.

On 16 Apr 2006 at 18:34, Martin Hicks wrote:

On Sat, Apr 15, 2006 at 12:42:15PM -0400, sberaud wrote:
Adding the drop rule was made easy with Webmin, once I knew what I had to do.

Okay, so here's what I do.  I use ipt_recent, which allows you to do
<something> if someone tries to connect to you at a fairly high rate.
This stops the brute force ssh attacks in their tracks.

# Rate limit SSH -- avoid dictionary attacks
iptables -A INPUT -p tcp --dport 22 -i $extdev -m state --state NEW -m recent \
        --set
iptables -A INPUT -p tcp --dport 22 -i $extdev -m state --state NEW -m recent \
        --update --seconds 60 --hitcount 4 -j LOG
iptables -A INPUT -p tcp --dport 22 -i $extdev -m state --state NEW -m recent \
        --update --seconds 60 --hitcount 4 -j DROP


The suggestions by Martin are what I dreamed of doing, but was way beyond me. With red face, I should have been more clear. I found out how to add a drop rule to Shorewall, not IPChains. I have no idea how to do something this complex with Shorewall (vintage 2003), and ipchains has not been a successful endeavor for me in the past. It is time to learn I suppose, because I need to do this for MySQL as well.


I would recommend moving sshd to listen on another higher, random port. e.g. 12345.


I noticed all the attacks were trying random ports in the upper range. I am curious about the upper ports. Why are they more secure than the lower ones?


Also, make use of the ssh config file to limit incoming connections to known IP addresses.

Under normal conditions I usually have SSH firewalled away from the world, this seems to be a good extra layer of security.

And best of all, require the use of ssh keys to login, not passwords.



This is a very good idea.

There is always more to learn. ;)

Thanks
Scy
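The following is an added example, not code from the list thread. It parameterises the ipt_recent rule set Martin quoted (port, interface, window and hit count) and emits the sshd_config directives that implement Dan's other suggestions: a non-default port, key-only login, and restricting logins to named user@host patterns with AllowUsers. The function names, the interface eth0, the port 12345 and the address 192.0.2.10 are assumptions chosen for illustration. The script only prints the rules; to apply them you would pipe the first function's output to sh as root. One caveat on the port question raised in the thread: a high port reduces noise from scanners that only probe 22, it does not make the daemon itself any safer, which is why the key-only and address-restriction settings matter more.

```shell
#!/bin/sh
# Added example (not from the OCLUG thread). Hypothetical helper names.
# Nothing here executes iptables; both functions print configuration text.

# Emit the three-rule ipt_recent chain for TCP port $1 on interface $2.
# Rule 1 records a timestamp for every new connection attempt per source.
# Rules 2 and 3 match when the same source has made $hits new attempts
# within $window seconds: first log the attempt, then drop it. --update
# refreshes the source's timestamp on each match, so a client that keeps
# retrying stays blocked until it has been quiet for a full window.
ssh_ratelimit_rules() {
    port="$1"; dev="$2"; window="${3:-60}"; hits="${4:-4}"
    printf 'iptables -A INPUT -p tcp --dport %s -i %s -m state --state NEW -m recent --set\n' \
        "$port" "$dev"
    printf 'iptables -A INPUT -p tcp --dport %s -i %s -m state --state NEW -m recent --update --seconds %s --hitcount %s -j LOG --log-prefix "SSH-BRUTE: "\n' \
        "$port" "$dev" "$window" "$hits"
    printf 'iptables -A INPUT -p tcp --dport %s -i %s -m state --state NEW -m recent --update --seconds %s --hitcount %s -j DROP\n' \
        "$port" "$dev" "$window" "$hits"
}

# Emit sshd_config directives: listen on port $1, refuse password and
# challenge-response logins so only public keys work, refuse direct root
# login, and (if any user@host patterns are given) allow only those.
sshd_config_lines() {
    port="$1"; shift
    printf 'Port %s\n' "$port"
    printf 'PasswordAuthentication no\n'
    printf 'ChallengeResponseAuthentication no\n'
    printf 'PubkeyAuthentication yes\n'
    printf 'PermitRootLogin no\n'
    if [ $# -gt 0 ]; then
        printf 'AllowUsers %s\n' "$*"
    fi
    return 0
}

# Stand-alone demo: print the firewall rules and sshd_config lines for a
# daemon moved to port 12345 on eth0, reachable only by alice from one host.
ssh_ratelimit_rules 12345 eth0
sshd_config_lines 12345 'alice@192.0.2.10'
```

The LOG rule has no rate limit of its own, so a persistent attacker can fill the log at the same rate it connects; on a busy host add `-m limit` to that rule or drop it entirely. Test the rules from a second session before closing the one you are in, since a mistake in the port or interface locks you out as well.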
