Kamaraju Kusumanchi <[EMAIL PROTECTED]> writes:

> Does anyone have suggestions on tightening up the default sshd_config
> file? I read about disabling the password authentication mechanism
> completely and using only the key authorization mechanism. But this is
> too inconvenient to stick to. For example, if I go to a friend's
> machine, I would like to be able to ssh from it, without bothering
> about transferring keys back and forth. Any other suggestions are
> welcome.
I usually enable the recent module in iptables, which means that you can
only log in once every minute or so. It usually gives the attacker only
one try before they get shut down. Example:

  # allow established and related connections
  /sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  # if a NEW or INVALID packet comes in from an address that is already in
  # our recent list (seen within the last 60 seconds), refresh its entry
  # and drop the packet
  /sbin/iptables -A INPUT -m state --state NEW,INVALID -m recent --update --seconds 60 -j DROP

  # allow new connections to the ssh port and add the source address to our
  # recent list (ssh is a TCP service, so the protocol match has to be -p tcp
  # for --dport to be accepted)
  /sbin/iptables -A INPUT -p tcp --dport ssh -m state --state NEW,INVALID -m recent --set -j ACCEPT

The ordering of the rules is important, otherwise you might lock
yourself out. Basically, every time an ssh connection is made, the IP
address gets added to a list. If a connection is made from the same IP
within 60 seconds, then the connection is dropped. Usually, attackers
will drop the connection and try again if the username/password does
not match. This means that they only get one try. And since the 60
second time limit is reset every time someone makes a connection, they
will never get the login unless they wait 60 seconds (which they never
do).

Also, in /etc/hosts.deny, set

  ALL: PARANOID

-- 
John L. Fjellstad
web: http://www.fjellstad.org/
Quis custodiet ipsos custodes
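The behaviour of those three rules is easy to get wrong, so here is an added model of them that is not part of the reply above or of iptables itself: a small Python simulation of the xt_recent list with `--update --seconds 60` and `--set` semantics, walked in the same rule order, over a constructed packet timeline (the addresses and timestamps are made up). It shows the point the reply makes (a brute-forcer that reconnects right after each failure is dropped every time, because each dropped attempt refreshes its timestamp) and the lock-out caveat (a legitimate admin who opens a second session within the window is dropped too, and that retry extends their own wait).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

WINDOW_SECONDS = 60   # the --seconds 60 value from the rules in the reply
SSH_PORT = 22         # --dport ssh resolves to 22 via /etc/services


@dataclass
class Packet:
    src: str            # source IP address
    t: float            # arrival time in seconds on a constructed timeline
    state: str          # conntrack state: NEW, ESTABLISHED, RELATED or INVALID
    proto: str = "tcp"
    dport: int = SSH_PORT


@dataclass
class RecentList:
    """Model of one xt_recent list: source address -> time it was last seen."""
    last_seen: Dict[str, float] = field(default_factory=dict)

    def update(self, src: str, now: float, seconds: int) -> bool:
        # -m recent --update --seconds N: match only if src is in the list and
        # was seen within the last N seconds; on a match refresh its timestamp.
        t = self.last_seen.get(src)
        if t is not None and now - t <= seconds:
            self.last_seen[src] = now
            return True
        return False

    def set(self, src: str, now: float) -> None:
        # -m recent --set: add src to the list (or refresh it) unconditionally.
        self.last_seen[src] = now


def filter_packet(recent: RecentList, pkt: Packet) -> str:
    """Walk the INPUT rules in the order the reply gives them."""
    # rule 1: -m state --state RELATED,ESTABLISHED -j ACCEPT
    if pkt.state in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"
    # rule 2: -m state --state NEW,INVALID -m recent --update --seconds 60 -j DROP
    if pkt.state in ("NEW", "INVALID") and recent.update(pkt.src, pkt.t, WINDOW_SECONDS):
        return "DROP"
    # rule 3: -p tcp --dport ssh -m state --state NEW,INVALID -m recent --set -j ACCEPT
    if pkt.proto == "tcp" and pkt.dport == SSH_PORT and pkt.state in ("NEW", "INVALID"):
        recent.set(pkt.src, pkt.t)
        return "ACCEPT"
    return "POLICY"  # nothing matched; the chain's default policy decides


def run_timeline(packets: List[Packet]) -> List[Tuple[str, float, str]]:
    """Feed packets through a fresh recent list; return (src, time, verdict)."""
    recent = RecentList()
    return [(p.src, p.t, filter_packet(recent, p)) for p in packets]


# Constructed timeline (not captured traffic): a brute-forcer that reconnects
# immediately after each failed login, and an admin who sometimes retries.
ATTACKER = "203.0.113.7"
ADMIN = "198.51.100.4"
SAMPLE = [
    Packet(ATTACKER, 0, "NEW"),           # first attempt: accepted, address listed
    Packet(ADMIN, 1, "NEW"),              # admin's first session: accepted
    Packet(ADMIN, 2, "ESTABLISHED"),      # later packet of that session: rule 1
    Packet(ATTACKER, 3, "NEW"),           # retry after the failed login: dropped
    Packet(ADMIN, 30, "NEW"),             # second session 29 s later: dropped, entry refreshed to t=30
    Packet(ATTACKER, 40, "NEW"),          # still inside the window: dropped, refreshed
    Packet(ATTACKER, 95, "NEW"),          # 55 s after the last refresh: dropped again
    Packet(ADMIN, 100, "NEW"),            # 70 s after the admin's refreshed entry: accepted
]

if __name__ == "__main__":
    for src, t, verdict in run_timeline(SAMPLE):
        print(f"t={t:>4}  {src:<14} {verdict}")
```

Two things the simulation makes visible that the rules alone do not: the list is keyed by source address only, so a brute force spread across many addresses is not slowed at all, and the `--update` refresh means an attacker who keeps retrying extends their own block indefinitely, which is exactly what makes the scheme work against a single persistent source. The `ALL: PARANOID` line in hosts.deny is a separate tcp_wrappers control and is not modelled here.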

