Justin Findlay wrote:
On 4/11/06, Wade Preston Shearer <[EMAIL PROTECTED]> wrote:
My server can get up ~12,000 [1] failed login attempts recorded in
my server's logs in one day. How much of a concern should this be? I
am aware of restricting shell access to certain IPs. Will that
restrict the handshake or will I still see the attempts in my logs?
Are there any ways to restrict the attempts?

What I've done: 1. Change ssh port to a random non privileged, non
used port.  2. Use good passwords.  3. Install DenyHosts and change
the default "protective" settings to "brutally unforgiving" as in
after 5 tries at a password on any account real or fantastic, that
host is denied all services for forever.

The simplest thing you can do to reduce the failed login attempts is to move ssh to another port. That is not the only thing you should do though.

As previously suggested, add several security layers to it.
Note: some suggestions cause more pain to good people than to the bad people.

1. Limit connecting to ssh from certain IPs or netblocks.
   a. Firewall
   b. tcpwrappers (hosts.allow/hosts.deny)
   c. or other.
2. Hide ssh
   a. move to another port
3. Limit authentication methods
   a. AllowGroups or AllowUsers see man 5 sshd_config
   b. PermitRootLogin no
   c. PasswordAuthentication no
      Note: ChallengeResponseAuthentication should be disabled too if
      PAM is enabled.
4. Watch log entries
   a. Use an automated log watcher to block repeated failures
   b. Use logwatch or similar to alert you to important entries
5. Once authenticated limit abilities
   a. For system accounts - verify shell is false, nologin, or similar
   b. For real accounts
      1. Enforce good passwords
      2. Careful with sudo and su abilities.
   c. Keep system up to date to avoid privilege escalation

Each option has its merits and drawbacks, carefully evaluate and implement the steps that fit well in your situation.

--lonnie
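As an added example of the log-watching logic in step 4a (my code, not Lonnie's reply and not DenyHosts itself): count sshd "Failed password" lines per source address and emit hosts.deny entries for any address at or over a threshold. The log lines are constructed, and the five-try threshold is an assumption taken from Justin's DenyHosts setting.

```python
import re
from collections import defaultdict

# Constructed sshd syslog lines; not taken from any real server.
SAMPLE_LOG = """\
Apr 11 03:12:01 host sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Apr 11 03:12:03 host sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Apr 11 03:12:05 host sshd[2304]: Failed password for root from 203.0.113.7 port 51130 ssh2
Apr 11 03:12:08 host sshd[2306]: Failed password for invalid user test from 203.0.113.7 port 51140 ssh2
Apr 11 03:12:10 host sshd[2308]: Failed password for root from 203.0.113.7 port 51150 ssh2
Apr 11 03:12:12 host sshd[2310]: Failed password for root from 203.0.113.7 port 51160 ssh2
Apr 11 08:40:21 host sshd[2900]: Failed password for wade from 198.51.100.4 port 40011 ssh2
Apr 11 08:40:30 host sshd[2900]: Accepted publickey for wade from 198.51.100.4 port 40011 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." (user and IPv4 captured).
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)


def count_failures(log_text):
    """Return {ip: {"count": n, "users": set_of_usernames_tried}}."""
    failures = defaultdict(lambda: {"count": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip]["count"] += 1
            failures[ip]["users"].add(user)
    return dict(failures)


def hosts_to_deny(log_text, threshold=5):
    """Sorted list of source IPs with at least `threshold` failures (assumed 5)."""
    return sorted(
        ip for ip, f in count_failures(log_text).items() if f["count"] >= threshold
    )


def hosts_deny_lines(ips):
    """Render the offending IPs as tcpwrappers hosts.deny entries for sshd."""
    return ["sshd: %s" % ip for ip in ips]


if __name__ == "__main__":
    for ip, f in sorted(count_failures(SAMPLE_LOG).items()):
        print("%-15s %3d failures, users tried: %s" % (ip, f["count"], sorted(f["users"])))
    print("\n".join(hosts_deny_lines(hosts_to_deny(SAMPLE_LOG))))
```

Successful logins ("Accepted ...") are ignored on purpose, so a real user who fat-fingers a password once is not blocked.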


/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
