Not long ago, Dave Smith proclaimed...

> In the past, I have used /etc/hosts.[deny|allow] to secure my SSH server by
> restricting access to a limited number of IP addresses. This has worked
> very well for me over the past 3 or 4 years, but now I need to allow access
> to a non-enumerable set of client IP addresses, so I am considering
> alternate methods. The first method on my list is to require key-based
> authentication (no passwords). Secondly, I'm thinking about using an
> alternate port (i.e., 2222 instead of 22) simply to ward off automated botnet
> logins.
>
> Does anyone see a problem with this? Any other ideas?
If you can get away with it, disable password authentication in sshd_config (the 'PasswordAuthentication' directive) and require DSA (or RSA) keys. If you must allow password authentication, first make sure you do not allow the root user to log in via SSH. This is controlled via the 'PermitRootLogin' directive in sshd_config.

Newer versions of OpenSSH have some controls that provide some defense against the all-evil dictionary password attack. Hopefully someone more familiar with these controls will comment on them.

I've had a lot of luck using DenyHosts and there are plenty of lookalikes out there as well. DenyHosts works by populating the tcpwrappers config files (e.g. /etc/hosts.deny), just like you've been doing, after analyzing sshd entries in your syslog files. Other programs actually use iptables. DenyHosts can be found here:

<http://denyhosts.sourceforge.net/>

Because passwords are the real weakness where dictionary attacks are concerned, not allowing them is ideal.

I don't think much will be gained from using an alternate port as it is trivial to scan a machine and identify any SSH ports.

Port knocking is an option, but not one your users will appreciate as it requires more effort on their part. Wikipedia will tell you more about it:

<http://en.wikipedia.org/wiki/Port_knocking>

Good luck.

--
[EMAIL PROTECTED] is Doran L. "Fozz" Barton
 "Enraged cow injures farmer with axe"
   -- Headline seen in newspaper
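As an added illustration of the DenyHosts mechanism Fozz describes (my own example, not DenyHosts' code): a small script that scans sshd syslog entries for failed password logins, counts them per source address, and emits tcpwrappers lines for /etc/hosts.deny once an address crosses a threshold. The log lines are constructed, and the threshold, the allow list and the "sshd:" daemon name in the deny entries are assumptions.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not real data), in the format OpenSSH
# writes when a password login is rejected or a key login is accepted.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 host sshd[2311]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  3 10:01:15 host sshd[2311]: Failed password for root from 203.0.113.7 port 40123 ssh2
Mar  3 10:01:19 host sshd[2315]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Mar  3 10:02:02 host sshd[2320]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Mar  3 10:02:40 host sshd[2322]: Accepted publickey for alice from 198.51.100.20 port 51002 ssh2
Mar  3 10:03:01 host sshd[2330]: Failed password for invalid user test from 192.0.2.9 port 33001 ssh2
Mar  3 10:03:03 host sshd[2330]: Failed password for invalid user oracle from 192.0.2.9 port 33002 ssh2
Mar  3 10:03:05 host sshd[2331]: Failed password for invalid user guest from 192.0.2.9 port 33003 ssh2
"""

# Matches both "Failed password for <user> from <ip>" and the
# "invalid user" variant sshd logs for accounts that do not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)

def count_failures(log_text):
    """Return a Counter mapping source IP -> number of failed password attempts."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts

def hosts_deny_entries(counts, threshold=3, allow=()):
    """Build tcpwrappers lines ('sshd: <ip>') for addresses at or above the
    failure threshold. Addresses in `allow` (your known-good clients) are
    never listed, so a mistyped password from the office does not lock you out."""
    return sorted(
        f"sshd: {ip}" for ip, n in counts.items() if n >= threshold and ip not in allow
    )

if __name__ == "__main__":
    for entry in hosts_deny_entries(count_failures(SAMPLE_AUTH_LOG)):
        print(entry)  # these lines would be appended to /etc/hosts.deny
```

A real deployment would also expire entries after some time and should read the log incrementally rather than rescanning it, which is what DenyHosts and its lookalikes handle for you.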
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
