securing sshd

Peter fbsdq at peterk.org
Sun Mar 21 01:27:45 UTC 2010


> Jamie Griffin <Jamie at fantomatic.co.uk> writes:
>
>> Hello
>>
>> I've been reading up on securing sshd after being bombarded with
>> attempted logins.
>>
>> The steps I've taken so far to make things more secure are:
>>
>> * changed the encryption method for passwords in /etc/login.conf from
>> md5 to blowfish and changed all the passwords to ridiculously obscure
>> ones (at least as obscure as I could think of).
>>
>> * changed /etc/ttys secure entries to insecure to prevent root logins on
>> the console
>>
>>   (the above are not really sshd specific i know.)
>>
>> * Disabled root login by ssh in /etc/ssh/sshd_config
>>
>> * Set myself as the only user able to login by ssh
>>
>> * Disabled password logins completely, and to only allow public key
>> authentication
>>
>> * Changed the default ssh port from 22 to something much higher
>>
>> I'm the only user that will ever need to log into the machine. I
>> wondered, does this setup seem ok and are there any other methods used
>> by anyone on list that might help me to secure remote logins even
>> further?
>
> Hi,
>
> I'm using the following pf snippet in order to "protect" myself and my
> system's logs against brute force attempts on sshd:
>
> #
> # Block them all
> #
> block log quick from <bruteforce_ssh>
>
> #
> # connection rate the incoming ssh connections and fill the bruteforce
> # table
> #
> pass in log inet proto tcp from any to any port = 22 \
>      flags S/SA keep state \
>      (max-src-conn 10, max-src-conn-rate 5/4, \
>      overload <bruteforce_ssh> flush global)
>
> For more information on how this works, take a look at pf.conf(5).
>
> I don't know if it's complete (or even good practice), but a) I think it
> works for me and b) it does not depend on a port-provided solution.
>
>> Thanks for any help.
>>
>> Jamie

Along the same lines, port knocking with pf:

.
..
...
# Table for allowed IPs
#  [gets auto populated via portknocking]
table <portknock_ssh> persist
.
..
...
block  # default block policy
# Allow everyone to hit 'any' on port '1234' - pf proxies tcp connection
#  [if not using 'synproxy', the connection is never established to
#    'overload' the rule]
#  5 attempts in 15 seconds
pass in log quick proto tcp from any to any port {1234} synproxy state \
  (max-src-conn-rate 5/15, overload <portknock_ssh>)

# Allow IPs that have been 'overload'ed into the portknock_ssh table
pass in log quick proto tcp from {<portknock_ssh>} to any port {ssh}
.
..
...

Although ssh is blocked from all except some trusted IPs, you can still
always have access; you just have to knock first.

]Peter[


Then add a crontab entry, as needed, to expire all IPs in that table
that have not been referenced in 60 seconds:

*     *    *    *     * /sbin/pfctl -vt portknock_ssh -T expire 60

All established sessions will be kept alive; all new sessions will need to
port-knock after the IP is cleared from the table.
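An added example (not code from the post or from pf itself) that models the two mechanisms the thread relies on, pf's max-src-conn-rate overload counter and `pfctl -T expire`, so the 5/15 knock rule and the 60-second cron job can be checked offline before editing a live pf.conf. It assumes the counter behaves like pf's pf_add_threshold()/pf_check_threshold() (a per-source count scaled by 1000 that decays linearly over the window and is compared with a strict greater-than after each completed TCP handshake), that an address already in the table is not re-added, so expire measures from the first add, and the addresses, ports and timestamps are constructed. The class and function names are mine.

```python
# Added example (not from the post above): a model of pf's max-src-conn-rate
# overload counter and of `pfctl -T expire`, to check the knock numbers offline.
# Assumptions: the counter follows pf's pf_add_threshold()/pf_check_threshold()
# (linear decay over the window, compared against limit*1000 after each
# completed TCP handshake); an address already in the table is not re-added,
# so expire measures from the first add. Addresses and times are constructed.
from dataclasses import dataclass, field

PF_THRESHOLD_MULT = 1000  # pf scales the counter so it can decay with integer math


@dataclass
class Threshold:
    """Per-source connection-rate state, one per source address per rule."""
    limit: int            # max-src-conn-rate N ...
    seconds: int          # ... /seconds
    count: int = 0        # scaled counter (connections * 1000, decayed)
    last: int = 0         # unix time of the last counted connection

    def add(self, now: int) -> None:
        """Count one completed connection at `now`, decaying the old count first."""
        diff = now - self.last
        if diff >= self.seconds:
            self.count = 0
        else:
            self.count -= self.count * diff // self.seconds
        self.count += PF_THRESHOLD_MULT
        self.last = now

    def exceeded(self) -> bool:
        # strictly greater: the (limit+1)-th connection in the window trips it
        return self.count > self.limit * PF_THRESHOLD_MULT


@dataclass
class OverloadTable:
    """The <portknock_ssh> table: address -> time it was added (pf's tzero)."""
    added: dict = field(default_factory=dict)

    def insert(self, addr: str, now: int) -> None:
        self.added.setdefault(addr, now)      # an existing entry keeps its tzero

    def expire(self, now: int, seconds: int) -> list:
        """`pfctl -t T -T expire seconds` run at `now`: drop entries added
        `seconds` or more ago; returns the addresses removed."""
        gone = sorted(a for a, t in self.added.items() if now - t >= seconds)
        for a in gone:
            del self.added[a]
        return gone


class KnockFirewall:
    """The two pass rules from the post: knocks on the synproxied port feed
    the table; ssh is accepted only from addresses already in it."""

    def __init__(self, limit: int = 5, seconds: int = 15):
        self.limit, self.seconds = limit, seconds
        self.rate = {}                        # src addr -> Threshold
        self.table = OverloadTable()

    def knock(self, src: str, now: int) -> bool:
        """One knock whose handshake completed (synproxy answers it) at `now`.
        Returns True when this knock overloaded `src` into the table."""
        th = self.rate.setdefault(src, Threshold(self.limit, self.seconds))
        th.add(now)
        if th.exceeded():
            self.table.insert(src, now)
            return True
        return False

    def ssh_allowed(self, src: str) -> bool:
        return src in self.table.added


def run_scenarios(limit: int = 5, seconds: int = 15, lifetime: int = 60) -> dict:
    """Three constructed scenarios against the post's 5/15 rule and 60 s cron."""
    fw = KnockFirewall(limit, seconds)
    t0 = 1_700_000_000                        # constructed epoch time
    fast, slow = "203.0.113.7", "198.51.100.9"  # constructed TEST-NET addresses
    out = {}
    # (a) six back-to-back knocks: the counter hits 6000 > 5000 on the sixth
    out["fast"] = [fw.knock(fast, t0) for _ in range(limit + 1)]
    out["fast_ssh"] = fw.ssh_allowed(fast)
    # (b) five knocks, then a sixth 8 s later: 5000 has decayed to 2334,
    #     so the sixth only reaches 3334 and nothing is overloaded
    for _ in range(limit):
        fw.knock(slow, t0)
    out["slow"] = fw.knock(slow, t0 + 8)
    out["slow_count"] = fw.rate[slow].count
    out["slow_ssh"] = fw.ssh_allowed(slow)
    # (c) the per-minute cron: nothing expires at +30 s, `fast` goes at +60 s
    out["expire_30"] = fw.table.expire(t0 + 30, lifetime)
    out["expire_60"] = fw.table.expire(t0 + 60, lifetime)
    out["fast_ssh_after"] = fw.ssh_allowed(fast)
    return out


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

Two things fall out of running it: a knocker has to open limit+1 connections inside the window (six for 5/15), not five, because the comparison is a strict greater-than; and the table entry's clock starts at the first overload and is not refreshed by further knocks, so with a per-minute `-T expire 60` an address is good for somewhere between 60 and 120 seconds of new ssh connections before it has to knock again.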


