securing SSH, FBSD systems

Chris racerx at makeworld.com
Sun May 22 13:42:37 PDT 2005


Jerry Bell wrote:
> These attacks are almost exclusively automated, looking to install a
> script to launch spam runs from.  They're essentially trying common
> username and weak password combinations - blank password, passwords the
> same as the user name, abc123, etc.  There are four things you can do to
> improve the security of sshd:
> 1. Move sshd to listen on a different port.  This will not protect against
> a concerted attack, though.
> 2. Check for weak passwords.  John the ripper can help out with that. 
> pam_passwdqc(8) can help you enforce strong passwords.
> 3. Integrate an automated log monitoring system that looks for
> *successful* logins, since those are really what you're worried about
> anyway.  This can be difficult to manage if you have a lot of regular
> shell users.
> 4. Keep up-to-date with security patches and advisories.  Attacking your
> system through password guessing is much harder than using a vulnerability
> in sshd or some other service.
> 
> I have a security guide for FreeBSD at:
> http://www.syslog.org/Content-5-4.phtml

5. (and my favorite) If running IPFW, use something like this if you
don't need ssh open to the whole of the internet. Narrow it down to a
range of IPs you need.

IE:
# Allow in SFTP, SSH, and SCP from only certain public IP's
${fwcmd} add 090 pass log tcp from xxx.xxx.xxx.xxx/29 to ${ip} 22 setup limit src-addr 4

What this does is allow up to 4 connections via ssh on port 22 from a
specified address range (or IP or class).



-- 
Best regards,
Chris

If an idea can survive a bureaucratic review and be
implemented, it wasn't worth doing.
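
Added example, not part of the original thread: one way to do the log monitoring from point 3, listing every successful sshd login and marking the ones that come from outside the address range allowed in the firewall rule or that follow repeated failures from the same source. The log lines are constructed samples in OpenSSH's syslog format, and the trusted range, the threshold and the function name are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in OpenSSH's syslog format; addresses are documentation ranges.
SAMPLE_LOG = """\
May 22 13:40:01 host sshd[611]: Failed password for invalid user admin from 203.0.113.5 port 4000 ssh2
May 22 13:40:03 host sshd[613]: Failed password for root from 203.0.113.5 port 4002 ssh2
May 22 13:40:05 host sshd[615]: Failed password for test from 203.0.113.5 port 4004 ssh2
May 22 13:40:09 host sshd[617]: Accepted password for test from 203.0.113.5 port 4010 ssh2
May 22 13:41:12 host sshd[620]: Accepted publickey for chris from 192.0.2.10 port 51234 ssh2
May 22 13:42:30 host sshd[624]: Failed password for chris from 192.0.2.11 port 51300 ssh2
May 22 13:42:37 host sshd[626]: Accepted password for chris from 192.0.2.11 port 51302 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:(?:invalid|illegal) user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def review_logins(log_text, trusted_nets, fail_threshold=3):
    """Return one record per successful login, with reasons it deserves a look."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    failures = Counter()  # failed attempts seen so far, per source address
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
            continue
        reasons = []
        try:
            addr = ipaddress.ip_address(ip)
            if not any(addr in n for n in nets):
                reasons.append("outside trusted range")
        except ValueError:
            reasons.append("unparseable source")
        if failures[ip] >= fail_threshold:
            reasons.append(f"after {failures[ip]} failures")
        findings.append({"user": m["user"], "ip": ip, "method": m["method"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    # 192.0.2.8/29 is an assumed trusted range standing in for the /29 in the ipfw rule.
    for f in review_logins(SAMPLE_LOG, ["192.0.2.8/29"]):
        print(f["user"], f["ip"], f["method"], "; ".join(f["reasons"]) or "ok")
```

On a live system the same function can be fed the contents of the sshd log instead of the sample, with the trusted list matching the firewall rule.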

