Best practices for securing SSH server

Chris Rees utisoft at googlemail.com
Tue Jun 23 08:12:53 UTC 2009 

2009/6/23 Wojciech Puchar <wojtek at wojtek.tensor.gdynia.pl>:
>> If for some reason you would prefer to use password authentication, I
>> would recommend that you look into automatic brute force detection.
>> There are a number of utilities in ports available for this purpose,
>> including security/sshguard and security/denyhosts.
>
> good, but not really important with properly chosen password.
> You can't do more than maybe 10 attempts/second this way, while cracking 10
> character password consisting of just small letters and digits needs
>
> 36^10=3656158440062976 possible passwords, and over 11 milion years to check
> all possibilities, so say 100000 years if someone is really lucky and will
> get it after checking 1% possible password.
>
> Of course - you must not look at logs in 100000 years and not see this 10
> attempts per second.
>
>
>
> I give this example against common paranoia that exist on that group - mix
> of real "security paranoid" persons and pseudo-experts that like to repeat
> "intelligent" phrases to show up themselves.
>
> Actually - there is no need for extra protection for ssh, but for humans.
>
> 99% of crack attempts are done by "kevin mitnick" methods, not password
> cracking.

You're right about the probability of password breaking, but
personally I installed denyhosts just because I got sick of this:

Aug 22 00:46:21 amnesiac sshd[63107]: error: PAM: authentication error
for illegal user adrian from
adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:21 amnesiac sshd[63107]: Failed keyboard-interactive/pam
for invalid user adrian from 76.193.128.193 port 2901 ssh2
Aug 22 00:46:23 amnesiac sshd[63110]: error: PAM: authentication error
for illegal user agfa from
adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:23 amnesiac sshd[63110]: Failed keyboard-interactive/pam
for invalid user agfa from 76.193.128.193 port 3165 ssh2
Aug 22 00:46:26 amnesiac sshd[63113]: error: PAM: authentication error
for illegal user agneta from
adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:26 amnesiac sshd[63113]: Failed keyboard-interactive/pam
for invalid user agneta from 76.193.128.193 port 3338 ssh2
Aug 22 00:46:29 amnesiac sshd[63116]: error: PAM: authentication error
for illegal user ahren from
adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:29 amnesiac sshd[63116]: Failed keyboard-interactive/pam
for invalid user ahren from 76.193.128.193 port 3499 ssh2

10,000 lines of this in _every_ security digest I get off my server.
No I haven't changed any IP addresses, either.

Now I get:

Added the following hosts to /etc/hosts.evil:
89.232.63.160
87.117.236.15

Much easier to read...

Chris

-- 
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in a mailing list?

More information about the freebsd-questions mailing list