securing sshd
Erik Norgaard
norgaard at locolomo.org
Sat Mar 20 15:32:32 UTC 2010
On 20/03/10 14:18, Jamie Griffin wrote:
> I've been reading up on securing sshd after being bombarded with attempted logins.
Hi!
The first step to ssh security is: Don't panic! Take your time to read the
logs and understand what's going on. So, you got bombarded with login
attempts, but they failed. Just because there is some log entry doesn't
mean you have to act on it.
I recall reading an analysis of this kind of brute force attack on
securityfocus.com. These brute force attacks are pretty harmless if
you've got basic security in place.
This was also discussed on the list two weeks ago, check the archives.
> * Disabled root login by ssh in /etc/ssh/sshd_config
Good, if you read the logs you will see that about 50% of the attempts
are against the root account.
> * Set myself as the only user able to login by ssh
Good, if you read the logs you will see that about 40% of the attempts
are against standard unix accounts, and guest. The remaining are against
randomly generated user names, usually based on common names (john,
smith, etc.); you can get this statistic from your logs.
> * Disabled password logins completely, and to only allow public key authentication
This seems good for security, but not always practical. Now you have to
walk around with a USB or have keys on your laptop, and if you lose the
USB or the laptop gets stolen you can't get access. Worse, you can't
revoke the keys till you get back home.
> * Changed the default ssh port from 22 to something much higher
Number is irrelevant and I discourage this. If you ever find yourself
behind somebody else's firewall, if access is enabled it is enabled for
the default port.
> I'm the only user that will ever need to log into the machine. I wondered, does this setup seem ok and are there any other methods used by anyone on list that might help me to secure remote logins even further?
Since you're the only one on that system, you know where you're going to
connect from, at least roughly. Why allow connections from anywhere?
Restrict the client access to certain ranges of IPs. The different
registries publish IP ranges assigned per country and you can create a
list blocking countries you are certain not to visit; you can use my script:
http://www.locolomo.org/pub/src/toolbox/inet.pl
The last things I can think of are: don't use your user name as in your
mail address, don't use your mail password as your unix account password, and
remember to password protect your ssh keys. Run other services such as
mail, http, dns etc. in jails - if possible separate jails. All this
depends on your paranoia.
BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157 http://www.locolomo.org
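To put numbers behind the "read your logs first" advice in the reply above, here is an added example (written for this page, not code from the thread or from Erik's toolbox) that tallies failed sshd logins by the three account categories the reply describes and by source address. The log lines, host name, PIDs and addresses are constructed; the STANDARD_ACCOUNTS set is an assumption about which names count as "standard unix accounts".

```python
import re
from collections import Counter

# sshd logs each rejected attempt as "Failed <method> for [invalid user ]<name> from <addr>".
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(\S+) from (\S+)")

# Accounts on a typical Unix box or every brute-force wordlist (assumed set);
# the rest are treated as guessed names (john, smith, ...).
STANDARD_ACCOUNTS = {"admin", "guest", "test", "user", "operator", "toor", "bin",
                     "daemon", "nobody", "www", "ftp", "mail", "mysql", "postgres"}

# Constructed sample of sshd entries from auth.log (RFC 5737 addresses, made-up PIDs).
SAMPLE_LOG = """\
Mar 20 10:01:11 host sshd[1201]: Failed password for root from 192.0.2.10 port 50122 ssh2
Mar 20 10:01:14 host sshd[1203]: Failed password for root from 192.0.2.10 port 50130 ssh2
Mar 20 10:01:20 host sshd[1205]: Failed password for invalid user admin from 192.0.2.10 port 50140 ssh2
Mar 20 10:01:25 host sshd[1207]: Failed password for root from 192.0.2.10 port 50150 ssh2
Mar 20 10:01:31 host sshd[1209]: Failed password for invalid user test from 192.0.2.10 port 50161 ssh2
Mar 20 10:01:36 host sshd[1211]: Failed password for root from 192.0.2.10 port 50170 ssh2
Mar 20 10:02:02 host sshd[1220]: Failed password for root from 198.51.100.7 port 41000 ssh2
Mar 20 10:02:05 host sshd[1222]: Failed password for invalid user guest from 198.51.100.7 port 41002 ssh2
Mar 20 10:02:09 host sshd[1224]: Failed password for invalid user john from 198.51.100.7 port 41004 ssh2
Mar 20 10:02:13 host sshd[1226]: Failed password for invalid user smith from 198.51.100.7 port 41006 ssh2
Mar 20 10:03:00 host sshd[1230]: Accepted publickey for jamie from 203.0.113.5 port 2222 ssh2
"""

def classify(user):
    """Bucket a login name: root, a standard account, or a guessed name."""
    if user == "root":
        return "root"
    return "standard" if user in STANDARD_ACCOUNTS else "other"

def summarize(log_text):
    """Tally failed sshd logins per bucket and per source address."""
    buckets, sources = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:  # accepted logins and other sshd chatter do not match
            user, addr = m.groups()
            buckets[classify(user)] += 1
            sources[addr] += 1
    total = sum(buckets.values())
    percent = {k: round(100.0 * v / total, 1) for k, v in buckets.items()}
    return {"total": total, "counts": dict(buckets), "percent": percent,
            "top_sources": sources.most_common(3)}

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} failed logins, share per bucket: {s['percent']}")
    print("busiest sources:", s["top_sources"])
```

Point it at a real auth.log and the busiest-source list is what you would feed into an address-range restriction, while a large "other" share tells you the attempts are wordlist guesses rather than anyone who knows your user name.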