Re: SSH attack
Alvin Oga wrote:
On Tue, 11 Oct 2005, Marty wrote:
Thanks, you just reminded me of two more items for my ssh hardening plan:
-deny root login
-turn off sshd access after a specified number of failed login attempts,
or any attempts outside the specific IP address range.
those should be done BEFORE you go live .. ??
I mean before exposing an sshd port to the internet.
- no machine i would be baby sitting would be turned on
if those 2 minimum requirements is not met
If your machines are all exposed to the internet or to an insecure
LAN, then I don't see how you can safely use ssh at all. I would
never attempt such a thing, so you are much braver than I.
What I would do instead is limit ssh logins to a single heavily
scrutinized, stripped and locked down, dedicated (internet) ssh server,
which would be manually activated (maybe remotely) for each ssh
use, and turn off all other times.
- in the old days, i'd be running the latest/greatest
ssh ... vs those that come with any distro
( it seems lot more stable now... not as many exploits )
as far as i'm concerned ... free audits is a good thing on non-critical
machines ... let um play with those .. i get um by the thousands ...
and i'm not gonna want any email just because one bozo decides
to run a generic port scan or dictionary attacks
Whatever, I would never dare expose any normal machine to the internet,
especially one I have any responsibility for. I've never considered
(until now) exposing any open port to the internet. I think that's what
ISP servers are for.
- that'd generate hundreds of thousands of false alarms
- "too many" attempts will also raise a flag
( more than the number of your fingers )
Since I would enable the internet ssh server on a temporary and
per use basis, to many email alerts would probably not be an issue.
- critical machines are watched very carefully :-)