
Re: SSH attack

Alvin Oga wrote:

On Tue, 11 Oct 2005, Marty wrote:

Thanks, you just reminded me of two more items for my ssh hardening plan:

-deny root login

-turn off sshd access after a specified number of failed login attempts,
or any attempts outside the specific IP address range.

those should be done BEFORE you go live .. ??

I mean before exposing an sshd port to the internet.

	- no machine i would be baby sitting would be turned on
	if those 2 minimum requirements are not met

If your machines are all exposed to the internet or to an insecure
LAN, then I don't see how you can safely use ssh at all.  I would
never attempt such a thing, so you are much braver than I.

What I would do instead is limit ssh logins to a single heavily
scrutinized, stripped and locked down, dedicated (internet) ssh server,
which would be manually activated (maybe remotely) for each ssh
use, and turned off at all other times.

	- in the old days, i'd be running the latest/greatest
	ssh ... vs those that come with any distro
	( it seems lot more stable now... not as many exploits )

as far as i'm concerned ... free audits are a good thing on non-critical
machines ... let um play with those .. i get um by the thousands ...
and i'm not gonna want any email just because one bozo decides
to run a generic port scan or dictionary attacks

Whatever, I would never dare expose any normal machine to the internet,
especially one I have any responsibility for.  I've never considered
(until now) exposing any open port to the internet.  I think that's what
ISP servers are for.

- that'd generate hundreds of thousands of false alarms

- "too many" attempts will also raise a flag
	( more than the number of your fingers )

Since I would enable the internet ssh server on a temporary and
per use basis, too many email alerts would probably not be an issue.

- critical machines are watched very carefully :-)

c ya
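The thread lists two minimum sshd requirements (deny root login, react to repeated failed logins or logins from outside a known address range) and a rule of thumb for alerting (more than ten failed attempts from one place). The following script, added here as an illustration and not part of the original exchange, checks an sshd_config text for those settings and counts failed-login lines per source address in OpenSSH's syslog format. The configs and log lines are constructed inline; the addresses are documentation ranges and the user names are placeholders. The `PermitRootLogin`, `MaxAuthTries` and `AllowUsers user@pattern` directives are real sshd_config keywords; the threshold of 10 is taken from the "number of your fingers" remark.

```python
"""Check sshd_config for the thread's two minimums and count failed logins
per source address.  Added example, not code from the list thread."""
import re
from collections import Counter

# Constructed sshd_config as it often ships: root login allowed, default
# number of tries, no restriction on who may connect from where.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""

# Constructed hardened sshd_config: root denied, tries reduced, and only the
# 'admin' account from the management range 192.0.2.0/24 may log in.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
# AllowUsers accepts USER@HOST patterns; HOST may be an address pattern.
AllowUsers admin@192.0.2.*
"""


def parse_sshd_config(text):
    """Return {keyword_lower: [values...]} for non-comment, non-blank lines.
    sshd honours the first occurrence of a keyword; every occurrence is kept
    here so that repeated AllowUsers lines stay visible to the auditor."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, []).append(val)
    return settings


def audit_config(text, max_tries=3):
    """Return a list of findings; an empty list means all checks passed."""
    s = parse_sshd_config(text)
    findings = []
    # A missing PermitRootLogin is treated as 'not explicitly denied'.
    root = s.get("permitrootlogin", ["<unset>"])[0].lower()
    if root != "no":
        findings.append(f"PermitRootLogin is {root}; set it to 'no'")
    tries = int(s.get("maxauthtries", ["6"])[0])  # 6 is the OpenSSH default
    if tries > max_tries:
        findings.append(f"MaxAuthTries {tries} exceeds {max_tries}")
    if "allowusers" not in s and "match" not in s:
        findings.append("no AllowUsers/Match restriction on source address")
    return findings


# Constructed auth log: 12 failures from one address, 2 from another, and
# one successful key login from the management range.
def _constructed_log():
    lines = []
    for i in range(12):
        lines.append(f"Oct 11 03:12:{i:02d} host sshd[{4700 + i}]: Failed password "
                     f"for invalid user admin from 198.51.100.7 port {40000 + i} ssh2")
    for i in range(2):
        lines.append(f"Oct 11 03:14:{i:02d} host sshd[{4800 + i}]: Failed password "
                     f"for marty from 203.0.113.5 port {41000 + i} ssh2")
    lines.append("Oct 11 03:15:10 host sshd[4900]: Accepted publickey "
                 "for marty from 192.0.2.10 port 50022 ssh2")
    return "\n".join(lines)


SAMPLE_AUTH_LOG = _constructed_log()

# Matches OpenSSH's "Failed password for [invalid user] NAME from ADDR" lines.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")


def failed_attempts_by_source(log_text):
    """Count failed-login lines per source IPv4 address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def sources_over_threshold(log_text, threshold=10):
    """Addresses with more failures than the threshold (the thread's 'more
    than the number of your fingers' rule), sorted for stable output."""
    return sorted(ip for ip, n in failed_attempts_by_source(log_text).items()
                  if n > threshold)


if __name__ == "__main__":
    print("weak config:", audit_config(WEAK_CONFIG))
    print("hardened config:", audit_config(HARDENED_CONFIG))
    print("noisy sources:", sources_over_threshold(SAMPLE_AUTH_LOG))
```

The script only reports; actually shutting sshd or blocking an address after the threshold is the job of a separate watcher (or of the manual on/off procedure Marty describes), and the `AllowUsers` line already refuses everything outside the listed range before any password is tried.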
