[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: SSH attack

On Tue, 11 Oct 2005, Marty wrote:

Dick Davies wrote:
 On 11/10/05, Marty <martyb@ix.netcom.com> wrote:

>  If your machines are all exposed to the internet or to an insecure
>  LAN, then I don't see how you can safely use ssh at all.  I would
>  never attempt such a thing, so you are much braver than I.
> > What I would do instead is limit ssh logins to a single heavily
>  scrutinized, stripped and locked down, dedicated (internet) ssh server,
>  which would be manually activated (maybe remotely) for each ssh
>  use, and turn off all other times.

 'maybe remotely' - aren't you just pushing back the problem?

Yes it replaces one security headache with another, but having
remote out-of-band access may be useful for other reasons, and
therefore worth the risk.

I first got the idea from ISPs which allow remote control of customer
servers for reboots or maintenance.

For example, I might use a modem on a system with no LAN connection,
controlling an X-10 network.  Then hopefully the worst damage an
intruder could do is reboot or power off the servers.

Or you could use the following iptables rules to get your self on the
safer side.

I'm not sure if this would directly be related to your problem but it
solved mine. :-)

## create denylog chain
iptables -N denylog
iptables -A denylog -j LOG
iptables -A denylog -j DROP

## SSH Bruteforce
iptables -A SSH_WHITELIST -s -m recent --remove --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j denylog

Creates a whilelist of one or more networks. All others are subject to inspection. More than 4 hits within 60 seconds are denied. In case of 60 seconds without a hit, this rule is automatically cleared again. That's the magic of the "recent"-module of iptables. It works for me - and it's very useful!


Ritesh Raj Sarraf
RESEARCHUT -- http://www.researchut.com
"Stealing logic from one person is plagiarism, stealing from many is research."
"Necessity is the mother of invention."

Reply to: