Re: SSH attack

[Marty <martyb@ix.netcom.com>]

Alvin Oga wrote:
> - if it was a hole in ssh, ALL and i mean ALL other Debianites and
>   possibly other Linuxites will be equally susceptable and some of
>   of them will have noticed that they too were successfully attacked
>
> ==
> == time for you ( marty ) change the way you use ssh and/or the way you
> == log into your PC  and/or update your PC, or let it run  and see if
> == you can stop them from loggin in
> ==

I don't knowingly expose any ports or services to the internet, including
ssh.  As you point out, there's no guarantee it can ever be done safely,
due to the possibility (certainty?) of holes in ssh.

If I did attempt it, however, I would at least take the following precautions:

-always require private keys

-use a port other than 22

-run sshd only at certain times of the day (e.g. 5 minutes per hour)

-restrict ssh connections to a single remote IP address or subnet, in the
firewall as well as in sshd

-configure the ssh server to report any successful ssh login using email,
and/or send a page or cell phone alert

-do the same for mutliple failed connection attempts

-in conjunction with the previous items, provide a way to remotely disable
ssh or initiate an emergency shutdown in case of suspected atteck.


This list come from my own limited knowledge of the subject.  I'd appreciate
any additions to this list from any security experts reading this.