On Tue, 11 Oct 2005, Marty wrote:
> Dick Davies wrote:
> > On 11/10/05, Marty <martyb@ix.netcom.com> wrote:
> > > If your machines are all exposed to the internet or to an insecure
> > > LAN, then I don't see how you can safely use ssh at all. I would
> > > never attempt such a thing, so you are much braver than I.
> > >
> > > What I would do instead is limit ssh logins to a single heavily
> > > scrutinized, stripped and locked down, dedicated (internet) ssh server,
> > > which would be manually activated (maybe remotely) for each ssh
> > > use, and turned off at all other times.
> >
> > 'maybe remotely' - aren't you just pushing back the problem?
>
> Yes, it replaces one security headache with another, but having remote
> out-of-band access may be useful for other reasons, and therefore worth
> the risk. I first got the idea from ISPs which allow remote control of
> customer servers for reboots or maintenance. For example, I might use a
> modem on a system with no LAN connection, controlling an X-10 network.
> Then hopefully the worst damage an intruder could do is reboot or power
> off the servers.
Or you could use the following iptables rules to get yourself on the safer side. I'm not sure if this would directly be related to your problem but it solved mine. :-)

    ## create denylog chain
    iptables -N denylog
    iptables -A denylog -j LOG
    iptables -A denylog -j DROP

    ## SSH Bruteforce
    iptables -N SSH_WHITELIST
    # whitelisted sources are taken off the SSH list again and accepted
    iptables -A SSH_WHITELIST -s 10.0.1.0/24 -m recent --remove --name SSH -j ACCEPT
    # every NEW connection to port 22 is recorded in the SSH list first
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
    # a source with 4 hits inside 60 seconds (and the TTL it was last seen with) is logged and dropped
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j denylog
    # an ACCEPT rule for port 22 (or an accepting INPUT policy) must follow these

This creates a whitelist of one or more networks. All others are subject to inspection. More than 4 hits within 60 seconds are denied. In case of 60 seconds without a hit, this rule is automatically cleared again. That's the magic of the "recent" module of iptables. It works for me - and it's very useful!
Regards,
rrs
-- 
Ritesh Raj Sarraf
RESEARCHUT -- http://www.researchut.com
"Stealing logic from one person is plagiarism, stealing from many is research."
"Necessity is the mother of invention."
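To make the "recent" module behaviour in Ritesh's rules concrete, here is a small Python model of the three INPUT rules, added here as an example; it is not code from the mail or from iptables. It reproduces only the matches those rules use (--set, --update with --seconds/--hitcount, and --remove; --rttl is left out), replaces kernel jiffies with plain seconds, and runs constructed sample traffic through the rules in order. The addresses and timings are made up, and the 20-stamp cap per entry assumes the module's default ip_pkt_list_tot.

```python
"""Model of the iptables 'recent' list behind the SSH throttling rules.

Added example, not code from the mail above.  Only --set, --update
(--seconds/--hitcount) and --remove are modelled; --rttl is not.  Times
are plain seconds rather than kernel jiffies, and each entry keeps at
most 20 timestamps (assumed: the module's default ip_pkt_list_tot).
"""
import ipaddress

WHITELIST = [ipaddress.ip_network("10.0.1.0/24")]   # -s 10.0.1.0/24 in SSH_WHITELIST
SECONDS, HITCOUNT = 60, 4                            # --seconds 60 --hitcount 4
MAX_STAMPS = 20                                      # assumed ip_pkt_list_tot default


class RecentList:
    """One named list ('SSH'): source address -> timestamps of recent hits."""

    def __init__(self):
        self.entries = {}

    def set(self, src, now):
        """--set: add the source, or append another timestamp to its entry."""
        stamps = self.entries.get(src, []) + [now]
        self.entries[src] = stamps[-MAX_STAMPS:]     # oldest stamp falls off the ring

    def update(self, src, now):
        """--update --seconds S --hitcount N: match when the source has at
        least N stamps no older than S seconds.  A match also stamps the
        entry again, which is what --update adds over --check."""
        stamps = self.entries.get(src)
        if stamps is None:                           # not listed: no match
            return False
        hits = sum(1 for t in stamps if now - t <= SECONDS)
        if hits < HITCOUNT:
            return False
        self.set(src, now)
        return True

    def remove(self, src):
        """--remove: match and delete the entry only if the source is listed."""
        return self.entries.pop(src, None) is not None


def ssh_new_connection(recent, src, now):
    """Run one NEW connection to port 22 through the INPUT rules in order.
    Returns 'ACCEPT' (whitelist), 'denylog' (throttled) or 'PASS' (fell
    through to whatever port-22 ACCEPT rule follows the three)."""
    recent.set(src, now)                                        # rule 1: --set --name SSH
    if any(ipaddress.ip_address(src) in n for n in WHITELIST):  # rule 2: -j SSH_WHITELIST
        if recent.remove(src):                                  #   --remove ... -j ACCEPT
            return "ACCEPT"
    if recent.update(src, now):                                 # rule 3: --update ... -j denylog
        return "denylog"
    return "PASS"


def simulate(attempts):
    """attempts: (time, src) pairs in time order.  Returns the verdicts and
    the final list state so the caller can inspect what would be kept."""
    recent = RecentList()
    verdicts = [ssh_new_connection(recent, src, t) for t, src in attempts]
    return verdicts, recent


# Constructed traffic: an outside host hammering port 22, then pausing,
# followed by a burst from a whitelisted LAN host.
SAMPLE = [
    (0, "203.0.113.9"), (5, "203.0.113.9"), (10, "203.0.113.9"),
    (15, "203.0.113.9"),   # 4th NEW connection inside 60 s
    (30, "203.0.113.9"),   # retry shortly after: still inside the window
    (100, "203.0.113.9"),  # 70 s of silence since the last hit
    (101, "10.0.1.7"), (102, "10.0.1.7"), (103, "10.0.1.7"),
    (104, "10.0.1.7"), (105, "10.0.1.7"),
]

if __name__ == "__main__":
    verdicts, recent = simulate(SAMPLE)
    for (t, src), v in zip(SAMPLE, verdicts):
        print(f"t={t:3d} {src:14} {v}")
    print("list after run:", recent.entries)
```

Two things the model makes visible that the rules alone do not: the --set rule has to come before the SSH_WHITELIST jump, because --remove only matches when the source is already listed; and because --update re-stamps a matched source, an attacker who keeps retrying every few seconds stays in denylog indefinitely, while one that stays quiet for the full window gets a fresh allowance of three attempts.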