Re: SSH attack

To: debian-user@lists.debian.org
Subject: Re: SSH attack
From: Ritesh Raj Sarraf <rrs@researchut.com>
Date: Sat, 15 Oct 2005 15:16:07 -0700
Message-id: <[🔎] Pine.LNX.4.64.0510151511060.24187@mail.logicalwebhost.com>
In-reply-to: <[🔎] 434C08D4.8020608@ix.netcom.com>
References: <[🔎] Pine.LNX.3.96.1051010230303.19907A-100000@Maggie.Linux-Consulting.com> <[🔎] 434B6830.9050704@ix.netcom.com> <[🔎] 3f1760510110323i323f8ab5i@mail.gmail.com> <[🔎] 434C08D4.8020608@ix.netcom.com>

On Tue, 11 Oct 2005, Marty wrote:

Dick Davies wrote:

 On 11/10/05, Marty <martyb@ix.netcom.com> wrote:

>  If your machines are all exposed to the internet or to an insecure
>  LAN, then I don't see how you can safely use ssh at all.  I would
>  never attempt such a thing, so you are much braver than I.

>> What I would do instead is limit ssh logins to a single heavily

>  scrutinized, stripped and locked down, dedicated (internet) ssh server,
>  which would be manually activated (maybe remotely) for each ssh
>  use, and turn off all other times.

 'maybe remotely' - aren't you just pushing back the problem?


Yes it replaces one security headache with another, but having
remote out-of-band access may be useful for other reasons, and
therefore worth the risk.

I first got the idea from ISPs which allow remote control of customer
servers for reboots or maintenance.

For example, I might use a modem on a system with no LAN connection,
controlling an X-10 network.  Then hopefully the worst damage an
intruder could do is reboot or power off the servers.


Or you could use the following iptables rules to get your self on the
safer side.

I'm not sure if this would directly be related to your problem but it
solved mine. :-)

## create denylog chain
iptables -N denylog
iptables -A denylog -j LOG
iptables -A denylog -j DROP

## SSH Bruteforce
iptables -N SSH_WHITELIST
iptables -A SSH_WHITELIST -s 10.0.1.0/24 -m recent --remove --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j denylog

Creates a whilelist of one or more networks. All others are subject toinspection. More than 4 hits within 60 seconds are denied. In case of 60seconds without a hit, this rule is automatically cleared again. That'sthe magic of the "recent"-module of iptables. It works for me - and it'svery useful!



Regards,

rrs
--
Ritesh Raj Sarraf
RESEARCHUT -- http://www.researchut.com
"Stealing logic from one person is plagiarism, stealing from many is research."
"Necessity is the mother of invention."

Reply to:

References:
- Re: SSH attack
  - From: Alvin Oga <aoga@mail.Linux-Consulting.com>
- Re: SSH attack
  - From: Marty <martyb@ix.netcom.com>
- Re: SSH attack
  - From: Dick Davies <rasputnik@gmail.com>
- Re: SSH attack
  - From: Marty <martyb@ix.netcom.com>

Prev by Date: Cygwin, ssh, and top
Next by Date: Lucy & the Football
Previous by thread: Re: SSH attack
Next by thread: Re: SSH attack
Index(es):
- Date
- Thread