Re: checking if my system is compromised
Kamaraju Kusumanchi <kamaraju@bluebottle.com> writes:
> Does anyone have suggestions on tightening up the default sshd_config
> file? I read about disabling password authentication mechanism
> completely and using only the key authorization mechanism. But this is
> too inconvenient to stick to. For example, if I go to a friend's
> machine, I would like to be able to ssh from it, without bothering
> about transferring keys back and forth. Any other suggestions are
> welcome.
I usually enable the recent module in iptables, which means that you can
only log in once every minute or so. It usually gives the attacker only
one try before they get shut down.
Example:

# allow established and related connections
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# if a NEW or INVALID packet comes in from an address that is in our recent
# list and was seen within the last 60 seconds, refresh its timestamp and
# drop the packet (--update both matches and refreshes the entry)
/sbin/iptables -A INPUT -m state --state NEW,INVALID -m recent --update --seconds 60 -j DROP

# allow new connections to the ssh port and add the source address to our
# recent list (-p takes a protocol name, so tcp rather than ssh; the port
# name ssh is resolved through /etc/services; INVALID packets never open a
# connection, so only NEW is accepted here)
/sbin/iptables -A INPUT -p tcp --dport ssh -m state --state NEW -m recent --set -j ACCEPT
The ordering of the rules is important, otherwise you might lock
yourself out. Basically, every time an ssh connection is made, the IP
address gets added to a list. If a connection is made from the same IP
within 60 seconds, then the connection is dropped. Usually, attackers
will drop the connection and try again if the username/password does not
match. This means that they only get one try. And since the 60-second
time limit is set every time someone makes a connection, they will never
get the login unless they wait 60 seconds (which they never do).
Also, in /etc/hosts.deny, set
ALL: PARANOID
--
John L. Fjellstad
web: http://www.fjellstad.org/ Quis custodiet ipsos custodes
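The following is an added example, not part of John's mail or of iptables itself. It is a small Python model of the three rules and of the recent module's list (address to last-seen timestamp), so the behaviour described above can be checked offline: a reconnecting brute-forcer gets exactly one attempt, because every dropped attempt refreshes the 60-second window, while a patient one that waits out the window gets through. It also shows the caveat a defender should know before deploying this: the DROP rule is not restricted to the ssh port, so a second new connection from the same address within the window, to any port, is dropped too. The IP addresses, timestamps and the RecentSshFilter name are constructed for the simulation.

```python
"""Simulation of the iptables 'recent' rate-limit rules from the post.

Added example; it is not the original mail's code and does not touch
iptables. Packet states and ports are plain strings/ints, and time is a
simulated clock in seconds.
"""
from dataclasses import dataclass, field
from typing import Dict, List

WINDOW_SECONDS = 60   # mirrors '--seconds 60'
SSH_PORT = 22         # what '--dport ssh' resolves to via /etc/services


@dataclass
class RecentSshFilter:
    """Models the INPUT chain: rule order matters, exactly as in the post."""
    window: int = WINDOW_SECONDS
    # the 'recent' list: source address -> last time it was seen/refreshed
    last_seen: Dict[str, int] = field(default_factory=dict)

    def input_chain(self, src_ip: str, state: str, dport: int, now: int) -> str:
        # rule 1: -m state --state RELATED,ESTABLISHED -j ACCEPT
        if state in ("RELATED", "ESTABLISHED"):
            return "ACCEPT"
        # rule 2: -m state --state NEW,INVALID -m recent --update --seconds 60 -j DROP
        # '--update' matches only if the address was seen within the window,
        # and on a match it refreshes the timestamp (this is what keeps a
        # reconnecting attacker locked out). Note: no port restriction.
        if state in ("NEW", "INVALID") and src_ip in self.last_seen:
            if now - self.last_seen[src_ip] <= self.window:
                self.last_seen[src_ip] = now
                return "DROP"
        # rule 3: -p tcp --dport ssh -m state --state NEW -m recent --set -j ACCEPT
        if state == "NEW" and dport == SSH_PORT:
            self.last_seen[src_ip] = now
            return "ACCEPT"
        # anything else falls through to the chain policy, which the post
        # does not show; reported as a distinct verdict here
        return "POLICY"


def simulate_reconnects(flt: RecentSshFilter, ip: str, attempts: int,
                        interval: int) -> List[str]:
    """A client that opens a new ssh connection every `interval` seconds."""
    return [flt.input_chain(ip, "NEW", SSH_PORT, t * interval)
            for t in range(attempts)]


def legitimate_user_caveat(ip: str = "203.0.113.9") -> List[str]:
    """Constructed sequence showing the side effect on a normal user:
    one ssh session, then a second ssh connection and an HTTP connection
    from the same address inside the window."""
    flt = RecentSshFilter()
    return [
        flt.input_chain(ip, "NEW", SSH_PORT, 0),          # first login
        flt.input_chain(ip, "ESTABLISHED", SSH_PORT, 5),  # traffic on it
        flt.input_chain(ip, "NEW", SSH_PORT, 30),         # second terminal
        flt.input_chain(ip, "NEW", 80, 40),               # unrelated port
        flt.input_chain(ip, "NEW", 80, 200),              # after the window
    ]


if __name__ == "__main__":
    # constructed attacker address, reconnecting every 10 seconds
    print(simulate_reconnects(RecentSshFilter(), "198.51.100.7", 10, 10))
    # same attacker, but waiting 61 seconds between attempts
    print(simulate_reconnects(RecentSshFilter(), "198.51.100.7", 5, 61))
    print(legitimate_user_caveat())
```

The reconnecting client gets one ACCEPT followed by DROPs for as long as it keeps retrying inside the window, which is the effect the post relies on; the 61-second client is accepted every time, so this limits guessing rate rather than preventing it. The caveat run shows the ESTABLISHED session is unaffected, but a second new connection from the same address within 60 seconds is dropped on any port, and after the window a non-ssh packet simply reaches the chain policy.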