Re: Security newbie?
On Fri, Aug 03, 2007 at 08:15:38AM -0500, Rodney Richison wrote:
> Art Edwards wrote:
> >I've been running debian @ home and @ work, for years, had no indication
> >of attacks. Over the last few days, my iptables firewall seemed simply
> >to stop. I checked my auth log file to find many, many attempts to break
> >in. My firewall was very simple. I have since added rules to drop
> >packets from offending IP addresses. So, I have a couple of very basic
> >1. Are there repositories of offending IP addresses to block? Can/should
> >one contribute to these?
First ask if you need to ssh into your box from the internet, if not
then limit the interfaces to which ssh listens.
> >2. The attacks never use the same user name more than once. Is there a
> >way to block access, even temporarily, from an IP address after a set
> >number of attempts, even if the attempts use different user names?
If you are using good strong passwords then it shouldn't matter how many
times someone tries. However, you should consider using public-key
ssh logins where you can totally disable password logins.
> >3. Are there other obvious things I should be doing?
> ssh, by it's design is insecure.
This seems a little harsh.
> It SHOULD incorporate some means of limiting password attempts. It
> does not! Using alternate ports can be a pain in the butt as some
> programs (like webmin "filesystem backup) do not support alternate
> ports. I suggest 2 methods, fail2ban and a firewall if you must allow
> password logins. You can set the firewall to allow only certain ip's
> or ip ranges. But do not get to comfortable with a firewall ONLY
> solution. The first time the local firewall goes down, or is taken
> down and forgotten to re-enable, you'll get compromised.
Yes, a firewall is the first line of defence in that it blocks things
before they reach your daemons but the last line of defence in that
everything else should be relied on first. You can use the firewall to
limit the rate of connection attempts that go to ssh. Also, if you know
the range of IPs from which you need to connect, you could limit
attempts to that range.
You can also look at the sshd_config options of MaxAuthTries and