Tuesday, July 24, 2007

Securing SSH against brute force attacks

Today I was looking at the /var/log/messages file on my home machine and noticed a bunch of attempts to ssh in under a bunch of different user names. This is a brute force attack, and they are apparently quite common. I have a router forwarding the ssh port (22) to one of my Linux boxes so I can connect from other locations.
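The triage described above, as an added example that is not part of the original post: a small shell function that summarises failed SSH password attempts per source address so that a burst of guesses from one address stands out. OpenSSH logs a "Failed password for ..." line for each rejected password, and marks names that do not exist locally as "invalid user". The log excerpt in the block is constructed for the example (RFC 5737 test addresses); on the box described here the real input would be /var/log/messages.

```shell
#!/bin/sh
# Added example: count failed SSH password attempts per source address.
# The log excerpt below is constructed for this example; point the function
# at /var/log/messages or /var/log/auth.log for real data.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat >"$LOG" <<'EOF'
Jul 24 21:03:11 home sshd[4012]: Failed password for invalid user admin from 203.0.113.5 port 4433 ssh2
Jul 24 21:03:14 home sshd[4013]: Failed password for invalid user test from 203.0.113.5 port 4440 ssh2
Jul 24 21:03:17 home sshd[4014]: Failed password for root from 203.0.113.5 port 4451 ssh2
Jul 24 21:05:02 home sshd[4020]: Accepted publickey for dave from 192.0.2.10 port 52110 ssh2
Jul 24 21:07:45 home sshd[4031]: Failed password for dave from 192.0.2.10 port 52200 ssh2
EOF

# failed_logins_by_source LOGFILE [THRESHOLD]
# Prints "count address" for each source with at least THRESHOLD failed
# password attempts (default 1), busiest source first.
failed_logins_by_source() {
    log=$1
    threshold=${2:-1}
    grep 'sshd\[[0-9]*\]: Failed password for' "$log" \
        | sed -n 's/.* from \([0-9.]*\) port [0-9]*.*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# Usage: sources with three or more failures in this excerpt
failed_logins_by_source "$LOG" 3
```

With the threshold set to 3 only the address that tried three names in a few seconds is reported; the single mistyped password from 192.0.2.10 is not, which is the distinction worth making before deciding what to block.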

When I saw these attacks I asked a friend what I could do to increase the security of my ssh and further protect my network. The following are some of his suggestions and some of my experiences with them.

* First, specify the list of users you will allow to ssh into the box in the sshd_config file.
I had a little trouble on SLED finding where in the file to do this. On SLED, sshd is set to use PAM for authentication, so I need to figure out how to tell PAM that certain users are not allowed to use ssh.

* Next, you can set up some iptables rules so that the box only allows a certain number of ssh attempts per minute; this will cut down on the script kiddies, etc.
I just set MaxAuthTries 6, hoping that will do. If I can't get my password in 6 attempts I will have to try again later. I may regret this if it locks me out forever or something like that.
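The iptables rate limit from the previous suggestion, as an added example that is not from the post or from the author's setup: it uses the iptables "recent" match to let a source address open at most three new connections to the SSH port per 60 seconds and drop the rest, which throttles a guessing script independently of sshd's own MaxAuthTries. The function prints the rules so they can be reviewed before being applied; the port, hit limit and window are parameters, and the chain name SSH_LIMIT and list name sshbf are arbitrary choices made for this example.

```shell
#!/bin/sh
# Added example: per-source rate limit for new SSH connections using the
# iptables "recent" match. ssh_rate_limit_rules prints the rules; pipe its
# output into sh as root to apply them. SSH_LIMIT (chain) and sshbf (recent
# list) are names chosen for this example.
#
# ssh_rate_limit_rules [PORT] [MAX_NEW] [WINDOW_SECONDS]
ssh_rate_limit_rules() {
    port=${1:-22}
    max_new=${2:-3}
    window=${3:-60}
    # --set records the current attempt, so the DROP rule uses MAX_NEW+1 as
    # the hit count. --update also refreshes the source's timestamp, so an
    # address that keeps hammering stays blocked until it goes quiet for
    # WINDOW seconds.
    cat <<EOF
iptables -N SSH_LIMIT
iptables -A INPUT -p tcp --dport $port -m state --state NEW -j SSH_LIMIT
iptables -A SSH_LIMIT -m recent --name sshbf --set
iptables -A SSH_LIMIT -m recent --name sshbf --update --seconds $window --hitcount $((max_new + 1)) -j DROP
iptables -A SSH_LIMIT -j ACCEPT
EOF
}

# Review first:
ssh_rate_limit_rules 22 3 60
# Then apply as root:  ssh_rate_limit_rules 22 3 60 | sh
```

The lock-out worry above is milder with this approach than with a permanent ban: a legitimate user who mistypes a password a few times is only held off until the window expires, and the rules are not persistent across a reboot unless saved with the distribution's usual iptables save mechanism.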

* You can also configure ssh so it doesn't allow password login but instead requires ssh keys.
The problem with this one is that sometimes I want to log in from places I have not logged in from before. I am not really sure I would be able to do that anymore.

* You could think about changing which port your router listens on to forward to the ssh port,
i.e. have the router listen on 6822 and forward it to 22.

* Also disable SSH Protocol 1 and just have SSH Protocol 2 listening.
This one confused me a little bit because there is a line commented out in the sshd_config file that says Protocol 2,1. But since it is commented out I don't know what the default is. I don't know how to tell, either.
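An added example, not from the post, that covers the "how do I tell what is active" question for the sshd_config settings mentioned in the list above (AllowUsers, MaxAuthTries, PasswordAuthentication, Protocol, Port): it reads a config file and reports whether a directive is actually set or only appears as a commented-out line. The commented lines in the shipped sshd_config document the compiled-in defaults, so a commented `#Protocol 2,1` means protocol 1 is still accepted until the line is uncommented and changed to `Protocol 2` (OpenSSH made 2 the server default only in release 5.4, and removed protocol 1 from the server in 7.4). sshd uses the first occurrence of a directive, so the function stops at the first active match. Two further points worth knowing: AllowUsers is enforced by sshd itself before any authentication method runs, so it works on a PAM-based setup like SLED's without touching PAM, and on newer OpenSSH versions `sshd -T` run as root prints the full effective configuration with defaults filled in, which is the authoritative check. The config excerpt is constructed for the example; the function handles the plain "Keyword value" form only, not "Keyword=value" or Match blocks.

```shell
#!/bin/sh
# Added example: report whether an sshd_config directive is active or only
# present as a commented-out default. The config excerpt is constructed for
# this example; on a real system use /etc/ssh/sshd_config.
CONF=$(mktemp)
trap 'rm -f "$CONF"' EXIT
cat >"$CONF" <<'EOF'
# constructed sshd_config excerpt
#Port 22
#Protocol 2,1
MaxAuthTries 6
#PasswordAuthentication yes
AllowUsers dave backup
MaxAuthTries 3
EOF

# sshd_directive CONFIG NAME
# Prints the value of the first active (uncommented) NAME line, matching the
# keyword case-insensitively as sshd does, or "(not set: default applies)"
# when the keyword only appears commented out or not at all.
sshd_directive() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }          # comment or blank line
        tolower($1) == want {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")   # drop keyword
            print; found = 1; exit                    # first occurrence wins
        }
        END { if (!found) print "(not set: default applies)" }
    ' "$1"
}

# check_hardening CONFIG
# One line per setting discussed in the post with its active value.
check_hardening() {
    for name in Port Protocol MaxAuthTries PasswordAuthentication AllowUsers; do
        printf '%-22s %s\n' "$name" "$(sshd_directive "$1" "$name")"
    done
}

check_hardening "$CONF"
```

In the constructed excerpt the report shows Protocol and PasswordAuthentication as "not set", MaxAuthTries as 6 (the later 3 is ignored because the first occurrence wins), and AllowUsers as "dave backup"; anything reported as "not set" is running on the compiled-in default, which is exactly the state the commented Protocol line leaves you in.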
