You are not logged in.
Thought some of you might find this interesting. No one gets in, but it's funny how just changing the port number on ssh will stop 99.99% of the stupid attacks (some random bot repeatedly attempting to gain access) . Several other things SHOULD be changed in the ssh config file also, not just the port number, but this one provides the most eye opening reasons to be secure.
Installed server on Jul 17th ..... less than 5 days later, well, you get the idea.
wtmp begins Thu Jul 17 21:57:08 2008
[root@VistaCrusher1 ~]# lastb | wc -l
25349
Needless to say, I'll go change that shortly, along with several other security precautions. I just wanted to see how many hits I'd get in 5 days That, and I wanted to see who came back
Offline
iptables ftw. This is the ruleset I have set up on my WRT54GL with OpenWRT installed, works like a charm and saves any hassle of having to specify a port argument for everything from ssh to scp and git pulls over an ssh connection.
### START SECURITY RULES ###
# Don't limit SSH from known addreses
# xxx.xxx.xxx.xxx
iptables -A forwarding_wan -p tcp --dport 22 -s xxx.xxx.xxx.xxx -j ACCEPT
# SSH rate limiting from unknown IP addresses
# Allow 2 chances in 10 minutes to connect, reject after that
iptables -A forwarding_wan -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -A forwarding_wan -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 3 -j DROP
Offline
Yes, that does it too, but at the expense of cpu cycles (not that that's a huge deal or anything), whereas simply changing the port will stop 99.99 % of them. I have servers that have the ssh port set to non-standard ports, and zero hits in over two years. So, if I change ports AND add the IP tables rules, AND change some more settings in the sshd_config file, even better I just thought it was very telling. I knew port 22 got hammered at times by attackers, just didn't think it was THAT rampant. It had been so long since I'd had a port 22 open, that I was a bit suprised at the results.
Offline
It helps too it you make sure the port is outside a default nmap scan. I usually use a 5 digit port.
Additionally, setting the delay between password attempts to something obscene is usually fun (like 10 seconds). It stops that crap real fast
Remember? I'm the one who got hacked, here
Offline
Additionally, setting the delay between password attempts to something obscene is usually fun (like 10 seconds). It stops that crap real fast
Is that done with the LoginGraceTime option?
Offline
I intentionally use the default port without IPTables.. I like it that my computer is a living breathing Internet node.. I do not pheare the h4x0rs
Offline
iptables ftw. This is the ruleset I have set up on my WRT54GL with OpenWRT installed, works like a charm and saves any hassle of having to specify a port argument for everything from ssh to scp and git pulls over an ssh connection.
Using .ssh/config also saves me any hassle when using a random port.
one example here : http://lookherefirst.wordpress.com/2007 … nfig-file/
pacman roulette : pacman -S $(pacman -Slq | LANG=C sort -R | head -n $((RANDOM % 10)))
Offline
The /etc/ssh/sshd_config file has TONS of options that will severly limit any types of intrusions via ssh.
Set default port to high non-standard port.
Set time to login to a low number
Set allowed users !!!!
Set number of login attempts and time it locks out bad attempts
Set allowed IP addresses
Disable root login
all sorts of good stuff in there...... definately worth changing many of the defaults.
It can take you from 25,000 attempts in 5 days.......to ZERO in two years. The config file changes are very simple to implement.
Now, I must say, I DO like toofishes iptable rules ----- I did copy that for future reference
I am about 99.99% sure I won't ever need it, as ssh is a great tool all on it's own, but if I ever get uber-paranoid, what the heck, I'll use it as well
Last edited by crouse (2008-07-25 01:50:21)
Offline
can i set sshd to listen on 22 for 1 specific IP address? my company's socks proxy wont let me use another
or should i use iptables for that?
☃ Snowman ☃
Offline
can i set sshd to listen on 22 for 1 specific IP address?
Set allowed IP addresses
Offline
robmaloy wrote:can i set sshd to listen on 22 for 1 specific IP address?
crouse wrote:Set allowed IP addresses
i should properly describe what i want
i want to use port 22 for my IP at work and port XYZ from anywhere else (we can only SSH through a socks server)
solution (if anyone interested):
iptables -t nat -A PREROUTING -p tcp -s $IP_AT_WORK --dport 22 -j REDIRECT --to-port $CHANGED_PORT
Last edited by robmaloy (2008-07-25 17:31:38)
☃ Snowman ☃
Offline
You can e.g. have dropbear listening on multiple ports at the same time. I don't know if that works for OpenSSH.
As for restricting logins, you could implement two firewall rules:
- allow logging in over port 22 only from IP xx.xx.xxx.xxx
- allow logging in over port XXX from all other addresses
Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy
Offline
iptables ftw. This is the ruleset I have set up on my WRT54GL with OpenWRT installed, works like a charm and saves any hassle of having to specify a port argument for everything from ssh to scp and git pulls over an ssh connection.
You can define the default ssh port for specific servers in /etc/ssh/ssh_config:
Host myhost.net
Port 65536
Ricardo Martins ><>< ricardomartins.cc ><>< GPG key: 0x1308F1B4
Offline
toofishes wrote:iptables ftw. This is the ruleset I have set up on my WRT54GL with OpenWRT installed, works like a charm and saves any hassle of having to specify a port argument for everything from ssh to scp and git pulls over an ssh connection.
You can define the default ssh port for specific servers in /etc/ssh/ssh_config:
Host myhost.net Port 65536
I think I mentioned that already :
http://bbs.archlinux.org/viewtopic.php? … 31#p397031
Even though it is the user settings rather than system-wide settings, it is still the same tip.
pacman roulette : pacman -S $(pacman -Slq | LANG=C sort -R | head -n $((RANDOM % 10)))
Offline
@shining: You're right, I didn't notice your post. Sorry for the noise.
Last edited by meqif (2008-08-11 18:41:27)
Ricardo Martins ><>< ricardomartins.cc ><>< GPG key: 0x1308F1B4
Offline