I've been doing some interesting reading lately about remote security and have come across some good information. One program I'm interested in trying out is called Ostiary, however its purpose is only to allow a fixed set of commands remotely, rather than just open up a shell. The page also has a good summary of the pros/cons of other techniques such as port knocking, Xringd, VPNs, etc. Might at least give you some ideas...
Ostiary looks interesting, although it has very limited abilities (on purpose). Pity you can't send an option with the commands, or at least some extra info like the IP of the client to the program. Luckily it's probably very easy to add (less than 30 minutes' work anyway).
That way you can run a script with Ostiary which edits sshd's config and the firewall rules so it only allows connections from your IP address. So with a tiny script you enable ssh with Ostiary, log in, and when done disable sshd again. To prevent man-in-the-middle attacks Ostiary can be slightly changed so that it uses the client's IP address for the checksum too.
Though how paranoid you must be to do it this way I don't know. :-)
I've given some propositions in the original "hacked?" thread, including OPIE and Judd's knockd + some others.
I get brute force attempts to log in all the time. I guess hearing about phrakture's misfortunes got me a bit more concerned.
Anyways, after browsing around, I found this script which looks like it dynamically blacklists IPs with too many failed login attempts. I am just now trying it out, so I have yet to find out if it works. Feel free to ssh to joeolivas.com to help me see if it works. Try something like user 'arch', so I'll know it was a friendly break-in attempt.
Just tried to ssh 3 times to your server, it then blocked me completely. That's a nice idea. But don't most hackers use proxies or something so they can get a new IP at will?
EDIT: Looks like the script builders already thought of it.
Some PKGBUILDs: http://members.lycos.co.uk/sweiss3
Sweet, nice to see it works. Thanks for your help....
It's pretty nice, seems to help even for weak passwords, since even if it is weak, it would (most likely, unless your password is aardvark or something) take a lot more than 4 attempts to get it right...
*hears the sound of many keys being pressed*
"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍
I've just tried that script myself, and I noticed I don't have a file called /var/log/secure. Am I missing something here?
Just change it to /var/log/auth.log. And change iptables path to /usr/sbin/iptables.
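The blacklisting approach discussed in this thread, as an added example that is not the script the posters link to: it reads auth.log-style sshd entries (the /var/log/auth.log and /usr/sbin/iptables paths are the ones given just above), counts "Failed password" events per source address and builds iptables DROP rules for any address that reaches a threshold. The sample log lines, the 4-attempt threshold and the 192.0.2.0/24 allow-list are constructed assumptions for the example.

```python
"""Count failed SSH logins per source IP in auth.log-style text and emit
iptables DROP rules for addresses over a threshold.

Added example written for this thread; it is not the script referenced in the
posts above. The line layout follows the usual syslog + sshd "Failed password"
format; the sample lines below are constructed, not captured from a real host.
"""
import re
import subprocess
from collections import Counter
from ipaddress import ip_address, ip_network

IPTABLES = "/usr/sbin/iptables"   # path as noted in the thread for Arch
THRESHOLD = 4                     # failures before an address is blocked (assumption)

# Matches sshd "Failed password" entries for both valid and invalid user names.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Never block these networks (assumption: the admin's own range), so a typo in
# your own password cannot lock you out.
ALLOW = [ip_network("192.0.2.0/24")]


def failed_attempts(lines):
    """Return a Counter of failed-login attempts keyed by source IP."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(lines, threshold=THRESHOLD, allow=ALLOW):
    """Sorted IPs with >= threshold failures that are not in an allowed network."""
    bad = []
    for ip, n in failed_attempts(lines).items():
        if n < threshold:
            continue
        addr = ip_address(ip)
        if any(addr in net for net in allow):
            continue
        bad.append(ip)
    return sorted(bad)


def block_rules(ips):
    """iptables argv lists that drop inbound SSH (tcp/22) from each address."""
    return [[IPTABLES, "-I", "INPUT", "-s", ip, "-p", "tcp",
             "--dport", "22", "-j", "DROP"] for ip in ips]


def apply_rules(rules, dry_run=True):
    """Print the rules (default) or run them; running them requires root."""
    for argv in rules:
        if dry_run:
            print(" ".join(argv))
        else:
            subprocess.run(argv, check=True)


# Constructed sample of /var/log/auth.log content (RFC 5737 documentation IPs).
SAMPLE_LOG = """\
Nov 16 10:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Nov 16 10:01:05 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40123 ssh2
Nov 16 10:01:08 host sshd[1203]: Failed password for root from 203.0.113.7 port 40124 ssh2
Nov 16 10:01:11 host sshd[1205]: Failed password for root from 203.0.113.7 port 40125 ssh2
Nov 16 10:02:00 host sshd[1210]: Failed password for arch from 198.51.100.9 port 50001 ssh2
Nov 16 10:02:30 host sshd[1212]: Accepted publickey for arch from 198.51.100.9 port 50002 ssh2
Nov 16 10:03:00 host sshd[1220]: Failed password for arch from 192.0.2.10 port 60000 ssh2
Nov 16 10:03:01 host sshd[1220]: Failed password for arch from 192.0.2.10 port 60000 ssh2
Nov 16 10:03:02 host sshd[1220]: Failed password for arch from 192.0.2.10 port 60000 ssh2
Nov 16 10:03:03 host sshd[1220]: Failed password for arch from 192.0.2.10 port 60000 ssh2
""".splitlines()

if __name__ == "__main__":
    apply_rules(block_rules(offenders(SAMPLE_LOG)))
```

Run as-is it only prints the rule it would add for 203.0.113.7; 192.0.2.10 also hit the threshold but sits in the allow-list, and the single failure from 198.51.100.9 stays below it. Blocking by address only slows an attacker who can rotate source IPs, which is the point raised later in the thread, so it complements rather than replaces key-only authentication.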
Ah, so that's where it was
Thanks a lot.
ChallengeResponseAuthentication=no
UsePAM yes
UseDNS no
What do these options do?
UsePAM... uses PAM. This enforces /etc/security/limits and stuff on the ssh shell sessions. No forkbombing over ssh.
UseDNS disables reverse DNS lookups. UseDNS could arguably add security, but not much... and I was having trouble with it taking bloody forever!
ChallengeResponseAuth is something that UsePAM enables, but I don't really want. So, I disabled it. Check man sshd_config for more information.
Back to securing ssh, you should use a password on your ssh keys, and then use ssh-agent and ssh-add to have your passphrase validated for the session. It is very nice, and adds security. Then you can use ssh key access only.
Does arch have ssh-agent setup in the X configs?
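The sshd_config options explained in the post above, as an added example that is not code from OpenSSH or from any poster: a small checker that parses an sshd_config the way sshd_config(5) documents (case-insensitive keywords, value after whitespace or a single "=", "#" comments, first occurrence of a keyword wins) and reports where the effective value differs from the settings argued for here. The wanted values are taken from the thread, with PasswordAuthentication no added as an assumption for "ssh key access only"; the sample config is constructed.

```python
"""Audit an sshd_config for the options discussed in this thread.

Added example written for this thread; it is not code from OpenSSH or from any
poster. It follows the matching rules sshd_config(5) documents: keywords are
case-insensitive, the value follows whitespace or a single '=', '#' starts a
comment, and for each keyword the FIRST occurrence wins, so a hardened line
appended at the bottom of the file is silently ignored if a looser one appears
above it. Match blocks are not modelled (parsing stops at the first one).
The sample config below is constructed, not taken from a real host.
"""
import re

# Settings this thread argues for: PAM limits, no reverse lookups, keys only.
WANTED = {
    "challengeresponseauthentication": "no",
    "usepam": "yes",
    "usedns": "no",
    "passwordauthentication": "no",   # assumption: "ssh key access only" from the post
    "pubkeyauthentication": "yes",
}

# Accepts "Keyword value", "Keyword=value" and "Keyword = value".
LINE_RE = re.compile(r"^(\w+)\s*(?:=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return {keyword_lower: first_value}, applying sshd's first-match rule."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key = m.group(1).lower()
        value = m.group(2).strip().strip('"')  # arguments may be double-quoted
        if key == "match":
            break                              # conditional section: out of scope
        settings.setdefault(key, value)        # later duplicates are ignored by sshd
    return settings


def audit(text, wanted=WANTED):
    """Map each keyword whose effective value differs from `wanted` to a
    (effective, wanted) pair. effective is None when the option is not set at
    all; the sshd default for the installed version then applies."""
    effective = parse_sshd_config(text)
    return {k: (effective.get(k), v) for k, v in wanted.items()
            if effective.get(k) != v}


# Constructed sshd_config: a leftover "yes" line above the hardened "no" line.
SAMPLE_CONFIG = """\
# constructed sshd_config
Port 22
ChallengeResponseAuthentication=no
UsePAM yes
UseDNS no
PasswordAuthentication yes    # older line left in place ...
PasswordAuthentication no     # ... so this hardened one never takes effect
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for key, (have, want) in audit(SAMPLE_CONFIG).items():
        print(f"{key}: effective={have!r} wanted={want!r}")
```

On the sample config the only finding is passwordauthentication: effective 'yes', wanted 'no', which is exactly the mistake a simple grep for "PasswordAuthentication no" would miss. Point it at a real file with `audit(open("/etc/ssh/sshd_config").read())`; an option reported as None is simply unset, and whether the default is acceptable depends on the OpenSSH version installed.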
The startxfce4 script brings in an ssh-agent automatically; it wraps around
the xfce4-session IIRC. Also gnome opens it AFAIK.
Anyway this shouldn't be up to the distro, I think, but up to the X-setup you use.
It depends heavily on your preferences. So you can use a session manager
or a window manager to be wrapped by the agent, some prefer to have only
the terminal wrapped which opens the connection... and so on.
-neri
Heya,
just found a journal about a way a worm could use ssh-info. Maybe some other info too ...
Here is the link: http://undeadly.org/cgi?action=article& … 0511163008
greetz,
Michel