From: "Jerry Bell"
To: "John DeStefano"
Cc: freebsd-questions@freebsd.org
Date: Sun, 22 May 2005 16:13:19 -0400 (EDT)
Subject: Re: securing SSH, FBSD systems
Message-ID: <1368.24.99.220.144.1116792799.squirrel@24.99.220.144>

These attacks are almost exclusively automated, looking to install a script to launch spam runs from. They're essentially trying common username and weak password combinations - blank password, passwords the same as the user name, abc123, etc.

There are four things you can do to improve the security of sshd:

1. Move sshd to listen on a different port. This will not protect against a concerted attack, though.

2. Check for weak passwords. John the Ripper can help out with that. pam_passwdqc(8) can help you enforce strong passwords.

3. Integrate an automated log monitoring system that looks for *successful* logins, since those are really what you're worried about anyway. This can be difficult to manage if you have a lot of regular shell users.

4. Keep up-to-date with security patches and advisories. Attacking your system through password guessing is much harder than using a vulnerability in sshd or some other service.

I have a security guide for FreeBSD at:
http://www.syslog.org/Content-5-4.phtml

Jerry
http://www.syslog.org

> Would someone mind briefly talking about securing FBSD systems from
> such attacks, at least in a manner that's a bit more extensive and
> detailed than just saying "use Snort"? I'm not a newbie to FBSD, but
> I'm not a *NIX guru either. I'd really appreciate your help.
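Point 3 of the reply, as an added example that is not from the post or the linked guide: a small Python monitor that reads sshd's auth.log lines, keeps only the successful logins, and flags any whose user or source network is not on an allowlist. The host name, users, addresses and log lines are constructed sample data, and the allowlist is an assumption about what "expected" looks like on a given box.

```python
# Added example: flag successful sshd logins that fall outside an allowlist.
# Assumes the syslog format FreeBSD's sshd writes to /var/log/auth.log; the
# host, users, addresses and log lines below are constructed sample data.
import ipaddress
import re

# Matches "sshd[<pid>]: Accepted <method> for <user> from <ip> port <n>".
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)

# Where each legitimate shell user is expected to log in from (constructed).
# A user missing from this table is never expected to log in interactively.
EXPECTED = {
    "jbell": [ipaddress.ip_network("24.99.220.0/24")],
    "backup": [ipaddress.ip_network("192.0.2.10/32")],
}

def successful_logins(lines):
    """Yield (user, method, source_ip) for every accepted sshd login."""
    for line in lines:
        m = ACCEPTED.search(line)
        if m:
            yield m["user"], m["method"], ipaddress.ip_address(m["src"])

def unexpected_logins(lines, expected=EXPECTED):
    """Return accepted logins whose user or source address is not allowlisted.
    Failed attempts are deliberately ignored: the successes are what matter."""
    flagged = []
    for user, method, src in successful_logins(lines):
        if not any(src in net for net in expected.get(user, [])):
            flagged.append((user, method, str(src)))
    return flagged

# Constructed auth.log excerpt: a guessing run from 203.0.113.5 that
# eventually succeeds against a weak "test" account.
SAMPLE_LOG = """\
May 22 16:13:19 web1 sshd[812]: Accepted password for jbell from 24.99.220.144 port 51234 ssh2
May 22 16:13:20 web1 sshd[813]: Failed password for invalid user admin from 203.0.113.5 port 4444 ssh2
May 22 16:13:21 web1 sshd[814]: Failed password for root from 203.0.113.5 port 4445 ssh2
May 22 16:13:22 web1 sshd[815]: Accepted password for test from 203.0.113.5 port 4446 ssh2
May 22 16:13:23 web1 sshd[816]: Accepted publickey for backup from 192.0.2.10 port 40000 ssh2
""".splitlines()

if __name__ == "__main__":
    for user, method, src in unexpected_logins(SAMPLE_LOG):
        print(f"ALERT: unexpected {method} login for {user} from {src}")
```

On a real host, feed it `tail -F /var/log/auth.log` instead of the sample and route the alert line to mail or syslog; the noise from failed guesses never reaches the alert, which is what makes this manageable with many shell users.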