Date: Sun, 22 May 2005 15:42:28 -0500
From: Chris <racerx@makeworld.com>
To: Jerry Bell <jbell@stelesys.com>
Cc: John DeStefano <john.destefano@gmail.com>, freebsd-questions@freebsd.org
Subject: Re: securing SSH, FBSD systems
Message-ID: <4290EEB4.9070502@makeworld.com>
In-Reply-To: <1368.24.99.220.144.1116792799.squirrel@24.99.220.144>
References: <f2160e0d05052205454e6071d5@mail.gmail.com> <1368.24.99.220.144.1116792799.squirrel@24.99.220.144>
Jerry Bell wrote:
> These attacks are almost exclusively automated, looking to install a
> script to launch spam runs from. They're essentially trying common
> username and weak password combinations - blank password, passwords the
> same as the user name, abc123, etc. There are four things you can do to
> improve the security of sshd:
>
> 1. Move sshd to listen on a different port. This will not protect against
> a concerted attack, though.
>
> 2. Check for weak passwords. John the Ripper can help out with that.
> pam_passwdqc(8) can help you enforce strong passwords.
>
> 3. Integrate an automated log monitoring system that looks for
> *successful* logins, since those are really what you're worried about
> anyway. This can be difficult to manage if you have a lot of regular
> shell users.
>
> 4. Keep up-to-date with security patches and advisories. Attacking your
> system through password guessing is much harder than using a vulnerability
> in sshd or some other service.
>
> I have a security guide for FreeBSD at:
> http://www.syslog.org/Content-5-4.phtml

5. (and my favorite) If running IPFW, use something like this if you don't
need ssh open to the whole of the internet. Narrow it down to the range of
IPs you need, i.e.:

    # Allow in SFTP, SSH, and SCP from only certain public IPs
    ${fwcmd} add 090 pass log tcp from xxx.xxx.xxx.xxx/29 to ${ip} 22 setup limit src-addr 4

What this does is allow up to 4 connects via ssh on port 22 from a
specified address range (or IP or class).

-- 
Best regards,
Chris

If an idea can survive a bureaucratic review and be implemented, it wasn't
worth doing.
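As an added example (not code from either poster), the following sh script puts Jerry's point 3 and Chris's point 5 together: it pulls the *successful* logins out of sshd's syslog lines and flags any whose source address falls outside the range you intended the ipfw rule to admit. The log lines are constructed for the example, the allowed range 192.0.2.8/29 stands in for the "xxx.xxx.xxx.xxx/29" in the rule, and the parser assumes OpenSSH's "Accepted <method> for <user> from <ip> port ..." format with IPv4 sources.

```sh
#!/bin/sh
# Added example (not from the thread): report successful sshd logins and
# alert on any that come from outside the address range you meant to allow
# (the same range you would put in the ipfw rule). Assumes OpenSSH's
# syslog line format and IPv4 source addresses.

# Constructed sample log lines, in the format sshd writes to /var/log/auth.log.
SAMPLE_LOG='May 22 15:40:01 host sshd[812]: Failed password for invalid user test from 198.51.100.7 port 40112 ssh2
May 22 15:40:03 host sshd[812]: Failed password for root from 198.51.100.7 port 40112 ssh2
May 22 15:41:10 host sshd[815]: Accepted publickey for chris from 192.0.2.10 port 51234 ssh2
May 22 15:42:28 host sshd[819]: Accepted password for root from 198.51.100.7 port 40220 ssh2'

# Dotted-quad IPv4 address -> 32-bit integer (e.g. 192.0.2.10 -> 3221225994).
ip_to_int() {
    _saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/BITS: succeed (exit 0) if ADDR lies inside NET/BITS.
in_cidr() {
    _addr=$(ip_to_int "$1")
    _net=$(ip_to_int "${2%/*}")
    _bits=${2#*/}
    _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
    [ $(( _addr & _mask )) -eq $(( _net & _mask )) ]
}

# Read sshd log lines on stdin; print "user source-ip method" for each
# accepted login. Failed attempts are ignored: they are the noise, and the
# successful ones are what you actually need to look at.
successful_logins() {
    sed -n 's/.*sshd\[[0-9]*\]: Accepted \([a-z]*\) for \([^ ]*\) from \([0-9.]*\) port .*/\2 \3 \1/p'
}

# audit_logins NET/BITS: report every successful login, marking those whose
# source lies outside the allowed range as ALERT lines.
audit_logins() {
    _allowed=$1
    successful_logins | while read -r user src method; do
        if in_cidr "$src" "$_allowed"; then
            echo "ok    $user from $src ($method)"
        else
            echo "ALERT $user from $src ($method): outside $_allowed"
        fi
    done
}

# alert_count NET/BITS: number of ALERT lines (useful from cron, to mail
# only when something needs attention).
alert_count() {
    audit_logins "$1" | grep -c ALERT
}

# Example run over the constructed sample. On a real host you would use:
#   grep sshd /var/log/auth.log | audit_logins 192.0.2.8/29
printf '%s\n' "$SAMPLE_LOG" | audit_logins 192.0.2.8/29
```

On the sample above the script prints one "ok" line (chris, by public key, from inside the range) and one "ALERT" line (root, by password, from 198.51.100.7). A root login by password from an address the firewall should have blocked is exactly the event worth paging on; the failed attempts that precede it are just the background scan Jerry describes.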
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4290EEB4.9070502>