From: Chris <racerx@makeworld.com>
Date: Sun, 22 May 2005 15:42:28 -0500
To: Jerry Bell
Cc: John DeStefano, freebsd-questions@freebsd.org
Subject: Re: securing SSH, FBSD systems
Message-ID: <4290EEB4.9070502@makeworld.com>
In-Reply-To: <1368.24.99.220.144.1116792799.squirrel@24.99.220.144>
Jerry Bell wrote:

> These attacks are almost exclusively automated, looking to install a
> script to launch spam runs from. They're essentially trying common
> username and weak password combinations - blank password, passwords the
> same as the user name, abc123, etc. There are four things you can do to
> improve the security of sshd:
>
> 1. Move sshd to listen on a different port. This will not protect against
>    a concerted attack, though.
> 2. Check for weak passwords. John the Ripper can help out with that.
>    pam_passwdqc(8) can help you enforce strong passwords.
> 3. Integrate an automated log monitoring system that looks for
>    *successful* logins, since those are really what you're worried about
>    anyway. This can be difficult to manage if you have a lot of regular
>    shell users.
> 4. Keep up-to-date with security patches and advisories. Attacking your
>    system through password guessing is much harder than using a vulnerability
>    in sshd or some other service.
>
> I have a security guide for FreeBSD at:
> http://www.syslog.org/Content-5-4.phtml

5. (and my favorite) If running IPFW, use something like this if you don't
   need ssh open to the whole of the internet. Narrow it down to a range of
   IPs you need, i.e.:

    # Allow in SFTP, SSH, and SCP from only certain public IPs
    ${fwcmd} add 090 pass log tcp from xxx.xxx.xxx.xxx/29 to ${ip} 22 setup limit src-addr 4

   What this does is allow up to 4 connections via ssh on port 22 from a
   specified address range (or IP or class).

--
Best regards,
Chris

If an idea can survive a bureaucratic review and be implemented, it
wasn't worth doing.