Date:      Sat, 20 Mar 2010 16:32:28 +0100
From:      Erik Norgaard <norgaard@locolomo.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: securing sshd
Message-ID:  <4BA4EA8C.3090702@locolomo.org>
In-Reply-To: <201003201318.o2KDIcIt001241@fix.fantomatic.co.uk>
References:  <201003201318.o2KDIcIt001241@fix.fantomatic.co.uk>

On 20/03/10 14:18, Jamie Griffin wrote:

> I've been reading up on securing sshd after being bombarded with attempted logins.

Hi!

First step to ssh security is: Don't panic! Take your time to read the 
logs and understand what's going on. So, you've been bombarded with login 
attempts, but they failed. Just because there is some log entry doesn't 
mean you have to act on it.

I recall reading an analysis of this kind of brute force attack on 
securityfocus.com. These brute force attacks are pretty harmless if 
you've got basic security in place.

This was also discussed on the list two weeks ago, check the archives.

> * Disabled root login by ssh in /etc/ssh/sshd_config

Good, if you read the logs you will see that about 50% of the attempts 
are against the root account.

> * Set myself as the only user able to login by ssh

Good, if you read the logs you will see that about 40% of the attempts 
are against standard unix accounts, and guest. The remaining are against 
randomly generated user names usually based on common names (john, 
smith, etc.); you can get this statistic from your logs.

> * Disabled password logins completely, and to only allow public key authentication

This seems good for security, but not always practical. Now you have to 
walk around with a USB or have keys on your laptop, and if you lose the 
USB or the laptop gets stolen you can't get access. Worse, you can't 
revoke the keys till you get back home.

> * Changed the default ssh port from 22 to something much higher

Number is irrelevant and I discourage this. If you ever find yourself 
behind somebody else's firewall, if access is enabled it is enabled for 
the default port.

> I'm the only user that will ever need to log into the machine. I wondered, does this setup seem ok and are there any other methods used by anyone on list that might help me to secure remote logins even further?

Since you're the only one on that system, you know where you're going to 
connect from, at least roughly. Why allow connections from anywhere?

Restrict the client access to certain ranges of IPs. The different 
registries publish IP ranges assigned per country and you can create a 
list blocking countries you are certain not to visit. You can use my script:

     http://www.locolomo.org/pub/src/toolbox/inet.pl

The last things I can think of are not to have your user name as in your 
mail address, not to have your mail password as your unix account password, and 
to remember to password protect your ssh keys. Run other services such as 
mail, http, dns etc. in jails - if possible separate jails. All this 
depends on your paranoia.

BR, Erik
-- 
Erik Nørgaard
Ph: +34.666334818/+34.915211157                  http://www.locolomo.org
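Two pieces of advice in the reply above lend themselves to a small worked example: pull the "which accounts are being hit" statistic out of the sshd log instead of reacting to every entry, and check whether the sources even fall inside the address ranges you expect to connect from. The script below is an added illustration and is not part of the thread, nor is it Erik's inet.pl; it assumes OpenSSH-style "Failed password for ..." syslog lines, uses a constructed sample log with documentation-only addresses, a small illustrative set of "standard" account names, and an allow-list CIDR that is an assumption for the example.

```python
"""Classify failed sshd login attempts and flag sources outside expected ranges.

Added example (not from the mailing-list thread): it reproduces the kind
of statistic the reply suggests reading from the logs (share of attempts
against root, against standard Unix accounts, and against other names) and
lists source addresses that fall outside an allow-list of CIDR ranges.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in OpenSSH syslog style (assumption: the format is
# "Failed password for [invalid user] NAME from IP port N ssh2").
SAMPLE_LOG = """\
Mar 20 14:01:02 fix sshd[1201]: Failed password for root from 203.0.113.7 port 41022 ssh2
Mar 20 14:01:05 fix sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 41030 ssh2
Mar 20 14:01:09 fix sshd[1205]: Failed password for invalid user guest from 203.0.113.7 port 41041 ssh2
Mar 20 14:01:12 fix sshd[1207]: Failed password for invalid user john from 198.51.100.23 port 55010 ssh2
Mar 20 14:01:15 fix sshd[1209]: Failed password for root from 198.51.100.23 port 55011 ssh2
Mar 20 14:02:30 fix sshd[1211]: Accepted publickey for jamie from 192.0.2.10 port 50022 ssh2
"""

# Matches only failed password attempts; successful key logins are ignored.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F:.]+) port \d+"
)

# Account names that commonly exist on a stock Unix system or are tried as
# such (assumption: a small illustrative subset, not an exhaustive list).
STANDARD_ACCOUNTS = {
    "admin", "guest", "www", "mysql", "postgres", "test",
    "oracle", "ftp", "nobody", "operator",
}


def classify(user):
    """Bucket a target account name the way the reply describes the log split."""
    if user == "root":
        return "root"
    if user in STANDARD_ACCOUNTS:
        return "standard"
    return "other"


def parse_failed_logins(text):
    """Return a list of (user, ip, category) for each failed password attempt."""
    attempts = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            attempts.append((m["user"], m["ip"], classify(m["user"])))
    return attempts


def attempt_shares(attempts):
    """Percentage of attempts per category, rounded to one decimal place."""
    total = len(attempts)
    if total == 0:
        return {}
    counts = Counter(category for _, _, category in attempts)
    return {cat: round(100.0 * n / total, 1) for cat, n in counts.items()}


def unexpected_sources(attempts, allowed_cidrs):
    """Sorted source IPs that fall outside every allowed CIDR range."""
    networks = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    outside = set()
    for _, ip, _ in attempts:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in networks):
            outside.add(ip)
    return sorted(outside)


if __name__ == "__main__":
    failed = parse_failed_logins(SAMPLE_LOG)
    print(attempt_shares(failed))
    # Assumed allow-list: only the 192.0.2.0/24 range is expected to connect.
    print(unexpected_sources(failed, ["192.0.2.0/24"]))
```

Run against a real log, the percentages tell you whether the noise is the generic root/standard-account sweep the reply describes, and the second function gives a list of ranges you might feed into a firewall or a `ListenAddress`/`AllowUsers`-style restriction once you have decided which networks you actually connect from.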