Date: Sat, 20 Mar 2010 16:32:28 +0100
From: Erik Norgaard <norgaard@locolomo.org>
To: freebsd-questions@freebsd.org
Subject: Re: securing sshd
Message-ID: <4BA4EA8C.3090702@locolomo.org>
In-Reply-To: <201003201318.o2KDIcIt001241@fix.fantomatic.co.uk>
References: <201003201318.o2KDIcIt001241@fix.fantomatic.co.uk>
On 20/03/10 14:18, Jamie Griffin wrote:
> I've been reading up on securing sshd after being bombarded with attempted logins.

Hi!

First step to ssh security is: Don't panic! Take your time to read the logs and understand what's going on. So, you've got bombarded with login attempts, but they failed. Just because there is some log entry doesn't mean you have to act on it.

I recall reading an analysis of these kinds of brute force attacks on securityfocus.com. These brute force attacks are pretty harmless if you've got basic security in place. This was also discussed on the list two weeks ago, check the archives.

> * Disabled root login by ssh in /etc/ssh/sshd_config

Good, if you read the logs you will see that about 50% of the attempts are against the root account.

> * Set myself as the only user able to login by ssh

Good, if you read the logs you will see that about 40% of the attempts are against standard unix accounts, and guest. The remaining are against randomly generated user names usually based on common names (john, smith, etc); you can get this statistic from your logs.

> * Disabled password logins completely, and to only allow public key authentication

This seems good for security, but not always practical. Now you have to walk around with a USB or have keys on your laptop, and if you lose the USB or the laptop gets stolen you can't get access. Worse, you can't revoke the keys till you get back home.

> * Changed the default ssh port from 22 to something much higher

Number is irrelevant and I discourage this. If you ever find yourself behind somebody else's firewall, if access is enabled it is enabled for the default port.

> I'm the only user that will ever need to log into the machine. I wondered, does this setup seem ok and are there any other methods used by anyone on list that might help me to secure remote logins even further?

Since you're the only one on that system, you know where you're going to connect from, at least roughly. Why allow connections from anywhere? Restrict the client access to certain ranges of IPs. The different registries publish ip ranges assigned per country and you can create a list blocking countries you are certain not to visit; you can use my script:

http://www.locolomo.org/pub/src/toolbox/inet.pl

The last things I can think of are not to have your user name as in your mail address, not have your mail password as your unix account password, and remember to password protect your ssh keys.

Run other services such as mail, http, dns etc. in jails - if possible separate jails.

All this depends on your paranoia.

BR, Erik

-- 
Erik Nørgaard
Ph: +34.666334818/+34.915211157
http://www.locolomo.org
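Erik's advice above is to read the logs first and work out which accounts the attempts target (root, standard accounts, random names) and where they come from. The following POSIX shell snippet is an added example, not part of the original thread or Erik's toolbox, that tallies failed sshd password attempts from OpenSSH log lines. The log lines embedded in it are constructed for illustration (hostname "fix", TEST-NET addresses); on a real FreeBSD host you would feed it /var/log/auth.log instead.

```shell
#!/bin/sh
# Added example: summarise failed sshd logins by target account and source.
# SAMPLE_LOG is constructed test data in OpenSSH's auth.log format; the
# hostname, PIDs and addresses are placeholders, not real observations.
SAMPLE_LOG='Mar 20 14:18:01 fix sshd[1241]: Invalid user admin from 203.0.113.7
Mar 20 14:18:02 fix sshd[1241]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 20 14:18:05 fix sshd[1243]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 20 14:18:07 fix sshd[1245]: Failed password for root from 198.51.100.9 port 40001 ssh2
Mar 20 14:18:09 fix sshd[1247]: Failed password for invalid user guest from 198.51.100.9 port 40002 ssh2
Mar 20 14:18:11 fix sshd[1249]: Failed password for invalid user john from 198.51.100.9 port 40003 ssh2
Mar 20 14:18:13 fix sshd[1251]: Accepted publickey for jamie from 192.0.2.44 port 22222 ssh2'

# Print "count user" for each account hit by a failed password attempt,
# most frequent first. "invalid user" marks names that do not exist locally.
failed_by_user() {
    printf '%s\n' "$1" |
    sed -n 's/.*Failed password for \(invalid user \)\{0,1\}\([^ ]*\) from .*/\2/p' |
    sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Share of failed password attempts aimed at root, as an integer percentage.
root_share() {
    printf '%s\n' "$1" | awk '
        /Failed password for/          { total++ }
        /Failed password for root from/ { root++ }
        END { if (total == 0) print 0; else printf "%d\n", 100 * root / total }'
}

# Distinct source addresses behind the failed attempts, one per line.
# This is the list to compare against the ranges you actually connect from.
failed_sources() {
    printf '%s\n' "$1" |
    sed -n 's/.*Failed password for .* from \([0-9.]*\) port .*/\1/p' | sort -u
}

# Stand-alone usage: replace SAMPLE_LOG with "$(cat /var/log/auth.log)".
echo "failed attempts by account:"; failed_by_user "$SAMPLE_LOG"
echo "root share: $(root_share "$SAMPLE_LOG")%"
echo "sources:"; failed_sources "$SAMPLE_LOG"
```

Successful "Accepted" lines are deliberately ignored, so the counts reflect only the noise Erik describes; the "invalid user" prefix in the output distinguishes guesses at non-existent names from attempts against accounts that really exist on the box, which are the ones worth a second look.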