Tim Alberts wrote:
So I setup ssh on a server so I could do some work from home and I
think the second I opened it every sorry monkey from around the world
has been trying every account name imaginable to get into the system.
What's a good way to deal with this?
- keep your ssh up to date.
- only enable protocol version 2
- disable root login
- create a group and only allow login to members of this group.
- the authorized users should have a strong password, if password
authentication is enabled
- better not use logins that are the same as email addresses as these
can be eaisly harvested and tried.
- use public key authentication
- depending on your situation, you can disable password authentication.
however, make sure you don't lock yourself. also, if your users need to
connect from anywhere, they can't use a key (except if they have a usb
key or the like)
- if possible, only allow access from a specific set of IPs/networks.
- "rate limit". you can use iptables recent module to catch multiple
attempts.
- "punish". you can parse your logs and add offenders to a blacklist (to
be used in iptables). denyhosts, fail2ban, ... can be used here. make
sure not to lock yourself. so always have a rule to allow access from
some trusted IP before the rule that blocks access.
- you can restrict access to IPv6, IPSec or any VPN if you can always
use these. but if you have a VPN, you may or may not need ssh.
- if you have multiple machines, consider allowing free access to only
few of these, and then use them as gateways. not very practical though.
- change the port. while this doesn't make your system more secure, your
logs will become silent. This may not be practical (need to specify the
port in scripts... etc). you can use two ports (using two Port
statements in sshd_config) and have different configurations (only allow
port 22 from specific networks for example).
- a log parser could run geoiplookup and add IPs to an iptables
blacklist if they are in a "far away" country.
- you can add a "pre-authorization" mechanism: user must do something
before trying to ssh. In these web days, a web form is both easy to
setup and use (compare this to "port knocking", SPA, ...). One problem
here is that you don't want to give the web user the ability to change
your iptables configuration without extreme care.
- configure a banner so that your users get used to see it. if they
connect and don't see your banner, they should alert you. (
Note. if your users connect with passwords from "unsafe" places,
keyloggers and the like can steal their login/password or their key file
and passphrase.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
