Igor Sobrado wrote:
> In message <[EMAIL PROTECTED]>, Stuart Henderson writes:
> > On 2006/11/23 15:14, Igor Sobrado wrote:
> > >   2. There are a lot of brute force attacks from countries like
> > >      Korea these days.  These attacks will be less effective if
> > >      the intruders get access to an unprivileged account (even if
> > >      it is in the wheel group).
> > On a typical system, these are better blocked at the firewall.
> > If you need offsite SSH access from unknown IP addresses, you can
> > use authpf to open the ports instead, which gives you a single
> > point of control.
>
> Indeed, it is possible to block these services at the firewall,
> but it is not a clean answer to the problem.  I certainly would
> prefer changing the behaviour of sshd on a freshly installed system
> to setting up a firewall with an ever-growing list of hostile machines.
> On the other hand, I see that, once the brute force attack ends
> (usually in some hours), that machine will not make contact again
> (these brute force attacks are probably part of a more general
> scanning tool).  These machines have dynamic addresses and there is
> a small chance of blocking addresses that could be used by authorized
> users in the future too.
>
> > >   Some of these tools try passwords that I would not call
> > >   "low-quality ones".
> > "PasswordAuthentication no" is quite effective against this.
>
> Indeed, using certificates is an excellent choice too.  I suppose
> that OpenBSD currently supports using certificates stored on
> removable media.  A bit hard to configure, but highly secure.
> > Indeed.
>
> Cheers,
> Igor.

I block brute force attacks using PF. They get a small set of attempts before they are blocked. Very trivial.

# the table that overload fills; persist keeps it across rule reloads
table <scanners> persist

pass in on $ext_if proto tcp to $ext_if port ssh flags S/SA \
       keep state (max-src-conn-rate 5/40, overload <scanners>)
block in log on $ext_if proto tcp from <scanners> to $ext_if port ssh

Voilà, I still have root access, with a hard-to-guess password, and people trying to brute force me are blocked. Of course, there could be a "distributed" brute force attack... but how paranoid do you want to get??

I also rely on having the ability to install/upgrade remotely and ssh into the system post install. With root access blocked off, well...kind of hard!

Cheers,
Steve W.
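As an added illustration (not from Steve's mail or from PF itself), a small Python model of what max-src-conn-rate 5/40 with overload <scanners> does to the two kinds of source the thread talks about: a fast single-source brute forcer, and the slow or distributed one Steve concedes slips through. The attempt list is constructed, and PF's real rate estimate is a moving average, so the exact tripping connection is a simplification.

```python
from collections import defaultdict, deque

# Constructed sample of inbound SSH connection attempts (seconds, source),
# standing in for what PF would see on $ext_if port ssh. Not real traffic.
ATTEMPTS = [
    (0, "203.0.113.7"), (5, "203.0.113.7"), (9, "203.0.113.7"),
    (14, "203.0.113.7"), (20, "203.0.113.7"),
    (24, "203.0.113.7"),                          # 6th in 40 s: exceeds 5/40
    (30, "203.0.113.7"),                          # now hits the block rule
    (0, "198.51.100.4"), (45, "198.51.100.4"),    # one try per 45 s: the
    (90, "198.51.100.4"), (135, "198.51.100.4"),  # window never holds > 5
]

def simulate(attempts, max_conn=5, window=40):
    """Model max-src-conn-rate max_conn/window with overload <scanners>.

    Returns (scanners, decisions); decisions is a list of (ts, src, action)
    with action "pass", "overload" (source added to the table) or "block".
    Simplification: PF estimates the rate with a moving average, so the
    connection that actually trips the limit may differ by one or two.
    """
    recent = defaultdict(deque)   # per-source timestamps inside the window
    scanners = set()              # stands in for the <scanners> table
    decisions = []
    for ts, src in sorted(attempts):
        if src in scanners:
            decisions.append((ts, src, "block"))   # block ... from <scanners>
            continue
        q = recent[src]
        while q and ts - q[0] > window:            # slide the window forward
            q.popleft()
        q.append(ts)
        if len(q) > max_conn:                      # rate exceeded: overload
            scanners.add(src)
            decisions.append((ts, src, "overload"))
        else:
            decisions.append((ts, src, "pass"))
    return scanners, decisions

def blocked_count(decisions):
    """Number of attempts that matched the block rule."""
    return sum(1 for _, _, action in decisions if action == "block")

if __name__ == "__main__":
    scanners, decisions = simulate(ATTEMPTS)
    for ts, src, action in decisions:
        print(f"t={ts:>4}s {src:<14} {action}")
    print("in <scanners>:", sorted(scanners))
```

The slow source never accumulates more than one attempt inside any 40 s window, which is exactly why a low-rate or distributed run is not caught by this rule alone.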
