[CentOS] Re: Ideas for stopping ssh brute force attacks
In article <[EMAIL PROTECTED]>, Michael Semcheski <[EMAIL PROTECTED]> wrote:
>
> How do you get the keys to the server the first time after they're
> generated? It's kind of a chicken-and-egg problem without password
> authentication -- that's why I still have passwords turned on
> (but require __very__ strong passwords.)

I start off with password authentication enabled, then scp my authorized_keys file to the server, check my keys work, and then disable passwords in sshd.

Cheers
Tony
--
Tony Mountifield
Work: [EMAIL PROTECTED] - http://www.softins.co.uk
Play: [EMAIL PROTECTED] - http://tony.mountifield.org
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
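Tony's sequence, written out as a script. This is an added example, not code from the thread; the host name, key path and the CentOS-era "service sshd reload" are assumptions. rollout_key() talks to a real host and is only defined here. The part worth getting right is the sshd_config rewrite: on a PAM-enabled sshd, "PasswordAuthentication no" alone still lets passwords through via the keyboard-interactive method unless "ChallengeResponseAuthentication" is also off, so the transform sets both, replaces existing (even commented-out) copies of the directives, and appends any that are missing before the first Match block, where they still apply globally. It is demonstrated on a constructed copy of sshd_config, not the live one.

```shell
#!/bin/sh
# Added example, not from the thread: Tony's key-first-then-lock-down sequence.
# Assumptions: host "server.example", an RSA key at ~/.ssh/id_rsa, CentOS-era
# "service sshd reload". rollout_key() talks to a real host and is only defined
# here; harden_sshd_config() is a pure text transform, demonstrated on a
# constructed copy of sshd_config below.
set -eu

# Steps 1-3: create a key, install it while passwords still work, and prove a
# key-only login succeeds BEFORE sshd is touched. BatchMode=yes makes ssh fail
# outright rather than fall back to a password prompt, so a passing "true" here
# means the key really is what got you in.
rollout_key() {
  host="$1"
  key="${2:-$HOME/.ssh/id_rsa}"
  [ -f "$key" ] || ssh-keygen -t rsa -b 4096 -f "$key"
  ssh-copy-id -i "$key.pub" "$host"        # Tony's scp of authorized_keys
  ssh -o BatchMode=yes -o PasswordAuthentication=no -i "$key" "$host" true
}

# Step 4: rewrite sshd_config in place. Sets PasswordAuthentication no and
# PubkeyAuthentication yes, and also ChallengeResponseAuthentication no: with
# UsePAM yes (the CentOS default) passwords are still accepted through PAM's
# keyboard-interactive method if that is left on. Existing (even commented-out)
# copies of the three directives are replaced; missing ones are appended, but
# before any "Match" block, since directives after a Match apply only to it.
harden_sshd_config() {
  cfg="$1"
  awk '
    function emit_missing() {
      if (!pw) { print "PasswordAuthentication no"; pw = 1 }
      if (!cr) { print "ChallengeResponseAuthentication no"; cr = 1 }
      if (!pk) { print "PubkeyAuthentication yes"; pk = 1 }
    }
    in_match { print; next }                 # leave Match blocks untouched
    /^[ \t]*Match[ \t]/ { emit_missing(); in_match = 1; print; next }
    /^[# \t]*PasswordAuthentication[ \t]/ {
      if (!pw) { print "PasswordAuthentication no"; pw = 1 }; next }
    /^[# \t]*ChallengeResponseAuthentication[ \t]/ {
      if (!cr) { print "ChallengeResponseAuthentication no"; cr = 1 }; next }
    /^[# \t]*PubkeyAuthentication[ \t]/ {
      if (!pk) { print "PubkeyAuthentication yes"; pk = 1 }; next }
    { print }
    END { emit_missing() }
  ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Step 5: syntax-check before reloading; a typo here locks you out. Keep the
# current session open and test a fresh login from another terminal.
check_and_reload() {
  sshd -t -f "$1" && service sshd reload
}

# Demonstration on a constructed sample that mimics stock CentOS defaults.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE" "$SAMPLE.tmp"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample sshd_config
Port 22
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
EOF
harden_sshd_config "$SAMPLE"
cat "$SAMPLE"
```

Run the real sequence as rollout_key server.example, then harden_sshd_config /etc/ssh/sshd_config and check_and_reload /etc/ssh/sshd_config, in that order and without closing the session you are already in.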
[CentOS] Re: Ideas for stopping ssh brute force attacks
on 7-22-2008 2:45 PM Les Bell spake the following:
> "David Dyer-Bennet" <[EMAIL PROTECTED]> wrote:
>
> >>
> Yes, but if there are *any* ports exposed, seems like those are equally
> possible.
> <<
>
> Sort of. Changing the port used by sshd stops the completely clueless
> script kiddies, since they don't even bother looking at anything other
> than port 22. Putting it way up high, among the ephemeral ports, will
> slow down the slightly more clueful who perform nmap scans, since nmap
> only scans around 1500 ports by default, and if sshd isn't running on
> one of those, they won't spot it.
>
> However, it won't deter the intelligent or curious attacker; these guys
> will scan all ports (slowly, so you may not even notice them) and they
> will use banner enumeration to identify the services, rather than
> assuming.
>
> Moving sshd to a non-standard port is one of the worst examples of
> relying on security by obscurity. Its only advantage is that it cuts
> out some noise in the logs, but proper precautions do that as well,
> without lulling you into a false sense of security.
>
> Rate limiting, combined with enforcement of really strong passwords, or
> even better, public/private key authentication, is real security.
>
> A useful additional layer of defence, if you want it, is a daemon that
> will watch for port scans on the simple services ports and immediately
> insert a firewall rule to block that source - such as the old
> PortSentry, if you can find it, or some more modern equivalent. Of
> course, this won't do much to defend against some types of stealthy
> scans, such as idle time scans.

Portsentry is still available on sourceforge I believe. But who knows if it will still work or even compile. It was written back in the 2.2 kernel days.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't
Re: [CentOS] Re: Ideas for stopping ssh brute force attacks
Scott Silva <[EMAIL PROTECTED]> wrote:

>>
Portsentry is still available on sourceforge I believe.
<<

Good call - http://sourceforge.net/projects/sentrytools/ shows they were uploaded back in 2003 and it looks like nothing has happened since then. There must be more modern equivalents, surely?

Best,

--- Les Bell, RHCE, CISSP [http://www.lesbell.com.au]
Tel: +61 2 9451 1144
FreeWorldDialup: 800909
Re: [CentOS] Re: Ideas for stopping ssh brute force attacks
On Wed, 23 Jul 2008 10:10:14 +1000, Les Bell wrote
> Scott Silva <[EMAIL PROTECTED]> wrote:
>
> >>
> Portsentry is still available on sourceforge I believe.
> <<
>
> Good call - http://sourceforge.net/projects/sentrytools/ shows they were
> uploaded back in 2003 and it looks like nothing has happened since then.
> There must be more modern equivalents, surely?

I wrote a Perl daemon that I use to tail service log files. Initially it was a Postfix log scanner that looked for unknown address attempts, relay attempts, and honey pot email addresses that I embedded in my web pages. When any of these hits turned up in the mail log, the sender's IP was added to the iptables rules. My goal was to cut down on spam. It helped some, but not enough to call it a complete success. But it's very modular.

I started having some problems with brute force ftp attacks. Very annoying, kept filling up the log files (and my log partition) with chaff. So I wrote another module for my daemon to scan the ftp logs as well and firewall any IP that failed to log in after 10 tries (a 3 hour time out). This was very successful and now ftp crack attacks are a thing of the past.

I've never had ssh problems. My ssh port rules limited it to a few known IP addresses that I may need remote access from. But my Perl daemon could be easily expanded with another module to scan for ssh attacks. Provided you've got some Perl experience and time to hack (I'm hog-tied for the next while).

Scott
--
Registered Linux user #395249, http://counter.li.org
Nothing goes to waste when Little Fish are near! (http://www.littlefish.ca)
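What Scott's daemon does for ftp, applied to sshd, and the "insert a firewall rule to block that source" layer Les mentioned: scan the auth log, count failed logins per source address, and for every address at or over the threshold emit an iptables DROP plus an at(1) job that removes that exact rule when the timeout expires (Scott's 10 tries and 3 hours are the defaults). This is an added example, not code from the thread and not Scott's Perl daemon; the log lines are constructed, port 22 is assumed, and the commands are printed rather than executed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread and not Scott's Perl daemon: the same idea
# for sshd, in awk. Count "Failed password" lines per source IP in an auth log
# and block any IP at or over THRESHOLD, scheduling removal of the rule with
# at(1) so the block expires. Commands are printed unless APPLY=1 (root needed).
set -eu

THRESHOLD=${THRESHOLD:-10}            # Scott's "10 tries"
BLOCK_FOR=${BLOCK_FOR:-"3 hours"}     # Scott's "3 hour time out"

# Print "count ip", highest first, for every IP with >= $2 failures in file $1.
# OpenSSH logs both forms below; the IP is always the word after "from":
#   sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
#   sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port ...
# "Invalid user X from IP" lines are deliberately not counted: each one is
# followed by a "Failed password" line for the same attempt.
ssh_offenders() {
  awk -v thr="$2" '
    /sshd\[[0-9]+\]: Failed password for / {
      for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
    }
    END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }
  ' "$1" | sort -rn
}

# Block new SSH connections from one IP and queue the matching -D for later.
# Deleting by the exact same rule spec removes only our rule, nothing else.
block_ip() {
  rule="INPUT -s $1 -p tcp --dport 22 -j DROP"
  if [ "${APPLY:-0}" = 1 ]; then
    iptables -I $rule
    echo "iptables -D $rule" | at now + $BLOCK_FOR
  else
    echo "iptables -I $rule"
    echo "echo 'iptables -D $rule' | at now + $BLOCK_FOR"
  fi
}

scan_and_block() {
  ssh_offenders "$1" "$THRESHOLD" | while read -r count ip; do
    echo "# $ip: $count failures"
    block_ip "$ip"
  done
}

# Constructed sample log: 12 failures from one host, 2 from another, one
# legitimate key login, and an Invalid-user line that must not be counted.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
i=0
while [ "$i" -lt 12 ]; do
  printf 'Jul 22 14:45:%02d host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port %d ssh2\n' "$i" $((51000 + i)) >> "$LOG"
  i=$((i + 1))
done
cat >> "$LOG" <<'EOF'
Jul 22 14:46:00 host sshd[2210]: Invalid user test from 198.51.100.4
Jul 22 14:46:01 host sshd[2210]: Failed password for invalid user test from 198.51.100.4 port 40001 ssh2
Jul 22 14:46:05 host sshd[2211]: Failed password for root from 198.51.100.4 port 40002 ssh2
Jul 22 14:47:00 host sshd[2215]: Accepted publickey for tony from 192.0.2.10 port 50100 ssh2
EOF
scan_and_block "$LOG"
```

Run it from cron against /var/log/secure to get the batch version of Scott's tailer; the awk counts everything since the last log rotation rather than a sliding window, so on a busy host lower the threshold or rotate more often. The kernel can do the rate-limiting part on its own with the iptables "recent" match, which Les's advice also covers; this script is the log-driven block-and-expire layer on top of that.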