Re: [CentOS] Ideas for stopping ssh brute force attacks
nightduke wrote:
> Visit official site to grab latest OpenSSH 5.1

Great idea. Why not do that for all software on your system? And then track all security updates for yourself instead of relying on the distributor to do so?

Ralph
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Ideas for stopping ssh brute force attacks
Visit official site to grab latest OpenSSH 5.1

2008/7/23 Bowie Bailey <[EMAIL PROTECTED]>:
> Florin Andrei wrote:
>> Bowie Bailey wrote:
>> >
>> > I know it's "security through obscurity"
>>
>> That's not necessarily a bad thing.
>>
>> It is bad if it's the _only_ protection.
>
> Right. I was just trying to head off the inevitable objections.
>
> Not that it worked... :)
>
> --
> Bowie
RE: [CentOS] Ideas for stopping ssh brute force attacks
Florin Andrei wrote:
> Bowie Bailey wrote:
> >
> > I know it's "security through obscurity"
>
> That's not necessarily a bad thing.
>
> It is bad if it's the _only_ protection.

Right. I was just trying to head off the inevitable objections.

Not that it worked... :)

--
Bowie
Re: [CentOS] Ideas for stopping ssh brute force attacks
Bowie Bailey wrote:
> I know it's "security through obscurity"

That's not necessarily a bad thing.

It is bad if it's the _only_ protection.

--
Florin Andrei
http://florin.myip.org/
Re: [CentOS] Ideas for stopping ssh brute force attacks
No method is perfect, but something that seems to work ok in practice is to just move ssh to a different TCP port, and -j DROP the unused ports.

Failproof? No, but it reduces the noise tremendously. If the script kiddies learn the new port (unlikely), either move it to another port, or apply one of the other methods already recommended in this thread.

--
Florin Andrei
http://florin.myip.org/
Re: [CentOS] Ideas for stopping ssh brute force attacks
On Wed, July 23, 2008 12:25, Nifty Cluster Mitch wrote:
> I like 'denyhosts' as a tool to limit these attacks, other good solutions
> also exist. Most distros now have 'denyhosts' as a prebuilt RPM which
> is a plus IMO (+). As others remarked disable root logins. Manage the
> 'su, sudo' list with care and populate the illegal user list aggressively
> based on the attack list observed in the logs. Users with su, sudo
> privilege should be limited to those that use sshkey login and understand
> what a strong password is.

Denyhosts has some interesting intelligence; I'm particularly pleased by the bit where it notifies me of dodgy logins (success after some failures). I also wonder what's being done to limit the denial-of-service possibilities of the "synchronization" mode.

(*I* have added lines to /etc/hosts.allow to let key people in via SSH from their home and personal servers even if those addresses end up in hosts.deny.)

(And there's a denyhost rpm in, hmm, I think 'rf' is the rpmforge repository for Centos.)

I've been playing for years at a set of services to create firewall blocking commands based on attacks; delivery of email to spamtrap addresses, probes to closed ports, failed logins, etc. Studying the data, it looks like multiple copies of spam delivered to my host often come from different IPs, though (makes sense with botnets); that sort of information has led me to be less aggressive about getting a system actually running. The SSH attacks I've seen currently *do* seem to come in series from the same IP, so blocking that has at least some benefit (mostly cleaning up my logs I suspect).

--
David Dyer-Bennet, [EMAIL PROTECTED]; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info
Re: [CentOS] Ideas for stopping ssh brute force attacks
On Tue, Jul 22, 2008 at 10:16:44AM -0500, David Dyer-Bennet wrote:
> On Tue, July 22, 2008 09:34, Rudi Ahlers wrote:
>
> > By changing the ports on all our servers to a high (above 1024) port, we
> > have eliminated SSH scans altogether - been running like that for a few
> > years now without any problems.
> .
>
> On the other hand, why are people so worried about SSH scans? I'm worried
> about who actually gets in, not who connects to the port. Strong password
> quality enforcement, or maybe requiring public-key authentication, seem
> like a more useful response.

For me it is signal to noise ratio. The longer the password file (valid users) the longer the list of connections and corresponding events (good and bad) that needs to be watched. Switching to another port with a large user community requires that the entire community be informed, configured and supported.

I like 'denyhosts' as a tool to limit these attacks, other good solutions also exist. Most distros now have 'denyhosts' as a prebuilt RPM which is a plus IMO (+). As others remarked disable root logins. Manage the 'su, sudo' list with care and populate the illegal user list aggressively based on the attack list observed in the logs. Users with su, sudo privilege should be limited to those that use sshkey login and understand what a strong password is.

Later,
mitch

(+) a prebuilt RPM does present the issue that any flaw in the prebuilt can be widely exploited. As such updates should be watched for, tested and deployed promptly.

--
T o m M i t c h e l l
Looking for a place to hang my hat :-(
Re: [CentOS] Ideas for stopping ssh brute force attacks
On Tue, July 22, 2008 16:45, Les Bell wrote:
> Moving sshd to a non-standard port is one of the worst examples of relying
> on security by obscurity. Its only advantage is that it cuts out some noise
> in the logs, but proper precautions do that as well, without lulling you
> into a false sense of security.

I think you've put your finger on a key point here -- what most people really want here is a reduction in log noise. I'd suggest the best way to achieve that is to not display SSH logon failures :-). If you instead scan the *successes*, you're much more likely to actually spot any problem that occurs.

--
David Dyer-Bennet, [EMAIL PROTECTED]; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info
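Mitch's denyhosts remark earlier in the thread (a success after some failures is the interesting event) and the suggestion here to scan the successes rather than the failures both come down to the same log analysis. The following is an added example, not code from anyone in the thread: plain sh and awk over constructed sshd log lines in /var/log/secure format (the addresses and user names are made up), reporting successful logins, successes preceded by failures from the same source, and the noisiest sources.

```shell
#!/bin/sh
# Added example: pull authentication events out of sshd log lines and
# report the cases the thread cares about. SAMPLE_LOG is constructed data
# in /var/log/secure format; on a real host you would feed the log file in.

SAMPLE_LOG='Jul 22 09:12:01 web1 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 40210 ssh2
Jul 22 09:12:04 web1 sshd[2203]: Failed password for invalid user appuser from 198.51.100.7 port 40215 ssh2
Jul 22 09:12:09 web1 sshd[2205]: Failed password for root from 198.51.100.7 port 40221 ssh2
Jul 22 09:12:15 web1 sshd[2207]: Accepted password for bob from 198.51.100.7 port 40230 ssh2
Jul 22 09:30:44 web1 sshd[2300]: Accepted publickey for alice from 203.0.113.5 port 51000 ssh2
Jul 22 09:41:02 web1 sshd[2350]: Failed password for invalid user nobody from 192.0.2.9 port 33001 ssh2
Jul 22 09:41:06 web1 sshd[2352]: Failed password for invalid user oracle from 192.0.2.9 port 33004 ssh2'

# Core parser: reads sshd log lines on stdin and emits one record per
# authentication event: "<Accepted|Failed> <user> <ip> <method>".
# Handles both "for NAME from IP" and "for invalid user NAME from IP".
parse_auth_events() {
    awk '
        # index of the field following "word", or 0 if absent
        function after(word,   i) { for (i = 1; i <= NF; i++) if ($i == word) return i + 1; return 0 }
        $5 ~ /^sshd\[[0-9]+\]:$/ && ($6 == "Accepted" || $6 == "Failed") {
            u = after("for"); if ($u == "invalid") u += 2
            print $6, $u, $(after("from")), $7
        }'
}

# Successful logins only, "user ip method": the list worth reading daily.
successful_logins() {
    parse_auth_events | awk '$1 == "Accepted" { print $2, $3, $4 }'
}

# Successes preceded by failures from the same source, "user ip nfail":
# the "dodgy login" case a tool like denyhosts notifies about.
dodgy_logins() {
    parse_auth_events | awk '
        $1 == "Failed" { fails[$3]++ }
        $1 == "Accepted" && fails[$3] > 0 { print $2, $3, fails[$3] }'
}

# Sources with at least $1 failures (default 3), "ip count", sorted so the
# output is stable; a candidate list for hosts.deny or a firewall rule.
noisy_sources() {
    parse_auth_events | awk -v min="${1:-3}" '
        $1 == "Failed" { fails[$3]++ }
        END { for (ip in fails) if (fails[ip] >= min) print ip, fails[ip] }' | sort
}

# Demonstration on the constructed sample
echo "successful logins:";  printf '%s\n' "$SAMPLE_LOG" | successful_logins
echo "success after failures:"; printf '%s\n' "$SAMPLE_LOG" | dodgy_logins
echo "sources with >= 3 failures:"; printf '%s\n' "$SAMPLE_LOG" | noisy_sources 3
```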
Re: [CentOS] Ideas for stopping ssh brute force attacks
On Mon, Jul 21, 2008 at 04:43:11PM -0400, Bo Lynch wrote:
> just wanted to get some feedback from the community. Over the last few
> days I have noticed my web server and email box have attempted to ssh'd to
> using weird names like admin,appuser,nobody,etc None of these are
> valid users. I know that I can block sshd all together with iptables but
> that will not work for us. I did a little research on google and found
> programs like sshguard and sshdfilter. Just wanted to know if anyone had
> any experience with anything like these programs or have any other advice.
> I really appreciate it.

If you have a web server on the same system, you can use php and tcp wrappers to restrict ssh inbound traffic to known systems, plus give you a back-door key to permit yourself access from arbitrary systems on the internet.

http://wiki.xdroop.com/space/Linux/Limited+SSH+Access

--
/\oo/\
/ /()\ \
David Mackintosh | [EMAIL PROTECTED] | http://www.xdroop.com
Re: [CentOS] Ideas for stopping ssh brute force attacks
Ned Slider wrote:
[snip]
> I don't think anyone is suggesting running SSH on a non-standard port as
> a sole means of defence, but rather as part of a layered approach where it
> is very effective in what it is designed to do - namely to vastly reduce
> the number of random brute-forcing attempts and concomitant noise in log
> files not to mention reducing the overall load on other mechanisms of
> defence such as firewall scripts etc.
>
> Moreover, rate limiting is not as effective as it used to be as there is
> now evidence that attackers are using distributed methods of attack
> utilizing multiple random IP addresses that circumnavigate defences that
> rely on attacks originating from a single IP address. Studies suggest
> attackers will try a handful of common account names/passwords and then
> move on as that's what yields the highest returns for them.
>
> We should also remember that public/private key authentication is only as
> secure as the host the private key is stored on when keys without
> passphrases are employed (all too common where users don't want to trade
> using a password for a passphrase). If a user account gets hacked then the
> keys to the kingdom are there for the taking and the hacker has instant
> access to any SSH servers which employ public/private key authentication
> (without passphrases).

Indeed. And with keyloggers or social eng, passphrases get stolen too. (And trojans can also connect from the same client if an agent is running.) So don't trust users too much...

> A useful additional layer of defence, if you want it, is a daemon that
> will watch for port scans on the simple services ports and immediately
> insert a firewall rule to block that source - such as the old PortSentry,
> if you can find it, or some more modern equivalent. Of course, this won't
> do much to defend against some types of stealthy scans, such as idle time
> scans.

One problem here is that you may block innocent clients in the case of IP spoofing. Better have a daemon that establishes tcp sessions before blocking.
Re: [CentOS] Ideas for stopping ssh brute force attacks
Ned Slider <[EMAIL PROTECTED]> wrote:

>>
I don't think anyone is suggesting running SSH on a non-standard port as a sole means of defence
<<

I should hope not, but the point does bear making.

>>
We should also remember that public/private key authentication is only as secure as the host the private key is stored on when keys without passphrases are employed (all too common where users don't want to trade using a password for a passphrase).
<<

Another good point. This is why I strongly recommend the use of ssh-agent (or Pageant for those with a Windows desktop) as a mechanism for minimising the inconvenience of constant prompting for a strong key passphrase. Of course, this has to be coupled with awareness of the need to lock the workstation or unload the keys when leaving the desk.

The other piece of the puzzle is agent forwarding, so that I only need to keep a private key on my workstation, even when logging in to a gateway machine and then to a server beyond it. The private key file is always under my local physical control - in fact, the truly paranoid can keep their private keys on a USB device or a smartcard.

Using this approach, I can sit at my university office desk, provide a passphrase once when loading a key into the ssh agent, and then connect through firewalls to machines in my home office, with no further prompting or inconvenience and very low probability of the private key being compromised.

Best,

--- Les Bell, RHCE, CISSP [http://www.lesbell.com.au]
Tel: +61 2 9451 1144
FreeWorldDialup: 800909
Re: [CentOS] Ideas for stopping ssh brute force attacks
Les Bell wrote:
> "David Dyer-Bennet" <[EMAIL PROTECTED]> wrote:
> >> Yes, but if there are *any* ports exposed, seems like those are equally possible. <<
>
> Sort of. Changing the port used by sshd stops the completely clueless
> script kiddies, since they don't even bother looking at anything other
> than port 22. Putting it way up high, among the ephemeral ports, will slow
> down the slightly more clueful who perform nmap scans, since nmap only
> scans around 1500 ports by default, and if sshd isn't running on one of
> those, they won't spot it.

Indeed. A relatively small botnet (~500 bots) can scan the complete IPv4 address space for a single port (port 22) in 24 hours so in theory any hacker with meagre resources could map every standard SSH installation on the internet in a single day. If you run SSH on port 22 it *will* get discovered and probed.

> However, it won't deter the intelligent or curious attacker; these guys
> will scan all ports (slowly, so you may not even notice them) and they
> will use banner enumeration to identify the services, rather than
> assuming.

Yes, moving SSH to a non-standard port will likely prevent the casual hacker looking for vulnerable installations but it won't protect against targeted attacks towards specific servers where a full scan is more likely to be performed.

> Moving sshd to a non-standard port is one of the worst examples of relying
> on security by obscurity. Its only advantage is that it cuts out some
> noise in the logs, but proper precautions do that as well, without lulling
> you into a false sense of security. Rate limiting, combined with
> enforcement of really strong passwords, or even better, public/private key
> authentication, is real security.

I don't think anyone is suggesting running SSH on a non-standard port as a sole means of defence, but rather as part of a layered approach where it is very effective in what it is designed to do - namely to vastly reduce the number of random brute-forcing attempts and concomitant noise in log files not to mention reducing the overall load on other mechanisms of defence such as firewall scripts etc.

Moreover, rate limiting is not as effective as it used to be as there is now evidence that attackers are using distributed methods of attack utilizing multiple random IP addresses that circumnavigate defences that rely on attacks originating from a single IP address. Studies suggest attackers will try a handful of common account names/passwords and then move on as that's what yields the highest returns for them.

We should also remember that public/private key authentication is only as secure as the host the private key is stored on when keys without passphrases are employed (all too common where users don't want to trade using a password for a passphrase). If a user account gets hacked then the keys to the kingdom are there for the taking and the hacker has instant access to any SSH servers which employ public/private key authentication (without passphrases).

> A useful additional layer of defence, if you want it, is a daemon that
> will watch for port scans on the simple services ports and immediately
> insert a firewall rule to block that source - such as the old PortSentry,
> if you can find it, or some more modern equivalent. Of course, this won't
> do much to defend against some types of stealthy scans, such as idle time
> scans.
>
> Best,
>
> --- Les Bell, RHCE, CISSP [http://www.lesbell.com.au]
> Tel: +61 2 9451 1144
> FreeWorldDialup: 800909
Re: [CentOS] Ideas for stopping ssh brute force attacks
Les Bell wrote:
> Sort of. Changing the port used by sshd stops the completely clueless
> script kiddies, since they don't even bother looking at anything other
> than port 22.

It's not even really script 'kiddies', it's virus/worms that are doing the vast majority of that hammering on port 22. And the worms are even stupider than the script kiddies.

OK, I suppose the script kiddies are the ones who wrote/released the worm in the first place, or whatever.
Re: [CentOS] Ideas for stopping ssh brute force attacks
"David Dyer-Bennet" <[EMAIL PROTECTED]> wrote:

>>
Yes, but if there are *any* ports exposed, seems like those are equally possible.
<<

Sort of. Changing the port used by sshd stops the completely clueless script kiddies, since they don't even bother looking at anything other than port 22. Putting it way up high, among the ephemeral ports, will slow down the slightly more clueful who perform nmap scans, since nmap only scans around 1500 ports by default, and if sshd isn't running on one of those, they won't spot it.

However, it won't deter the intelligent or curious attacker; these guys will scan all ports (slowly, so you may not even notice them) and they will use banner enumeration to identify the services, rather than assuming.

Moving sshd to a non-standard port is one of the worst examples of relying on security by obscurity. Its only advantage is that it cuts out some noise in the logs, but proper precautions do that as well, without lulling you into a false sense of security. Rate limiting, combined with enforcement of really strong passwords, or even better, public/private key authentication, is real security.

A useful additional layer of defence, if you want it, is a daemon that will watch for port scans on the simple services ports and immediately insert a firewall rule to block that source - such as the old PortSentry, if you can find it, or some more modern equivalent. Of course, this won't do much to defend against some types of stealthy scans, such as idle time scans.

Best,

--- Les Bell, RHCE, CISSP [http://www.lesbell.com.au]
Tel: +61 2 9451 1144
FreeWorldDialup: 800909
Re: [CentOS] Ideas for stopping ssh brute force attacks
Robert Moskowitz wrote:
> Rudi Ahlers wrote:
>> [EMAIL PROTECTED] wrote:
>>> On Tue, 22 Jul 2008 16:34:54 +0200 Rudi Ahlers <[EMAIL PROTECTED]> wrote:
>>>> Bowie Bailey wrote:
>>>>> Bo Lynch wrote:
>>>>>> just wanted to get some feedback from the community. Over the last
>>>>>> few days I have noticed my web server and email box have attempted
>>>>>> to ssh'd to using weird names like admin,appuser,nobody,etc
>>>>>> None of these are valid users. I know that I can block sshd all
>>>>>> together with iptables but that will not work for us. I did a
>>>>>> little research on google and found programs like sshguard and
>>>>>> sshdfilter. Just wanted to know if anyone had any experience with
>>>>>> anything like these programs or have any other advice. I really
>>>>>> appreciate it.
>>>>>
>>>>> The simplest thing is to change the port. I know it's "security
>>>>> through obscurity", but it works well and can be used along with
>>>>> whatever other security enhancements you care to use.
>>>>
>>>> By changing the ports on all our servers to a high (above 1024) port,
>>>> we have eliminated SSH scans altogether - been running like that for
>>>> a few years now without any problems.
>>>>
>>>> I also add a small script in /etc/profile to email me when someone
>>>> logs in via SSH, since only a few privileged ppl should use SSH
>>>> altogether
>>>
>>> Interesting idea with this script thing. Can you provide more details
>>> or the script?
>>
>> Yea, it's simple :)
>>
>> echo 'SSH (localhost.localdomain) on:' `date` `who` | mail -s "Alert: Access from `who | cut -d"(" -f2 | cut -d")" -f1`" [EMAIL PROTECTED]
>
> OK. A chance to learn some more for me. Is there a 'best' placement for
> this script in /etc/profile? Is localhost.localdomain a placeholder here
> for foo.bar.com?

I put stuff like that right at the end, and localhost.localdomain is basically the server's name, from where I copied this script, so replace that with my.linux.server.com - or whatever

--
Kind Regards
Rudi Ahlers
Check out my technical blog, http://blog.softdux.com for Linux or other technical stuff
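The /etc/profile one-liner quoted above mails the output of who(1), so it fires for every login shell (console and su included) and lists every open session rather than the one being opened. The added example below is my code, not Rudi's script: it keys off the SSH_CONNECTION variable that sshd sets for each session, so it only fires for SSH logins and reports that session's own source address; ALERT_TO is an assumed placeholder address.

```shell
#!/bin/sh
# Added example: SSH login notification hook for the end of /etc/profile.
# sshd exports SSH_CONNECTION as "client_ip client_port server_ip server_port"
# for every session it starts, so it identifies both that this is an SSH
# login and where it came from, without parsing who(1).
# ALERT_TO is a placeholder; set it to the address that should be alerted.

ALERT_TO="${ALERT_TO:-root@localhost}"

# Client address from an SSH_CONNECTION value. Returns 1 (prints nothing)
# when the shell was not started by sshd, e.g. a console or su login, or
# when the value does not have the four fields sshd writes.
ssh_client_ip() {
    conn="$1"
    [ -n "$conn" ] || return 1
    set -- $conn
    [ $# -eq 4 ] || return 1
    printf '%s\n' "$1"
}

# Subject line for the alert: "Alert: SSH login as USER from IP"
ssh_alert_subject() {
    printf 'Alert: SSH login as %s from %s\n' "$1" "$2"
}

# Body of the alert: host, time, user and source of this session only
ssh_alert_body() {
    user="$1"; ip="$2"; host="$3"; when="$4"
    printf 'SSH login on %s at %s\nuser: %s\nsource: %s\n' "$host" "$when" "$user" "$ip"
}

# Entry point for /etc/profile: silently does nothing unless this shell
# belongs to an SSH session. Falls back to printing the alert when no
# mail(1) is installed, so the hook never breaks a login.
notify_ssh_login() {
    ip=$(ssh_client_ip "${SSH_CONNECTION:-}") || return 0
    user=$(id -un)
    host=$(uname -n)
    when=$(date '+%Y-%m-%d %H:%M:%S %Z')
    subject=$(ssh_alert_subject "$user" "$ip")
    if command -v mail >/dev/null 2>&1; then
        ssh_alert_body "$user" "$ip" "$host" "$when" | mail -s "$subject" "$ALERT_TO"
    else
        printf '%s\n' "$subject"
        ssh_alert_body "$user" "$ip" "$host" "$when"
    fi
}

notify_ssh_login
```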
Re: [CentOS] Ideas for stopping ssh brute force attacks
Rudi Ahlers wrote:
> [EMAIL PROTECTED] wrote:
>> On Tue, 22 Jul 2008 16:34:54 +0200 Rudi Ahlers <[EMAIL PROTECTED]> wrote:
>>> Bowie Bailey wrote:
>>>> Bo Lynch wrote:
>>>>> just wanted to get some feedback from the community. Over the last
>>>>> few days I have noticed my web server and email box have attempted
>>>>> to ssh'd to using weird names like admin,appuser,nobody,etc
>>>>> None of these are valid users. I know that I can block sshd all
>>>>> together with iptables but that will not work for us. I did a
>>>>> little research on google and found programs like sshguard and
>>>>> sshdfilter. Just wanted to know if anyone had any experience with
>>>>> anything like these programs or have any other advice. I really
>>>>> appreciate it.
>>>>
>>>> The simplest thing is to change the port. I know it's "security
>>>> through obscurity", but it works well and can be used along with
>>>> whatever other security enhancements you care to use.
>>>
>>> By changing the ports on all our servers to a high (above 1024) port,
>>> we have eliminated SSH scans altogether - been running like that for
>>> a few years now without any problems.
>>>
>>> I also add a small script in /etc/profile to email me when someone
>>> logs in via SSH, since only a few privileged ppl should use SSH
>>> altogether
>>
>> Interesting idea with this script thing. Can you provide more details
>> or the script?
>
> Yea, it's simple :)
>
> echo 'SSH (localhost.localdomain) on:' `date` `who` | mail -s "Alert: Access from `who | cut -d"(" -f2 | cut -d")" -f1`" [EMAIL PROTECTED]

OK. A chance to learn some more for me. Is there a 'best' placement for this script in /etc/profile? Is localhost.localdomain a placeholder here for foo.bar.com?
Re: [CentOS] Ideas for stopping ssh brute force attacks
[EMAIL PROTECTED] wrote:
> On Tue, 22 Jul 2008 16:34:54 +0200 Rudi Ahlers <[EMAIL PROTECTED]> wrote:
>> Bowie Bailey wrote:
>>> Bo Lynch wrote:
>>>> just wanted to get some feedback from the community. Over the last
>>>> few days I have noticed my web server and email box have attempted
>>>> to ssh'd to using weird names like admin,appuser,nobody,etc
>>>> None of these are valid users. I know that I can block sshd all
>>>> together with iptables but that will not work for us. I did a
>>>> little research on google and found programs like sshguard and
>>>> sshdfilter. Just wanted to know if anyone had any experience with
>>>> anything like these programs or have any other advice. I really
>>>> appreciate it.
>>>
>>> The simplest thing is to change the port. I know it's "security
>>> through obscurity", but it works well and can be used along with
>>> whatever other security enhancements you care to use.
>>
>> By changing the ports on all our servers to a high (above 1024) port,
>> we have eliminated SSH scans altogether - been running like that for
>> a few years now without any problems.
>>
>> I also add a small script in /etc/profile to email me when someone
>> logs in via SSH, since only a few privileged ppl should use SSH
>> altogether
>
> Interesting idea with this script thing. Can you provide more details
> or the script?

Yea, it's simple :)

echo 'SSH (localhost.localdomain) on:' `date` `who` | mail -s "Alert: Access from `who | cut -d"(" -f2 | cut -d")" -f1`" [EMAIL PROTECTED]

--
Kind Regards
Rudi Ahlers
Check out my technical blog, http://blog.softdux.com for Linux or other technical stuff
Re: [CentOS] Ideas for stopping ssh brute force attacks
On Tue, July 22, 2008 11:57, MHR wrote:
> On Tue, Jul 22, 2008 at 8:16 AM, David Dyer-Bennet <[EMAIL PROTECTED]> wrote:
>>
>> The next step up from that is some form of "port knocking" scheme -- where
>> the outsider must first attempt to connect to some particular *other* port
>> to trigger ssh to be ready to listen on the (non-standard) SSH port.
>>
>> On the other hand, why are people so worried about SSH scans? I'm worried
>> about who actually gets in, not who connects to the port. Strong password
>> quality enforcement, or maybe requiring public-key authentication, seem
>> like a more useful response. (I'm seeing a lot of failed ssh connects
>> myself right now. Another system here has been blocking every /24 we get
>> a failed connect from, with the result that they had to add a special rule
>> to let my home systems log in! This could easily result in my being
>> unable to get in from arbitrary locations in the field in an emergency,
>> which seems not good.)
>
> You have, perhaps, heard of denial-of-service attacks?

Yes, but if there are *any* ports exposed, seems like those are equally possible. For that matter, if my ports were all closed, they could still be sending enough packets up my link that I was DOSed pretty much into oblivion.

--
David Dyer-Bennet, [EMAIL PROTECTED]; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info
Re: [CentOS] Ideas for stopping ssh brute force attacks
On Tue, Jul 22, 2008 at 8:16 AM, David Dyer-Bennet <[EMAIL PROTECTED]> wrote:
>
> The next step up from that is some form of "port knocking" scheme -- where
> the outsider must first attempt to connect to some particular *other* port
> to trigger ssh to be ready to listen on the (non-standard) SSH port.
>
> On the other hand, why are people so worried about SSH scans? I'm worried
> about who actually gets in, not who connects to the port. Strong password
> quality enforcement, or maybe requiring public-key authentication, seem
> like a more useful response. (I'm seeing a lot of failed ssh connects
> myself right now. Another system here has been blocking every /24 we get
> a failed connect from, with the result that they had to add a special rule
> to let my home systems log in! This could easily result in my being
> unable to get in from arbitrary locations in the field in an emergency,
> which seems not good.)

You have, perhaps, heard of denial-of-service attacks?

mhr
Re: [CentOS] Ideas for stopping ssh brute force attacks
On Tue, 22 Jul 2008 16:34:54 +0200 Rudi Ahlers <[EMAIL PROTECTED]> wrote:

> Bowie Bailey wrote:
> > Bo Lynch wrote:
> >
> >> just wanted to get some feedback from the community. Over the last
> >> few days I have noticed my web server and email box have attempted
> >> to ssh'd to using weird names like admin,appuser,nobody,etc
> >> None of these are valid users. I know that I can block sshd all
> >> together with iptables but that will not work for us. I did a
> >> little research on google and found programs like sshguard and
> >> sshdfilter. Just wanted to know if anyone had any experience with
> >> anything like these programs or have any other advice. I really
> >> appreciate it.
> >
> > The simplest thing is to change the port. I know it's "security
> > through obscurity", but it works well and can be used along with
> > whatever other security enhancements you care to use.
> >
> >
> By changing the ports on all our servers to a high (above 1024) port,
> we have eliminated SSH scans altogether - been running like that for
> a few years now without any problems.
>
> I also add a small script in /etc/profile to email me when someone
> logs in via SSH, since only a few privileged ppl should use SSH
> altogether
>

Interesting idea with this script thing. Can you provide more details or the script?
Re: [CentOS] Ideas for stopping ssh brute force attacks
On Tue, July 22, 2008 09:34, Rudi Ahlers wrote:
> By changing the ports on all our servers to a high (above 1024) port, we
> have eliminated SSH scans altogether - been running like that for a few
> years now without any problems.

The next step up from that is some form of "port knocking" scheme -- where the outsider must first attempt to connect to some particular *other* port to trigger ssh to be ready to listen on the (non-standard) SSH port.

On the other hand, why are people so worried about SSH scans? I'm worried about who actually gets in, not who connects to the port. Strong password quality enforcement, or maybe requiring public-key authentication, seem like a more useful response. (I'm seeing a lot of failed ssh connects myself right now. Another system here has been blocking every /24 we get a failed connect from, with the result that they had to add a special rule to let my home systems log in! This could easily result in my being unable to get in from arbitrary locations in the field in an emergency, which seems not good.)

--
David Dyer-Bennet, [EMAIL PROTECTED]; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info
Re: [CentOS] Ideas for stopping ssh brute force attacks
Bowie Bailey wrote:
> Bo Lynch wrote:
>> just wanted to get some feedback from the community. Over the last few
>> days I have noticed my web server and email box have attempted to ssh'd to
>> using weird names like admin,appuser,nobody,etc None of these are
>> valid users. I know that I can block sshd all together with iptables but
>> that will not work for us. I did a little research on google and found
>> programs like sshguard and sshdfilter. Just wanted to know if anyone had
>> any experience with anything like these programs or have any other advice.
>> I really appreciate it.
>
> The simplest thing is to change the port. I know it's "security through
> obscurity", but it works well and can be used along with whatever other
> security enhancements you care to use.

By changing the ports on all our servers to a high (above 1024) port, we have eliminated SSH scans altogether - been running like that for a few years now without any problems.

I also add a small script in /etc/profile to email me when someone logs in via SSH, since only a few privileged ppl should use SSH altogether

--
Kind Regards
Rudi Ahlers
Check out my technical blog, http://blog.softdux.com for Linux or other technical stuff
Re: [CentOS] Ideas for stopping ssh brute force attacks
On Tue, Jul 22, 2008 at 12:12 AM, Guy Boisvert <[EMAIL PROTECTED]> wrote:
> Michael Gabriel wrote:
>>
>> just wanted to get some feedback from the community. Over the last few
>> days I have noticed my web server and email box have attempted to ssh'd to
>> using weird names like admin,appuser,nobody,etc None of these are
>> valid users. I know that I can block sshd all together with iptables but
>> that will not work for us. I did a little research on google and found
>> programs like sshguard and sshdfilter. Just wanted to know if anyone had
>> any experience with anything like these programs or have any other advice.
>> I really appreciate it.
>>
>
> I don't know if anybody on this list tried SPA (Single Packet
> Authorization):
>
> http://www.linuxjournal.com/article/9565
>
>
> As another person mentioned earlier, the idea of using VPN is very good.
>
> I use pfSense and the VPN server inside gives the connecting user an address
> on a virtual subnet. Each user is given a distinct fixed ip address. Then
> it's easy to setup firewall rules based on what you allow the user to do. I
> do 10 Mbps symmetric with a "recycled" 1U Dell PowerEdge 350 (PIII/800, 512
> Megs RAM). We do QoS (we have 1 WME Streaming Server, 1 Darwin Streaming On
> Demand Server, FTP, DNS, SMTP, etc). The CPU usage is very low. I love
> pfSense a lot. The only thing i struggled a little was when i tried to
> authenticate the user with Active Directory (M$ IAS = RADIUS). It works but
> i have yet to find a way to assign a fixed address to each user. I can do
> this if i use pfSense integrated user manager (for VPN).
>
> In another place, i use a CentOS box as a remote gateway using SSH. I
> changed the SSH Port, use DenyHost, force SSH V2 and forbid password login
> (SSH Key login mandatory). I even got a VBS script for our Winblows users
> that uses plink (member of the PuTTY Family) to connect, authenticate with
> keys and launch RDP Terminal to connect to the Winblows Terminal Server (all
> this automated). The only prompt the user has is for entering his remote
> login name (the user must know it or the connection will be refused).
>
> I did an installer (with Nullsoft's NSIS) so allowed Winblows users can
> install easily all this: The installer creates icons, protect SSH keys (NTFS
> Encryption), etc... The installer is protected by a password.

How do you get the keys to the server the first time after they're generated? It's kind of the chicken and an egg problem without the password authentication -- that's why I still have passwords turned on (but require __very__ strong passwords.)
Re: [CentOS] Ideas for stopping ssh brute force attacks
Michael Gabriel wrote:
> just wanted to get some feedback from the community. Over the last few
> days I have noticed my web server and email box have attempted to ssh'd to
> using weird names like admin,appuser,nobody,etc None of these are
> valid users. I know that I can block sshd all together with iptables but
> that will not work for us. I did a little research on google and found
> programs like sshguard and sshdfilter. Just wanted to know if anyone had
> any experience with anything like these programs or have any other advice.
> I really appreciate it.

I don't know if anybody on this list tried SPA (Single Packet Authorization):

http://www.linuxjournal.com/article/9565

As another person mentioned earlier, the idea of using VPN is very good.

I use pfSense and the VPN server inside gives the connecting user an address on a virtual subnet. Each user is given a distinct fixed ip address. Then it's easy to set up firewall rules based on what you allow the user to do. I do 10 Mbps symmetric with a "recycled" 1U Dell PowerEdge 350 (PIII/800, 512 Megs RAM). We do QoS (we have 1 WME Streaming Server, 1 Darwin Streaming On Demand Server, FTP, DNS, SMTP, etc). The CPU usage is very low. I love pfSense a lot. The only thing I struggled a little with was when I tried to authenticate the user with Active Directory (M$ IAS = RADIUS). It works but I have yet to find a way to assign a fixed address to each user. I can do this if I use pfSense's integrated user manager (for VPN).

In another place, I use a CentOS box as a remote gateway using SSH. I changed the SSH port, use DenyHosts, force SSH V2 and forbid password login (SSH key login mandatory). I even got a VBS script for our Winblows users that uses plink (member of the PuTTY family) to connect, authenticate with keys and launch RDP Terminal to connect to the Winblows Terminal Server (all this automated). The only prompt the user has is for entering his remote login name (the user must know it or the connection will be refused).

I did an installer (with Nullsoft's NSIS) so allowed Winblows users can install all this easily: the installer creates icons, protects SSH keys (NTFS encryption), etc... The installer is protected by a password.

Hope this helped!

Guy Boisvert, ing.
IngTegration inc.
Re: [CentOS] Ideas for stopping ssh brute force attacks
On Mon, Jul 21, 2008, John R Pierce wrote:
> Bo Lynch wrote:
>> we have been looking at implementing OpenVPN to allow access to the
>> internal LAN. For a firewall, we basically have iptables with 2 nics doing
>> NAT. So would the OpenVPN server live inside of our private network and
>> just do some forwards with iptables on the firewall or would it be better
>> to implement it by itself with 2 nics, one on the public and one on
>> the private?
>
> openvpn uses a simple TCP socket for its transport, so sure, port
> forwarding would work fine. Or run it ON your firewall server, if
> that's something which openvpn can run on (pfsense, any linux firewall,
> etc).

Actually the public interface with OpenVPN is udp by default. We have been using it for a while now with a variety of clients, Windows, Mac OS X, and other Linux boxen.

Bill
--
INTERNET: [EMAIL PROTECTED] Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676 Mercer Island, WA 98040-0820
Fax: (206) 232-9186

A paranoid is a man who knows a little of what's going on. -- William S. Burroughs
Re: [CentOS] Ideas for stopping ssh brute force attacks
Bo Lynch wrote:
> we have been looking at implementing OpenVPN to allow access to the
> internal LAN. For a firewall, we basically have iptables with 2 nics doing
> NAT. So would the OpenVPN server live inside of our private network and
> just do some forwards with iptables on the firewall or would it be better
> to implement it by itself with 2 nics, one on the public and one on
> the private?

openvpn uses a simple TCP socket for its transport, so sure, port forwarding would work fine. Or run it ON your firewall server, if that's something which openvpn can run on (pfsense, any linux firewall, etc).
Re: [CentOS] Ideas for stopping ssh brute force attacks
On Mon, July 21, 2008 6:47 pm, Bill Campbell wrote:
> On Tue, Jul 22, 2008, D Steward wrote:
>> On Mon, 2008-07-21 at 17:09 -0500, Tim Nelson wrote:
>>> When using denyhosts, you'll want to keep your IP's in hosts.allow so
>>> even if you're "banned" you can still get access. :-)
>>
>> Yup.
>> Unfortunately, my ISP's plan uses dynamic IPs, so I have to enter
>> various subnets to stay safe. :(
>
> If you do not allow password authentication and use good pass
> phrases on your identity, the only thing really gained by
> restricting on IP ranges is restricting the number of reject
> messages in your log files. The fail2ban program does a nice job
> of limiting the number of rejection messages in the logs.
>
> Another possibility is to set up OpenVPN on your system, which
> authenticates on ssl certificates and works nicely even from
> dynamic IPs behind NAT. Then you can ssh into the private LAN
> behind your firewall via OpenVPN.
>
> Bill
> --
> INTERNET: [EMAIL PROTECTED] Bill Campbell; Celestial Software LLC
> URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
> Voice: (206) 236-1676 Mercer Island, WA 98040-0820
> Fax: (206) 232-9186
>
> Foreign aid might be defined as a transfer from poor people in rich
> countries to rich people in poor countries -- Douglas Casey

Bill, we have been looking at implementing OpenVPN to allow access to the internal LAN. For a firewall, we basically have iptables with 2 nics doing NAT. So would the OpenVPN server live inside of our private network and just do some forwards with iptables on the firewall or would it be better to implement it by itself with 2 nics, one on the public and one on the private?
Re: [CentOS] Ideas for stopping ssh brute force attacks
Pfsense rules... in my humble opinion, it does the job better than iptables. And like John said it can be easily configured via web.

--
"It is human nature to think wisely and act in an absurd fashion."
"Todo el desorden del mundo proviene de las profesiones mal o mediocremente servidas"
Re: [CentOS] Ideas for stopping ssh brute force attacks
nate wrote:
> I don't like/use OpenBSD for anything other than firewalls. But I do
> think as a firewall, pf really can't be beat, the configuration for
> typical rules just 'flows'. IPTables by comparison is so cryptic.
> (speaking as a past user of ipfwadm, ipfw, ipchains, iptables, pf, and
> Cisco PIX, which is probably the worst of the ones I've used).

While I haven't personally used this, I've heard enough good things about it from folks I know and trust that I'll stick in a mention of pfSense...

pfSense is a turnkey BSD hybrid, which uses FreeBSD's kernel with OpenBSD's pf, all wrapped up in a nice easy to use web interface (and you can still get into the shell and manipulate the pf scripts directly). It's optimized so it can run off as little as a 128MB flash card (CF).
Re: [CentOS] Ideas for stopping ssh brute force attacks
Bo Lynch wrote:
> just wanted to get some feedback from the community. Over the last few
> days I have noticed my web server and email box have attempted to ssh'd to
> using weird names like admin,appuser,nobody,etc None of these are
> valid users. I know that I can block sshd all together with iptables but
> that will not work for us. I did a little research on google and found
> programs like sshguard and sshdfilter. Just wanted to know if anyone had
> any experience with anything like these programs or have any other advice.
> I really appreciate it.

I have moved sshd to a different port number.
Re: [CentOS] Ideas for stopping ssh brute force attacks
D Steward wrote:
> Because I don't believe a solution such as fail2ban will scale (it can't
> be healthy having tens of thousands of IPs in iptables), I use denyhosts

Wherever possible I use layer 2 bridging OpenBSD firewalls in front of my networks. I don't have a problem with brute force attacks but it seems it can scale to tens of thousands of IPs without a problem. I'm not sure if iptables has similar capabilities or not --

http://www.openbsd.org/faq/pf/tables.html

"[..]Lookups against a table are very fast and consume less memory and processor time than lists. For this reason, a table is ideal for holding a large group of addresses as the lookup time on a table holding 50,000 addresses is only slightly more than for one holding 50 addresses"

And the pf equivalent to the iptables throttling:

http://www.openbsd.org/faq/pf/filter.html

An example (the table name is written <bruteforce> in the FAQ; the angle brackets were lost in the archive):

table <bruteforce> persist
block in quick from <bruteforce>
pass in on $ext_if proto tcp to $web_server \
    port www flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <bruteforce> flush)

This does the following:

* Limits the maximum number of connections per source to 100
* Rate limits the number of connections to 15 in a 5 second span
* Puts the IP address of any host that breaks these limits into the <bruteforce> table
* For any offending IP addresses, flush any states created by this rule.

---

I don't like/use OpenBSD for anything other than firewalls. But I do think as a firewall, pf really can't be beat, the configuration for typical rules just 'flows'. IPTables by comparison is so cryptic. (speaking as a past user of ipfwadm, ipfw, ipchains, iptables, pf, and Cisco PIX, which is probably the worst of the ones I've used).

I use linux pretty much everywhere else other than firewalls. Even my preferred network gear - load balancers and switches - run linux (commercial variants).

nate
Re: [CentOS] Ideas for stopping ssh brute force attacks
On Tue, Jul 22, 2008, D Steward wrote:
> On Mon, 2008-07-21 at 17:09 -0500, Tim Nelson wrote:
>> When using denyhosts, you'll want to keep your IP's in hosts.allow so even
>> if you're "banned" you can still get access. :-)
>
> Yup.
> Unfortunately, my ISP's plan uses dynamic IPs, so I have to enter
> various subnets to stay safe. :(

If you do not allow password authentication and use good pass phrases on your identity, the only thing really gained by restricting on IP ranges is restricting the number of reject messages in your log files. The fail2ban program does a nice job of limiting the number of rejection messages in the logs.

Another possibility is to set up OpenVPN on your system, which authenticates on ssl certificates and works nicely even from dynamic IPs behind NAT. Then you can ssh into the private LAN behind your firewall via OpenVPN.

Bill
--
INTERNET: [EMAIL PROTECTED] Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676 Mercer Island, WA 98040-0820
Fax: (206) 232-9186

Foreign aid might be defined as a transfer from poor people in rich countries to rich people in poor countries -- Douglas Casey
Re: [CentOS] Ideas for stopping ssh brute force attacks
On Mon, 2008-07-21 at 17:09 -0500, Tim Nelson wrote:
> When using denyhosts, you'll want to keep your IP's in hosts.allow so even if
> you're "banned" you can still get access. :-)

Yup.
Unfortunately, my ISP's plan uses dynamic IPs, so I have to enter various subnets to stay safe. :(
Re: [CentOS] Ideas for stopping ssh brute force attacks
When using denyhosts, you'll want to keep your IP's in hosts.allow so even if you're "banned" you can still get access. :-)

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105

- Original Message -
From: "D Steward" <[EMAIL PROTECTED]>
To: "CentOS mailing list"
Sent: Monday, July 21, 2008 5:05:13 PM GMT -06:00 Guadalajara / Mexico City / Monterrey
Subject: Re: [CentOS] Ideas for stopping ssh brute force attacks

Just one other thing: if you use a script, you need to be careful you don't accidentally ban your own IP (by entering a wrong password too many times) when accessing a remote server. :/
Re: [CentOS] Ideas for stopping ssh brute force attacks
Provided you have ssh set up to ensure that root cannot login directly and/or keys instead of passwords must be used, you aren't in much danger of being compromised. To ensure the logs are mostly kept clean however, you need yet another solution such as changing the port, port-knocking, or a script such as fail2ban, denyhosts and blockhosts.

fail2ban is a script which writes blacklisted IPs to iptables then denies them access to every service including ftp and http, not just ssh.

Because I don't believe a solution such as fail2ban will scale (it can't be healthy having tens of thousands of IPs in iptables), I use denyhosts on my servers and have done so successfully for the past 12 months. Denyhosts is a script which writes blacklisted IPs to hosts.deny, preventing them from accessing ssh as well as any other service which uses tcp wrappers. It has a truly wonderful feature where you can sync your results with a central server to share IPs for banning. This means my servers now have about 12000 IPs which are permanently blacklisted. There are just two disadvantages with denyhosts: with a large number of entries in hosts.deny, there is a noticeable delay (several seconds in my case) when logging in with ssh. And you can only deny requests which use tcp wrappers.

I've never used Blockhosts, but I believe it is similar to fail2ban, in that it can disallow blacklisted IPs from accessing any service, not just ssh.

Just one other thing: if you use a script, you need to be careful you don't accidentally ban your own IP (by entering a wrong password too many times) when accessing a remote server. :/

Whatever you decide to use, the more security you have, the more awkward it will be to access your own server/s.
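The two denyhosts points made above (it writes bans to hosts.deny, and Tim Nelson's advice to keep your own address in hosts.allow so a self-ban does not lock you out) both come down to how tcp wrappers evaluate the two files: hosts.allow is consulted first, the first matching line wins, hosts.deny is only consulted when nothing in hosts.allow matched, and a client matching neither file is allowed. The following is an added example, not code from the thread or from the denyhosts or tcp_wrappers projects: a small evaluator that applies those rules to constructed sample files. It understands only the subset of the syntax that matters here (daemon ALL or a name, client ALL, an exact address, or a trailing-dot prefix such as 10.0.0.); EXCEPT lists, netmasks and hostnames are not handled.

```shell
#!/bin/sh
# Added example: evaluate hosts.allow / hosts.deny the way tcpd does for a
# given daemon and client address. Both files below are constructed samples.

HOSTS_ALLOW=$(mktemp)
HOSTS_DENY=$(mktemp)
trap 'rm -f "$HOSTS_ALLOW" "$HOSTS_DENY"' EXIT

cat > "$HOSTS_ALLOW" <<'EOF'
# constructed: the admin's own address and the office LAN always get in
sshd: 198.51.100.7, 10.0.0.
EOF

cat > "$HOSTS_DENY" <<'EOF'
# constructed: what a log-driven banner such as denyhosts might have written,
# including the admin's own address after a few mistyped passwords
sshd: 198.51.100.7
sshd: 192.0.2.10
ALL: 203.0.113.
EOF

# tcpwrap_match FILE DAEMON CLIENT_IP -> exit 0 if any line in FILE matches.
# Supported patterns: daemon "ALL" or an exact name; client "ALL", an exact
# address, or a prefix ending in "." (tcpd's classic "10.0.0." form).
tcpwrap_match() {
    awk -v d="$2" -v ip="$3" '
        function cmatch(p) {
            return (p == "ALL" || p == ip || (p ~ /\.$/ && index(ip, p) == 1))
        }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blanks
        {
            n = split($0, part, ":")                     # daemon_list : client_list
            if (n < 2) next
            nd = split(part[1], ds, /[[:space:],]+/)
            dm = 0
            for (i = 1; i <= nd; i++) if (ds[i] == "ALL" || ds[i] == d) dm = 1
            if (!dm) next
            nc = split(part[2], cs, /[[:space:],]+/)
            for (i = 1; i <= nc; i++) if (cmatch(cs[i])) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# tcpwrap_decision DAEMON CLIENT_IP ALLOWFILE DENYFILE -> prints allow|deny.
# Order of evaluation is the important part: an allow entry beats any deny
# entry, and "no match anywhere" means allow.
tcpwrap_decision() {
    daemon=$1; client=$2; allow=$3; deny=$4
    if tcpwrap_match "$allow" "$daemon" "$client"; then
        echo allow
    elif tcpwrap_match "$deny" "$daemon" "$client"; then
        echo deny
    else
        echo allow
    fi
}

# Stand-alone demo: the self-banned admin still gets in, the scanner does not.
for client in 198.51.100.7 192.0.2.10 10.0.0.9 203.0.113.5; do
    echo "sshd from $client: $(tcpwrap_decision sshd "$client" "$HOSTS_ALLOW" "$HOSTS_DENY")"
done
```

The practical consequence for the setup described in the thread: an `sshd:` (or `ALL:`) line for your own management addresses in hosts.allow is what protects you from the "banned yourself by mistyping a password" case, and it does so regardless of how many thousand entries denyhosts has accumulated in hosts.deny. Note that the last line of the sample deny file uses `ALL:` and therefore affects every wrapped service for that prefix, not only sshd.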
Re: [CentOS] Ideas for stopping ssh brute force attacks
"Lanny Marcus" <[EMAIL PROTECTED]> wrote:
>> The above link is mostly dead. The data isn't there yet. <<

I did a write-up on generating SSH keys on both Windows and Linux, along with some additional tips on OpenSSH configuration. It's at

http://www.lesbell.com.au/Home.nsf/web/SSH+for+Server+Administration?OpenDocument

if anyone needs it.

Best,

--- Les Bell [http://www.lesbell.com.au]
Tel: +61 2 9451 1144
FreeWorldDialup: 800909
Re: [CentOS] Ideas for stopping ssh brute force attacks
> iptables -N SSHSCAN
> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN
> iptables -A SSHSCAN -m recent --set --name SSH
> iptables -A SSHSCAN -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP

hey, this is awesome. we're currently filtering log files looking for multiple failed connections, then adding them to iptables for a few minutes. this is much cleaner. :)

thanks.

--
Spiro Harvey
Knossos Networks Ltd
021-295-1923
www.knossos.net.nz
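Spiro's "filter the log for repeated failures, then block for a while" approach is also what fail2ban, denyhosts and blockhosts (discussed earlier in the thread) automate. As an added example, not code from the thread or from any of those tools, here is the core of that detection written as shell functions: count `Failed password` lines per source address in sshd's syslog output, apply a threshold, honour an allow list of addresses that must never be blocked (the self-ban problem raised above), and print, rather than run, the resulting firewall commands so an operator can review them first. The log lines, threshold and allow list are all constructed for the demo; `plan_bans` and the other function names are this example's own.

```shell
#!/bin/sh
# Added example: log-driven detection of ssh password brute forcing, in the
# style of fail2ban/denyhosts. All input below is constructed sample data.

SAMPLE_LOG=$(mktemp)
ALLOW_LIST=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$ALLOW_LIST"' EXIT

# Constructed /var/log/secure excerpt: one scanner trying invalid accounts,
# one admin who mistyped once and then logged in with a key, and one host
# hammering root. Addresses are from the documentation ranges.
cat > "$SAMPLE_LOG" <<'EOF'
Jul 21 15:01:02 web1 sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 40211 ssh2
Jul 21 15:01:05 web1 sshd[2203]: Failed password for invalid user appuser from 192.0.2.10 port 40212 ssh2
Jul 21 15:01:09 web1 sshd[2205]: Invalid user nobody from 192.0.2.10
Jul 21 15:01:09 web1 sshd[2205]: Failed password for invalid user nobody from 192.0.2.10 port 40213 ssh2
Jul 21 15:02:30 web1 sshd[2210]: Failed password for bo from 198.51.100.7 port 51000 ssh2
Jul 21 15:02:41 web1 sshd[2212]: Accepted publickey for bo from 198.51.100.7 port 51001 ssh2
Jul 21 15:03:00 web1 sshd[2214]: Failed password for root from 203.0.113.5 port 33000 ssh2
Jul 21 15:03:01 web1 sshd[2216]: Failed password for root from 203.0.113.5 port 33001 ssh2
Jul 21 15:03:02 web1 sshd[2218]: Failed password for root from 203.0.113.5 port 33002 ssh2
Jul 21 15:03:03 web1 sshd[2220]: Failed password for root from 203.0.113.5 port 33003 ssh2
EOF

# Constructed allow list, one exact address per line: the admin's workstation
# and a (hypothetical) office gateway whose users are expected to fat-finger
# passwords now and then. These must never be blocked automatically.
cat > "$ALLOW_LIST" <<'EOF'
198.51.100.7
203.0.113.5
EOF

# count_failed_logins LOGFILE -> "IP COUNT" per source, sorted by IP.
# Only sshd "Failed password" lines are counted; "Invalid user" lines are
# informational and would double-count the same attempt.
count_failed_logins() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print ip, n[ip] }' "$1" | sort
}

# offenders LOGFILE THRESHOLD ALLOWFILE -> addresses with >= THRESHOLD
# failures that are not listed (exactly) in ALLOWFILE.
offenders() {
    count_failed_logins "$1" | awk -v t="$2" -v allowfile="$3" '
        BEGIN { while ((getline l < allowfile) > 0) if (l != "" && l !~ /^#/) allowed[l] = 1 }
        $2 >= t && !($1 in allowed) { print $1 }'
}

# plan_bans LOGFILE THRESHOLD ALLOWFILE PORT -> prints the iptables commands
# a tool like fail2ban would run; nothing is executed here, by design.
plan_bans() {
    offenders "$1" "$2" "$3" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport %s -j DROP\n' "$ip" "$4"
    done
}

# Stand-alone demo: three failures in the window is the threshold used by
# the iptables "recent" rules quoted above.
echo "failures per source:"; count_failed_logins "$SAMPLE_LOG"
echo "planned bans (threshold 3, allow list honoured):"
plan_bans "$SAMPLE_LOG" 3 "$ALLOW_LIST" 22
```

Compared with the `-m recent` rules quoted above, this needs log parsing and a timer to lift the blocks again, which is exactly the machinery fail2ban provides; what it adds over the kernel-side rule is that it counts authentication failures rather than connection attempts, so a legitimate user who opens several sessions quickly is not affected, and the allow list gives an explicit place for the "never ban myself" addresses.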
Re: [CentOS] Ideas for stopping ssh brute force attacks
"Bo Lynch" <[EMAIL PROTECTED]> wrote:
>> Just wanted to know if anyone had any experience with anything like these programs or have any other advice. <<

No need for any add-ons. Just do two things:

1. Disable password logins. In /etc/ssh/sshd_config, add

PasswordAuthentication no

Now you will have to authenticate by private key, but that's always been the best idea, anyway. Now the script kiddies can bang on your system all day and they won't get anywhere.

2. If the bandwidth they're wasting continues to annoy you, then rate-limit connections to the ssh port. Using the default firewall config in /etc/sysconfig/iptables, add this:

# Rate limit connections to port 22 to slow SSH brute force attacks
-A INPUT -p tcp --dport 22 -i eth1 -m state --state NEW -m limit --limit 1/minute
-A INPUT -p tcp --dport 22 -i eth1 -m state --state NEW -m recent --set
-A INPUT -p tcp --dport 22 -i eth1 -m state --state NEW -m recent --update --seconds 180 --hitcount 3 -j DROP

Then restart the iptables service. That'll slow them right down, if they can even figure out what's going on.

Best,

--- Les Bell [http://www.lesbell.com.au]
Tel: +61 2 9451 1144
FreeWorldDialup: 800909
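Step 1 above has a trap that is easy to fall into: sshd takes the first uncommented occurrence of each keyword in sshd_config, so appending `PasswordAuthentication no` at the bottom of a file that already contains `PasswordAuthentication yes` higher up changes nothing, and the only visible symptom is that password prompts keep working. A related one is that with `UsePAM yes`, `ChallengeResponseAuthentication yes` still lets PAM prompt for a password over keyboard-interactive even when PasswordAuthentication is off. The following is an added example, not code from the thread or from OpenSSH: a resolver that reports the value sshd will actually use, and an audit that applies the checks this thread recommends (password logins off, challenge-response off, no direct root login, protocol 2 only) to two constructed config files. The function names and both sample files are this example's own; `Match` blocks are not handled.

```shell
#!/bin/sh
# Added example: resolve effective sshd_config values (first match wins) and
# audit the settings recommended in the thread. Config files are constructed.

STOCK_CONFIG=$(mktemp)
HARDENED_CONFIG=$(mktemp)
trap 'rm -f "$STOCK_CONFIG" "$HARDENED_CONFIG"' EXIT

# Constructed: a file where the admin appended the recommended line at the
# end without noticing the earlier "yes". sshd will use the earlier one.
cat > "$STOCK_CONFIG" <<'EOF'
Port 22
Protocol 2,1
#PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
# appended after reading the list; silently ignored because of the line above
PasswordAuthentication no
EOF

# Constructed: the same file after the earlier directives were fixed in place.
cat > "$HARDENED_CONFIG" <<'EOF'
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
EOF

# sshd_effective FILE KEYWORD DEFAULT -> prints the value sshd will use.
# Keywords are case-insensitive; "Key value" and "Key=value" both parse;
# the FIRST uncommented occurrence wins, as in sshd itself. When the keyword
# never appears, DEFAULT (the caller's idea of the compiled-in default) is
# printed instead. Match blocks are ignored.
sshd_effective() {
    file=$1; key=$2; default=$3
    val=$(awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }       # comments and blanks
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            sub(/[[:space:]]*=[[:space:]]*/, " ", line)    # Key=value -> Key value
            split(line, f, /[[:space:]]+/)
            if (tolower(f[1]) == tolower(key)) { print f[2]; exit }
        }' "$file")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# audit_sshd_config FILE -> one line per finding; returns 0 only when every
# check passes. The defaults passed in are those of a stock OpenSSH build.
audit_sshd_config() {
    file=$1; rc=0
    pw=$(sshd_effective "$file" PasswordAuthentication yes)
    cr=$(sshd_effective "$file" ChallengeResponseAuthentication yes)
    root=$(sshd_effective "$file" PermitRootLogin yes)
    proto=$(sshd_effective "$file" Protocol 2)
    port=$(sshd_effective "$file" Port 22)
    [ "$pw" = no ]   || { echo "FAIL: PasswordAuthentication is '$pw' (want no)"; rc=1; }
    [ "$cr" = no ]   || { echo "FAIL: ChallengeResponseAuthentication is '$cr'; PAM can still prompt for passwords"; rc=1; }
    [ "$root" = no ] || { echo "FAIL: PermitRootLogin is '$root' (want no)"; rc=1; }
    [ "$proto" = 2 ] || { echo "FAIL: Protocol is '$proto' (want 2 only)"; rc=1; }
    if [ "$port" = 22 ]; then
        echo "note: still listening on 22; a high port only cuts scanner noise"
    fi
    if [ "$rc" -eq 0 ]; then echo "ok: all checks pass"; fi
    return "$rc"
}

# Stand-alone demo.
echo "== appended-at-the-end config =="; audit_sshd_config "$STOCK_CONFIG" || true
echo "== fixed-in-place config ==";      audit_sshd_config "$HARDENED_CONFIG" || true
```

Run against a live system with `audit_sshd_config /etc/ssh/sshd_config`, then confirm from another terminal (before closing the one you are in) that a key login still works and `ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password` is refused; that end-to-end check, not the file contents, is the evidence that step 1 took effect.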
Re: [CentOS] Ideas for stopping ssh brute force attacks
Dan Carl wrote:
> Just change the default port.
> You can also limit the allowed knocks on the door with iptables, but changing
> the port is much easier.
> Cleans up the logs real nice.
> Dan

I'll second that. Combining that with the SSH iptables entries to limit the number of attempts will help as well. Those two actions will, effectively, make the brute force impossible.

--
Eucke
RE: [CentOS] Ideas for stopping ssh brute force attacks
Bo Lynch wrote:
> just wanted to get some feedback from the community. Over the last few
> days I have noticed my web server and email box have attempted to
> ssh'd to using weird names like admin,appuser,nobody,etc None of
> these are valid users. I know that I can block sshd all together with
> iptables but that will not work for us. I did a little research on
> google and found programs like sshguard and sshdfilter. Just wanted
> to know if anyone had any experience with anything like these
> programs or have any other advice. I really appreciate it.

The simplest thing is to change the port. I know it's "security through obscurity", but it works well and can be used along with whatever other security enhancements you care to use.

--
Bowie
Re: [CentOS] Ideas for stopping ssh brute force attacks
On Mon, Jul 21, 2008 at 4:08 PM, Lanny Marcus <[EMAIL PROTECTED]> wrote:
> On Mon, Jul 21, 2008 at 3:43 PM, Bo Lynch <[EMAIL PROTECTED]> wrote:
>> just wanted to get some feedback from the community. Over the last few
>> days I have noticed my web server and email box have attempted to ssh'd to
>> using weird names like admin,appuser,nobody,etc None of these are
>> valid users. I know that I can block sshd all together with iptables but
>> that will not work for us. I did a little research on google and found
>> programs like sshguard and sshdfilter. Just wanted to know if anyone had
>> any experience with anything like these programs or have any other advice.
>> I really appreciate it.
>
> Possibly begin by not allowing root access. Don't use passwords, use keys.
>
> http://wiki.centos.org/TipsAndTricks/SshTips/SshKeyAuthentication

The above link is mostly dead. The data isn't there yet.

http://wiki.centos.org/TipsAndTricks/BecomingRoot

if you can sudo into your servers, that might help. Also, use a different port. Many ways to skin a cat.
Re: [CentOS] Ideas for stopping ssh brute force attacks
Bo Lynch wrote:
> just wanted to get some feedback from the community. Over the last few
> days I have noticed my web server and email box have attempted to ssh'd to
> using weird names like admin,appuser,nobody,etc None of these are
> valid users. I know that I can block sshd all together with iptables but
> that will not work for us. I did a little research on google and found
> programs like sshguard and sshdfilter. Just wanted to know if anyone had
> any experience with anything like these programs or have any other advice.
> I really appreciate it.

There's a page on the Wiki with a few suggestions for hardening SSH:

http://wiki.centos.org/HowTos/Network/SecuringSSH

There are a number of measures you can take and employing a few in combination is always a good idea. Strong passwords are a must as is disabling root logins. Firewalling and/or key-based authentication with passwords disabled are great where that is possible. Moving SSH to a non-standard port will certainly reduce your levels of background noise but doesn't necessarily make your setup inherently more secure.

My personal opinion is that there is enough there to work with without having to resort to 3rd party add-ons :)
Re: [CentOS] Ideas for stopping ssh brute force attacks
On Mon, Jul 21, 2008 at 4:11 PM, Dan Carl <[EMAIL PROTECTED]> wrote:
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>> Behalf Of Bo Lynch
>> Sent: Monday, July 21, 2008 3:43 PM
>> To: centos@centos.org
>> Subject: [CentOS] Ideas for stopping ssh brute force attacks
>>
>> just wanted to get some feedback from the community. Over the last few
>> days I have noticed my web server and email box have attempted to ssh'd to
>> using weird names like admin,appuser,nobody,etc None of these are
>> valid users. I know that I can block sshd all together with iptables but
>> that will not work for us. I did a little research on google and found
>> programs like sshguard and sshdfilter. Just wanted to know if anyone had
>> any experience with anything like these programs or have any other advice.
>> I really appreciate it.
>>
>> --
>> Bo Lynch
>
> Just change the default port.
> You can also limit the allowed knocks on the door with iptables, but changing
> the port is much easier.
> Cleans up the logs real nice.
> Dan

PortKnocking - ports appear closed until the correct knock on the ports.
RE: [CentOS] Ideas for stopping ssh brute force attacks
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Behalf Of Bo Lynch
> Sent: Monday, July 21, 2008 3:43 PM
> To: centos@centos.org
> Subject: [CentOS] Ideas for stopping ssh brute force attacks
>
> just wanted to get some feedback from the community. Over the last few
> days I have noticed my web server and email box have attempted to ssh'd to
> using weird names like admin,appuser,nobody,etc None of these are
> valid users. I know that I can block sshd all together with iptables but
> that will not work for us. I did a little research on google and found
> programs like sshguard and sshdfilter. Just wanted to know if anyone had
> any experience with anything like these programs or have any other advice.
> I really appreciate it.
>
> --
> Bo Lynch

Just change the default port.
You can also limit the allowed knocks on the door with iptables, but changing the port is much easier.
Cleans up the logs real nice.
Dan
Re: [CentOS] Ideas for stopping ssh brute force attacks
On Mon, Jul 21, 2008 at 3:43 PM, Bo Lynch <[EMAIL PROTECTED]> wrote:
> just wanted to get some feedback from the community. Over the last few
> days I have noticed my web server and email box have attempted to ssh'd to
> using weird names like admin,appuser,nobody,etc None of these are
> valid users. I know that I can block sshd all together with iptables but
> that will not work for us. I did a little research on google and found
> programs like sshguard and sshdfilter. Just wanted to know if anyone had
> any experience with anything like these programs or have any other advice.
> I really appreciate it.

Possibly begin by not allowing root access. Don't use passwords, use keys.

http://wiki.centos.org/TipsAndTricks/SshTips/SshKeyAuthentication
Re: [CentOS] Ideas for stopping ssh brute force attacks
Bo Lynch wrote:
> just wanted to get some feedback from the community. Over the last few
> days I have noticed my web server and email box have attempted to ssh'd to
> using weird names like admin,appuser,nobody,etc None of these are
> valid users. I know that I can block sshd all together with iptables but
> that will not work for us. I did a little research on google and found
> programs like sshguard and sshdfilter. Just wanted to know if anyone had
> any experience with anything like these programs or have any other advice.
> I really appreciate it.

Perhaps some FAQs on SSH at the CentOS wiki will help you out too.

http://wiki.centos.org/HowTos/Network/SecuringSSH

Regards,
Max
Re: [CentOS] Ideas for stopping ssh brute force attacks
Easiest way with the CentOS on-board tools is the iptables recent module... simply limit the number of connections a host is allowed to the ssh port:

iptables -N SSHSCAN
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN
iptables -A SSHSCAN -m recent --set --name SSH
iptables -A SSHSCAN -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP

This limits each host to 3 connections within 5 minutes. Enough to make bots stop and still not too annoying for users that mistype their password 3x3 times.

On Mon, Jul 21, 2008 at 10:43 PM, Bo Lynch <[EMAIL PROTECTED]> wrote:
> just wanted to get some feedback from the community. Over the last few
> days I have noticed my web server and email box have attempted to ssh'd to
> using weird names like admin,appuser,nobody,etc None of these are
> valid users. I know that I can block sshd all together with iptables but
> that will not work for us. I did a little research on google and found
> programs like sshguard and sshdfilter. Just wanted to know if anyone had
> any experience with anything like these programs or have any other advice.
> I really appreciate it.
>
> --
> Bo Lynch
RE: [CentOS] Ideas for stopping ssh brute force attacks
I have been using fail2ban to limit the attacks. It works exactly as they advertise and I am happy with it.

--
Andrew

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Bo Lynch
> Sent: Monday, July 21, 2008 2:43 PM
> To: centos@centos.org
> Subject: [CentOS] Ideas for stopping ssh brute force attacks
>
> just wanted to get some feedback from the community. Over the last few
> days I have noticed my web server and email box have attempted to ssh'd to
> using weird names like admin,appuser,nobody,etc None of these are
> valid users. I know that I can block sshd all together with iptables but
> that will not work for us. I did a little research on google and found
> programs like sshguard and sshdfilter. Just wanted to know if anyone had
> any experience with anything like these programs or have any other advice.
> I really appreciate it.
>
> --
> Bo Lynch