Old 01-28-2009, 02:15 AM
Daniel Dalton
 
Default ssh howto for debian?

Hi,

Does anyone know of a howto for debian describing how to setup a home
ssh server (with sshd)?

Thanks,

Daniel.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 01-28-2009, 02:27 AM
Ron Johnson
 
Default ssh howto for debian?

On 01/27/2009 09:15 PM, Daniel Dalton wrote:

> Hi,
>
> Does anyone know of a howto for debian describing how to setup a home
> ssh server (with sshd)?


No need for a HOWTO (in Debian, at least).

Local host named "foo":
# apt-get install ssh

Remote system:
C: putty foo

--
Ron Johnson, Jr.
Jefferson LA USA

"I am not surprised, for we live long and are celebrated poopers."


 
Old 01-28-2009, 10:10 AM
"thveillon.debian"
 
Default ssh howto for debian?

Daniel Dalton wrote:
> Hi,
>
> Does anyone know of a howto for debian describing how to setup a home
> ssh server (with sshd)?
>
> Thanks,
>
> Daniel.
>
>
Hi,

While it's true that installing ssh is as simple as using aptitude, you
may find it useful to know a bit more:

http://www.howtoforge.com/set-up-ssh-with-public-key-authentication-debian-etch

If you use Putty on a windows client:

http://www.howtoforge.com/ssh_key_based_logins_putty


You can find many other tutorials regarding different aspects of the ssh
setup; this is just for the use of key based identification. Search
www.howtoforge.com for more.

Tom


 
Old 01-28-2009, 10:43 AM
Kevin Philp
 
Default ssh howto for debian?

thveillon.debian wrote:

> Daniel Dalton wrote:
> > Hi,
> >
> > Does anyone know of a howto for debian describing how to setup a home
> > ssh server (with sshd)?
> >
> > Thanks,
> >
> > Daniel.
>
> Hi,
>
> While it's true that installing ssh is as simple as using aptitude, you
> may find useful to know a bit more:
>
> http://www.howtoforge.com/set-up-ssh-with-public-key-authentication-debian-etch
>
> If you use Putty on a windows client:
>
> http://www.howtoforge.com/ssh_key_based_logins_putty
>
> You can find many other tutorials regarding different aspects of the ssh
> setup, this is just for the use of key based identification, search
> www.howtoforge.com for more.
>
> Tom



There are plenty of good notes, not all Debian specific but the
configuration is similar:


General setup
http://www.debianhelp.co.uk/ssh.htm
http://linuxmafia.com/pub/linux/suse-linux-internals/chapter13.html


Notes on security
https://help.ubuntu.com/community/AdvancedOpenSSH

The webmin module for SSH is very good and might help you understand
what you are doing better.


If you set up a home ssh server and expose it to the internet you will
get brute force password break in attempts so make sure you restrict who
can log in very tightly and deny root login access as a minimum. We also
block connections to our SSH port if someone connects more than a few
times in a ten minute period.
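
The restrictions recommended in the post above (no root login, a short list of permitted accounts), checked by a small shell audit. This is an added example, not part of the original post; the sample configurations and the account name "daniel" are constructed, and the parser assumes whitespace-separated "Keyword value" lines.

```shell
#!/bin/sh
# Print the value sshd would use for keyword $2 in config text $1.
# sshd matches keywords case-insensitively and keeps the FIRST occurrence;
# scanning stops at the first Match block, whose lines apply conditionally.
effective_value() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# Report findings for config text $1; return 0 only if nothing FAILs.
audit_sshd() {
    fails=0
    root=$(effective_value "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    if [ "$root" != "no" ]; then
        echo "FAIL PermitRootLogin is '${root:-unset}', expected 'no'"
        fails=$((fails + 1))
    fi
    allow="$(effective_value "$1" AllowUsers)$(effective_value "$1" AllowGroups)"
    if [ -z "$allow" ]; then
        echo "FAIL no AllowUsers/AllowGroups: logins are not limited to named accounts"
        fails=$((fails + 1))
    fi
    pw=$(effective_value "$1" PasswordAuthentication | tr 'A-Z' 'a-z')
    [ "$pw" = "no" ] || echo "WARN PasswordAuthentication is '${pw:-unset}': passwords can be guessed"
    [ "$fails" -eq 0 ]
}

# Constructed sample: the second PermitRootLogin line is ignored by sshd.
WEAK_CFG='Port 22
permitrootlogin yes
PermitRootLogin no
PasswordAuthentication yes'

# Constructed sample; "daniel" is a placeholder account name.
HARD_CFG='# hardened sample
PermitRootLogin no
AllowUsers daniel
PasswordAuthentication no
Match Address 192.168.100.0/24
    PasswordAuthentication yes'

echo "== weak sample ==";     audit_sshd "$WEAK_CFG" || echo "=> needs work"
echo "== hardened sample =="; audit_sshd "$HARD_CFG" && echo "=> ok"
```

To audit a real file, pass its text: audit_sshd "$(cat /etc/ssh/sshd_config)". On a live host, sshd -T prints the effective configuration, including defaults and included files that this parser does not follow.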



 
Old 01-28-2009, 01:35 PM
Raquel
 
Default ssh howto for debian?

On Wed, 28 Jan 2009 11:43:21 +0000
Kevin Philp <kevin@cybercolloids.net> wrote:

> If you set up a home ssh server and expose it to the internet you
> will get brute force password break in attempts so make sure you
> restrict who can log in very tightly and deny root login access as
> a minimum. We also block connections to our SSH port if someone
> connects more than a few times in a ten minute period.

A good package to install, to help with the brute force attacks is
fail2ban.

--
Raquel
http://www.byraquel.com
============================================================
America did not invent human rights. In a very real sense, it is the
other way around. Human rights invented America.

--Jimmy Carter


 
Old 01-28-2009, 02:00 PM
Kevin Philp
 
Default ssh howto for debian?

Raquel wrote:

> On Wed, 28 Jan 2009 11:43:21 +0000
> Kevin Philp <kevin@cybercolloids.net> wrote:
>
> > If you set up a home ssh server and expose it to the internet you
> > will get brute force password break in attempts so make sure you
> > restrict who can log in very tightly and deny root login access as
> > a minimum. We also block connections to our SSH port if someone
> > connects more than a few times in a ten minute period.
>
> A good package to install, to help with the brute force attacks is
> fail2ban.



Even easier and better add the following to your iptables firewall. This
monitors your connections to the ssh port and drops the connection if
they try more than 4 connections in 10 minutes. I have been using this
for a while - works a treat.


references at :

http://www.la-samhna.de/library/brutessh.html
http://www.ducea.com/2006/06/28/using-iptables-to-block-brute-force-attacks/

# $EXT (the external interface) and the ssh-connection chain must already be defined.
/sbin/iptables -A ssh-connection -i $EXT -p tcp --dport 22 -m recent \
    --update --seconds 600 --hitcount 4 --rttl --name SSH -j LOG \
    --log-prefix "SSH_brute_force "
/sbin/iptables -A ssh-connection -i $EXT -p tcp --dport 22 -m recent \
    --update --seconds 600 --hitcount 4 --rttl --name SSH -j DROP
/sbin/iptables -A ssh-connection -p tcp --dport 22 -m state --state NEW \
    -m recent --set --name SSH -j ACCEPT




 
Old 01-28-2009, 02:35 PM
Paul Cartwright
 
Default ssh howto for debian?

On Wed January 28 2009, Kevin Philp wrote:
> Even easier and better add the following to your iptables firewall. This
> monitors your connections to the ssh port and drops the connection if
> they try more than 4 connections in 10 minutes. I have been using this
> for a while - works a treat.
>
> references at :
>
> http://www.la-samhna.de/library/brutessh.html
> http://www.ducea.com/2006/06/28/using-iptables-to-block-brute-force-attacks/
>
> /sbin/iptables -A ssh-connection -i $EXT -p tcp --dport 22 -m recent
> --update --seconds 600 --hitcount 4 --rttl --name SSH -j LOG
> --log-prefix "SSH_brute_force "

# /sbin/iptables -A ssh-connection -i $EXT -p tcp --dport 22 -m
recent --update --seconds 600 --hitcount 4 --rttl --name SSH -j
LOG --log-prefix "SSH_brute_force "
Bad argument `tcp'
Try `iptables -h' or 'iptables --help' for more information.


--
Paul Cartwright
Registered Linux user # 367800
Registered Ubuntu User #12459


 
Old 01-28-2009, 02:48 PM
Kevin Philp
 
Default ssh howto for debian?

Paul Cartwright wrote:

> On Wed January 28 2009, Kevin Philp wrote:
> > Even easier and better add the following to your iptables firewall. This
> > monitors your connections to the ssh port and drops the connection if
> > they try more than 4 connections in 10 minutes. I have been using this
> > for a while - works a treat.
> >
> > references at :
> >
> > http://www.la-samhna.de/library/brutessh.html
> > http://www.ducea.com/2006/06/28/using-iptables-to-block-brute-force-attacks/
> >
> > /sbin/iptables -A ssh-connection -i $EXT -p tcp --dport 22 -m recent
> > --update --seconds 600 --hitcount 4 --rttl --name SSH -j LOG
> > --log-prefix "SSH_brute_force "
>
> # /sbin/iptables -A ssh-connection -i $EXT -p tcp --dport 22 -m
> recent --update --seconds 600 --hitcount 4 --rttl --name SSH -j
> LOG --log-prefix "SSH_brute_force "
> Bad argument `tcp'
> Try `iptables -h' or 'iptables --help' for more information.



Sorry, I wasn't clear - this was cut from our firewall script. Here is a
longer section. It should work and give you what you need.


#!/bin/bash

###### Variables #####################################
INT=eth0
EXT=eth1
IPTABLES=/sbin/iptables

###### Flush old rules ################################
$IPTABLES -F
$IPTABLES -X

###### Set defaults ################################
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

###### Modified SSH brute force blocker with anti spoofing ##########
$IPTABLES -N ssh-connection
$IPTABLES -F ssh-connection
# Log, then drop, sources with 4 or more recorded hits in the last 600 seconds
$IPTABLES -A ssh-connection -i $EXT -p tcp --dport 22 -m recent --update \
    --seconds 600 --hitcount 4 --rttl --name SSH -j LOG \
    --log-prefix "SSH_brute_force "
$IPTABLES -A ssh-connection -i $EXT -p tcp --dport 22 -m recent --update \
    --seconds 600 --hitcount 4 --rttl --name SSH -j DROP
# Otherwise record the source of each new connection and accept it
$IPTABLES -A ssh-connection -p tcp --dport 22 -m state --state NEW \
    -m recent --set --name SSH -j ACCEPT


###### Set local access on INT only ###################
$IPTABLES -N internal-connection
$IPTABLES -F internal-connection
# "! -i" is the current negation syntax (the older "-i ! $EXT" form is deprecated)
$IPTABLES -A internal-connection -s 127.0.0.1 ! -i $EXT -j ACCEPT
$IPTABLES -A internal-connection -s 192.168.100.0/255.255.255.0 \
    ! -i $EXT -j ACCEPT


###### Set access to related connections ###############
$IPTABLES -N allowed-connection
$IPTABLES -F allowed-connection
$IPTABLES -A allowed-connection -p tcp -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed-connection -p udp -m state \
    --state ESTABLISHED,RELATED -j ACCEPT


####### Jump INPUT to filter chains
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -j allowed-connection
$IPTABLES -A INPUT -j internal-connection
$IPTABLES -A INPUT -j ssh-connection

###### Jump FORWARD to filter chains
$IPTABLES -A FORWARD -o lo -j ACCEPT
$IPTABLES -A FORWARD -j allowed-connection
$IPTABLES -A FORWARD -j internal-connection
$IPTABLES -A FORWARD -j ssh-connection
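
What the three ssh-connection rules above do to a stream of new connections, as an added example that is not part of the original post: a shell/awk model of the recent match as the iptables man page documents it. The --rttl check is not modelled, and the addresses and timestamps are constructed.

```shell
#!/bin/sh
# Model of the three ssh-connection rules, following the semantics the
# iptables man page documents for the "recent" match (--rttl not modelled).
# stdin: "<seconds> <source>" per NEW connection to port 22, in time order.
# stdout: the same line with the verdict appended.
recent_verdicts() {
    awk -v window="${1:-600}" -v hitcount="${2:-4}" '
    # Number of stored timestamps for src seen within the last window seconds.
    function hits(src, now,    i, c) {
        c = 0
        for (i = 1; i <= n[src]; i++)
            if (now - stamp[src, i] <= window) c++
        return c
    }
    function record(src, now) { stamp[src, ++n[src]] = now }
    {
        now = $1; src = $2
        if (hits(src, now) >= hitcount) {
            record(src, now)    # rule 1: --update matches, packet is logged
            record(src, now)    # rule 2: --update matches again, packet dropped
            print now, src, "DROP"
        } else {
            record(src, now)    # rule 3: --set stores the source, ACCEPT
            print now, src, "ACCEPT"
        }
    }'
}

# Constructed input: both sources open five connections in 20 seconds;
# 198.51.100.20 keeps retrying while blocked, 203.0.113.7 goes quiet.
SAMPLE='100 203.0.113.7
100 198.51.100.20
105 203.0.113.7
105 198.51.100.20
110 203.0.113.7
110 198.51.100.20
115 203.0.113.7
115 198.51.100.20
120 203.0.113.7
120 198.51.100.20
420 198.51.100.20
600 198.51.100.20
721 203.0.113.7
721 198.51.100.20'

printf '%s\n' "$SAMPLE" | recent_verdicts 600 4
```

Four connections inside the window are accepted and the fifth is dropped. The source that keeps retrying refreshes its entry and is still dropped at 721, while the quiet source is accepted again once its entries are older than 600 seconds.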









 
Old 01-28-2009, 03:02 PM
Paul Cartwright
 
Default ssh howto for debian?

On Wed January 28 2009, Paul Cartwright wrote:
> > references at :
> >
> > http://www.la-samhna.de/library/brutessh.html
> > http://www.ducea.com/2006/06/28/using-iptables-to-block-brute-force-attacks/
> >
> > /sbin/iptables -A ssh-connection -i $EXT -p tcp --dport 22 -m recent
> > --update --seconds 600 --hitcount 4 --rttl --name SSH -j LOG
> > --log-prefix "SSH_brute_force "
>
> # /sbin/iptables -A ssh-connection -i $EXT -p tcp --dport 22 -m
> recent --update --seconds 600 --hitcount 4 --rttl --name SSH -j
> LOG --log-prefix "SSH_brute_force "
> Bad argument `tcp'
> Try `iptables -h' or 'iptables --help' for more information.

I think I get it now..
you have to change $EXT to NEW:
/sbin/iptables -A ssh-connection -i NEW -p tcp --dport 22 -m recent


--
Paul Cartwright
Registered Linux user # 367800
Registered Ubuntu User #12459


 
Old 01-28-2009, 03:13 PM
Raquel
 
Default ssh howto for debian?

On Wed, 28 Jan 2009 15:00:37 +0000
Kevin Philp <kevin@cybercolloids.net> wrote:

> > A good package to install, to help with the brute force attacks is
> > fail2ban.
> >
>
> Even easier and better add the following to your iptables firewall.
> This monitors your connections to the ssh port and drops the
> connection if they try more than 4 connections in 10 minutes. I
> have been using this for a while - works a treat.

"Easier and better" depends on a lot of factors, including a person's
desire to edit, directly, their iptables files. Some use Shorewall
(for which there are other solutions) or another firewall creation
tool. For me, I appreciated the solutions found in fail2ban.

--
Raquel
http://www.byraquel.com
============================================================
America did not invent human rights. In a very real sense, it is the
other way around. Human rights invented America.

--Jimmy Carter

