02-19-2011, 04:00 PM
James McKenzie
Running ssh on unreserved ports

On 2/19/11 8:45 AM, Rick Sewill wrote:
> On Saturday, February 19, 2011 04:28:11 am Anne Wilson wrote:
>> On Saturday 19 February 2011 10:20:30 Tim wrote:
>>> On Fri, 2011-02-18 at 16:07 -0500, Alex wrote:
>>>> I'd like to move it to a higher port to avoid the normal doorknob
>>>> rattling that occurs with ssh running on a public server.
>>> Even with it on a different port, you'd probably want to implement some
>>> firewalling that auto-bans an IP after few failed attempts. That stops
>>> them from continually trying to get through.
>>>
>>> I think there was a package called fail2ban, or something similar, that
>>> did that automatically.
>> Fail2ban is easy to set up, and I've seen it stop attempts here.
>>
>> Anne
> The one time I suffered a rootkit on Linux was when someone
> used a bug in ssh to get into my system. Fortunately, for me,
> I discovered the rootkit within hours of it happening and reloaded.
>
> I am paranoid about ssh and welcome suggestions that increase my ssh
> security configuration, in particular, and overall security, in general.
Sounds like you have a good security policy. Scanning often is one thing
it appears you do, as you caught the compromise of your system quickly.

No system on the Internet is totally secure, and you applied that policy
well.

James McKenzie
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
02-19-2011, 08:11 PM
Adrian Sevcenco
Running ssh on unreserved ports

On 02/19/2011 05:45 PM, Rick Sewill wrote:
> On Saturday, February 19, 2011 04:28:11 am Anne Wilson wrote:
>> On Saturday 19 February 2011 10:20:30 Tim wrote:
>>> On Fri, 2011-02-18 at 16:07 -0500, Alex wrote:
>>>> I'd like to move it to a higher port to avoid the normal doorknob
>>>> rattling that occurs with ssh running on a public server.
>>>
>>> Even with it on a different port, you'd probably want to implement some
>>> firewalling that auto-bans an IP after few failed attempts. That stops
>>> them from continually trying to get through.
>>>
>>> I think there was a package called fail2ban, or something similar, that
>>> did that automatically.
>>
>> Fail2ban is easy to set up, and I've seen it stop attempts here.
>>
>> Anne
>
> The one time I suffered a rootkit on Linux was when someone
> used a bug in ssh to get into my system. Fortunately, for me,
> I discovered the rootkit within hours of it happening and reloaded.
>
> I am paranoid about ssh and welcome suggestions that increase my ssh
> security configuration, in particular, and overall security, in general.
>
> Currently, for ssh on my system, I do the following:
> 1) in my /etc/ssh/sshd_config file
> a) I specify which users can use ssh (AllowUsers rsewill ...)
> b) I explicitly specified only protocol 2 could be used until that
> was the default in later versions of ssh. (Protocol 2)
> c) I switch to a non-standard port (Port ...)
> d) I do not permit root logins, (PermitRootLogin no)
> e) I ignore user known hosts (IgnoreUserKnownHosts yes)
> f) I do not permit password authentication (PasswordAuthentication no)
>
> I do not permit kerberos authentication.
>
> This leaves public key authentication.
> Please make sure the key bits are large enough, default is 2048 for RSA,
> and make sure the person, with the private key, protects the private key.
>
> 2) in iptables
> a) I whitelist the IP addresses of those I permit coming in through ssh.

http://www.cipherdyne.org/fwknop/
This way you can have a DROP policy without anything open.

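An added example, not code from the thread or from OpenSSH: a small Python audit that reads an sshd_config the way sshd does (first occurrence of a keyword wins, directives after a Match line are conditional) and reports which of the directives in Rick's list are missing or set to a weak value. The target values and the sample config are assumptions constructed for illustration.

```python
import re

# Directives from Rick's list and the value each should carry (target values assumed).
EXPECTED = {"protocol": "2", "permitrootlogin": "no", "ignoreuserknownhosts": "yes",
            "passwordauthentication": "no", "kerberosauthentication": "no"}

def parse_sshd_config(text):
    """Lowercased keyword -> value. sshd rules: '#' lines are comments, keywords are
    case-insensitive, 'Key value' or 'Key=value', and the FIRST occurrence wins.
    Lines after a Match block apply only conditionally and are skipped (simplification)."""
    conf, in_match = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            in_match = True
        elif not in_match:
            conf.setdefault(key, value)
    return conf

def audit(text):
    """Return findings; an empty list means every checked directive is as expected."""
    conf, findings = parse_sshd_config(text), []
    for key, want in EXPECTED.items():
        got = conf.get(key)
        if got is None:
            findings.append(f"{key}: not set, relying on the compiled-in default")
        elif got.lower() != want:
            findings.append(f"{key}: is '{got}', expected '{want}'")
    if "allowusers" not in conf:
        findings.append("allowusers: no user whitelist")
    if conf.get("port", "22") == "22":
        findings.append("port: still listening on 22")
    return findings

# Constructed sample config following the thread's list (not a real host's file).
HARDENED = """\
Port 2222
Protocol 2
AllowUsers rsewill
PermitRootLogin no
IgnoreUserKnownHosts yes
PasswordAuthentication no
KerberosAuthentication no
"""
```

Running `audit(HARDENED)` returns an empty list; feeding it a config with `PermitRootLogin yes` or a missing `AllowUsers` returns one finding per problem.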
 
02-20-2011, 03:00 PM
Alex
Running ssh on unreserved ports

Hi,

>> I'd like to move it to a higher port to avoid the normal doorknob
>> rattling that occurs with ssh running on a public server.
>
> Does this work for you (assuming 1234 is what you want to listen on)
> semanage port -a -t ssh_port_t -p tcp 1234

This worked great, thanks.

Alex
 
02-20-2011, 03:05 PM
Alex
Running ssh on unreserved ports

Hi,

>> Fail2ban is easy to set up, and I've seen it stop attempts here.

Everything helps, but this is one that I wouldn't really rely on, in
case the log file format for ssh changed in some way, or the script
died and it wasn't noticed.

> I am paranoid about ssh and welcome suggestions that increase my ssh
> security configuration, in particular, and overall security, in general.

All great ideas. You haven't mentioned hosts.allow/deny. Perhaps you were
referencing that in your comment about googling for China IP
addresses?

I also recently found this:

# Google Authenticator
http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=1066447

This is apparently some application that somehow integrates with your
phone to authenticate you with ssh? Anyone have any success with this?

Thanks,
Alex
 
02-20-2011, 03:15 PM
Genes MailLists
Running ssh on unreserved ports

On 02/20/2011 11:05 AM, Alex wrote:

>
> I also recently found this:
>
> # Google Authenticator
> http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=1066447
>
> This is apparently some application that somehow integrates with your
> phone to authenticate you with ssh? Anyone have any success with this?
>
> Thanks,
> Alex

I thought this was more to authenticate yourself to google.com and not
to your own servers - I could be wrong however ...
 
02-20-2011, 03:28 PM
Genes MailLists
Running ssh on unreserved ports

On 02/20/2011 11:00 AM, Alex wrote:
> Hi,
>
>>> I'd like to move it to a higher port to avoid the normal doorknob
>>> rattling that occurs with ssh running on a public server.
>>
>> Does this work for you (assuming 1234 is what you want to listen on)
>> semanage port -a -t ssh_port_t -p tcp 1234
>
> This worked great, thanks.
>
> Alex


Glad to hear - I should also mention that this is very easy to do using
the selinux GUI manager as well.

Click System->Administration->SELinux Management

Click Network Ports

(scroll down to see ssh - on port 22 - note the ssh_port_t)

Click the Add button

Add your port with type ssh_port_t

Gene/
 
02-20-2011, 09:13 PM
Patrick Kobly
Running ssh on unreserved ports

On 2011-02-20, at 9:05 AM, "Alex" <mysqlstudent@gmail.com> wrote:

> Hi,
>
>>> Fail2ban is easy to set up, and I've seen it stop attempts here.
>
> Everything helps, but this is one that I wouldn't really rely on, in
> case the log file format for ssh changed in some way, or the script
> died and it wasn't noticed.

FWIW, I would most assuredly notice fail2ban stopping in an extremely short period of time, due to the notification emails of newly jailed IPs stopping.

>
>> I am paranoid about ssh and welcome suggestions that increase my ssh
>> security configuration, in particular, and overall security, in general.
>
> All great ideas. You haven't mentioned hosts.allow/deny. Perhaps you were
> referencing that in your comment about googling for China IP
> addresses?
>
> I also recently found this:
>
> # Google Authenticator
> http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=1066447
>
> This is apparently some application that somehow integrates with your
> phone to authenticate you with ssh? Anyone have any success with this?
>
> Thanks,
> Alex

 
02-21-2011, 11:25 AM
Anne Wilson
Running ssh on unreserved ports

On Sunday 20 February 2011 22:13:16 Patrick Kobly wrote:
> On 2011-02-20, at 9:05 AM, "Alex" <mysqlstudent@gmail.com> wrote:
> > Hi,
> >
> >>> Fail2ban is easy to set up, and I've seen it stop attempts here.
> >
> > Everything helps, but this is one that I wouldn't really rely on, in
> > case the log file format for ssh changed in some way, or the script
> > died and it wasn't noticed.
>
From the Fail2ban main page:

Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log
and bans IPs that make too many password failures. It updates firewall rules
to reject the IP address.

Brute force attacks are stopped in their tracks. You configure how many
consecutive failures are allowed before blocking occurs. We all occasionally
mis-type a password or use the wrong password, but normally we only do that
once, so three or four consecutive failures are very suspect.

Anne
--
New to KDE Software? - get help from http://userbase.kde.org
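An added example, not code from the thread or from the fail2ban project: the rule Anne quotes (ban an address after too many failures in a short time, fail2ban's maxretry and findtime settings) implemented in Python over constructed /var/log/secure lines. It also counts sshd failure lines the pattern no longer recognises, which is how the log-format drift Alex was worried about would show up. The log format, the year and the addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Classic OpenSSH "Failed password" line as written to /var/log/secure (format assumed).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$")

def parse_ts(ts, year=2011):
    # syslog timestamps carry no year; one is assumed so the window arithmetic works.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_bans(lines, maxretry=4, findtime=600):
    """Mimic a fail2ban ssh jail: an IP is banned once it has maxretry failures within
    findtime seconds. Also count sshd failure lines the pattern does NOT understand,
    which is the symptom of the log-format change Alex worried about."""
    window, banned, unparsed = defaultdict(deque), [], 0
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            if "sshd[" in line and "Failed" in line:
                unparsed += 1
            continue
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        q = window[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > findtime:   # drop failures outside the window
            q.popleft()
        if len(q) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned, unparsed

# Constructed sample of /var/log/secure lines (addresses from the documentation ranges).
SAMPLE_LOG = """\
Feb 19 08:10:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51202 ssh2
Feb 19 08:10:03 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51203 ssh2
Feb 19 08:10:05 host sshd[2103]: Failed password for root from 203.0.113.5 port 51210 ssh2
Feb 19 08:10:08 host sshd[2105]: Failed password for root from 203.0.113.5 port 51215 ssh2
Feb 19 08:11:00 host sshd[2110]: Failed password for rsewill from 198.51.100.7 port 40001 ssh2
Feb 19 08:30:00 host sshd[2120]: Failed password for rsewill from 198.51.100.7 port 40002 ssh2
Feb 19 08:31:00 host sshd[2121]: Accepted publickey for rsewill from 198.51.100.7 port 40003 ssh2
Feb 19 08:32:00 host sshd[2130]: Failed keyboard-interactive/pam for bob from 192.0.2.9 port 50000 ssh2
""".splitlines()

if __name__ == "__main__":
    print(find_bans(SAMPLE_LOG))   # (['203.0.113.5'], 1)
```

The legitimate user's two mistyped passwords 19 minutes apart never reach the threshold, while a non-zero unparsed count is the signal to alert on rather than silently stop banning.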
 
