Old 08-14-2008, 09:00 PM
John K Masters
 
SSHD_config question

On 21:29 Thu 14 Aug, Adam Funk wrote:
> On 2008-08-14, Knapp wrote:
>
> [MaxStartups option in sshd_config]
>
> > I hope, pray, that my system has strong security at this point with ssh
> > locked down hard and Firestarter locking out most other things. Have I
> > missed anything?
>
> Change "PermitRootLogin yes" to "PermitRootLogin no". It's also a
> good idea to allow login by SSH keys only; generate a keypair using
> ssh-keygen (there are some good HOWTOs on the web) and test the key
> from a remote machine, then (after testing!) change
> "PasswordAuthentication yes" to "PasswordAuthentication no". This
> makes dictionary-based cracking impossible.
>

If you do this then make sure you have another way in for when you
delete your key. It WILL happen. I speak from experience.

> If you're running it on port 22 (the default), you will get a lot of
> noise in your logs from bots trying to log in using root and common
> account names. You can stop that by running it on a high-numbered
> port. (This is security by obscurity and you should not *rely* on it,
> but it definitely reduces log noise.)
>

I use logcheck to mail me every hour and fail2ban to permanently ban
after 3 failed attempts.


--
Regards, John

--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
 
Old 08-14-2008, 09:05 PM
John L Fjellstad
 
SSHD_config question

Smoot Carl-Mitchell <smoot@tic.com> writes:

> You can do similar rate limiting with iptables on Linux systems.
> Something like:
>
> iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
> iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 10 -j DROP

You want to do it in the opposite order.
The way you wrote it, a packet will match the first rule and be
added to the 'recent' table.
It will then match the second rule, and the timestamp will be updated.
The system will notice that the IP address was matched very recently, so the
--seconds won't count. The hitcount will be 5 instead of 10 as
specified (since one packet will match both rules).

If you do the --update before --set, then if the source has never been
seen before, the --update rule won't match, but the --set rule will
match. On the second and subsequent access try, the --update rule will
match.

--
John L. Fjellstad
web: http://www.fjellstad.org/ Quis custodiet ipsos custodes


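The rule-order argument above, worked through in a small model of the
'recent' match so you can see which connection attempt actually gets
dropped. This is an added example, not code from the thread or from
netfilter. The model follows the documented xt_recent behaviour (--set
always matches and records a timestamp; --update matches only when the
source already has --hitcount timestamps inside --seconds, and records a
timestamp only on a match); reaping, TTL checks and the per-packet details
are left out, the attacker address is constructed, and the 20-entry history
cap copies the ip_pkt_list_tot default.

```python
from collections import deque


class RecentTable:
    """Model of the iptables 'recent' match (xt_recent), written for this
    example. --set always matches and records a timestamp for the source;
    --update matches only when that source already has at least `hitcount`
    timestamps inside the last `seconds`, and records a new timestamp only
    when it matches. No reaping, no TTL; history capped at 20 like the
    ip_pkt_list_tot default."""

    def __init__(self, max_stamps=20):
        self.stamps = {}
        self.max_stamps = max_stamps

    def set(self, src, now):
        hist = self.stamps.setdefault(src, deque(maxlen=self.max_stamps))
        hist.append(now)
        return True

    def update(self, src, now, seconds, hitcount):
        hist = self.stamps.get(src)
        if hist is None:
            return False
        hits = sum(1 for t in hist if now - t <= seconds)
        if hits < hitcount:
            return False
        hist.append(now)
        return True


def chain_order(commands):
    """Order the rules end up in after running the given commands:
    -A appends to the end, -I with no position inserts at the head."""
    chain = []
    for cmd in commands:
        if cmd.split()[1] == "-I":
            chain.insert(0, cmd)
        else:
            chain.append(cmd)
    return chain


def first_dropped(chain, attempts=20, spacing=1, seconds=300, hitcount=10):
    """Send `attempts` NEW connections from one source, `spacing` seconds
    apart, through the chain in order. Returns the 1-based number of the
    first attempt the --update ... -j DROP rule catches, or None."""
    table = RecentTable()
    src = "203.0.113.7"   # constructed attacker address
    for n in range(1, attempts + 1):
        now = n * spacing
        for rule in chain:
            if "--set" in rule:
                table.set(src, now)
            elif table.update(src, now, seconds, hitcount):
                return n        # -j DROP: traversal stops here
    return None


# The two commands from the thread, in the order they were typed.
COMMANDS = [
    "iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set",
    "iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 10 -j DROP",
]

if __name__ == "__main__":
    as_typed = chain_order(COMMANDS)
    print("chain after both -I commands:", [r.split("-m recent ")[1] for r in as_typed])
    print("set before update drops attempt:", first_dropped(COMMANDS))
    print("update before set drops attempt:", first_dropped(as_typed))
    print("one attempt a minute, set first:", first_dropped(COMMANDS, spacing=60))
```

Under this model the order moves the trip point by one attempt (the 10th
versus the 11th), because with --set first the packet being checked has
already been stamped by the time --update counts. Two things worth checking
on a real box: both commands use -I, which inserts at the head of the
chain, so after typing them in that order the --update rule actually sits
above the --set rule (chain_order shows this); and a single attempt every
minute never trips a 10-in-300-seconds rule, which is the slow-drip pattern
the rate limit does not stop. Confirm with `iptables -L INPUT -n --line-numbers`
and `cat /proc/net/xt_recent/DEFAULT`.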
 
Old 08-14-2008, 10:43 PM
Smoot Carl-Mitchell
 
SSHD_config question

On Thu, 2008-08-14 at 23:05 +0200, John L Fjellstad wrote:
> Smoot Carl-Mitchell <smoot@tic.com> writes:
>
> > You can do similar rate limiting with iptables on Linux systems.
> > Something like:
> >
> > iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
> > iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 10 -j DROP
>
> You want to do it in the opposite order.

You are correct. Thanks!
--
Smoot Carl-Mitchell
System/Network Architect
smoot@tic.com
+1 480 922 7313
cell: +1 602 421 9005

 
Old 08-15-2008, 01:30 AM
Charlie Brune
 
SSHD_config question

John K Masters wrote:
> On 21:29 Thu 14 Aug, Adam Funk wrote:
>
>> On 2008-08-14, Knapp wrote:
>>
>> [MaxStartups option in sshd_config]
>>
>>
>>> I hope, pray, that my system has strong security at this point with ssh
>>> locked down hard and Firestarter locking out most other things. Have I
>>> missed anything?
>>>
>> Change "PermitRootLogin yes" to "PermitRootLogin no". It's also a
>> good idea to allow login by SSH keys only; generate a keypair using
>> ssh-keygen (there are some good HOWTOs on the web) and test the key
>> from a remote machine, then (after testing!) change
>> "PasswordAuthentication yes" to "PasswordAuthentication no". This
>> makes dictionary-based cracking impossible.
>>
>>
>
> If you do this then make sure you have another way in for when you
> delete your key. It WILL happen. I speak from experience
>
>
>> If you're running it on port 22 (the default), you will get a lot of
>> noise in your logs from bots trying to log in using root and common
>> account names. You can stop that by running it on a high-numbered
>> port. (This is security by obscurity and you should not *rely* on it,
>> but it definitely reduces log noise.)
>>
>>
>
> I use logcheck to mail me every hour and fail2ban to permanently ban
> after 3 failed attempts.
>
>
>
Note that you can have more than one "port" command defined. For
example, you can use something like:
port 22
port 2221

That way, you can use port 22 inside your firewall and only open up port
2221 for remote SSH access.

You should also limit logins to specific users or groups, if you can.
For example, use something like:
allowusers fred

and only the user "fred" will be able to ssh in to your system.



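A checker for the sshd_config changes recommended across this thread
(PermitRootLogin no and PasswordAuthentication no from Adam's post, the
extra Port line and AllowUsers from Charlie's), as an added example that is
not part of either post and is not OpenSSH code. The two config texts are
constructed for the example. It parses the file the way sshd_config(5)
describes (case-insensitive keywords, first value wins, everything after a
Match line is conditional), and the upstream defaults it assumes for unset
keywords are stated in the audit() docstring.

```python
import re

# Constructed sample: the state the thread starts from (root login and
# password logins allowed, one port, no user restriction). Not a real file.
WEAK_CONFIG = """\
# /etc/ssh/sshd_config (constructed example)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""

# The same file with the thread's recommendations applied: root login off,
# keys only, a second port for outside access, and logins limited to fred.
# The Match block re-enables passwords on one inside network only; it is
# conditional, so it must not be read as a global setting.
HARDENED_CONFIG = """\
Port 22
Port 2221
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
AllowUsers fred
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

# Keywords whose values accumulate across lines; every other keyword takes
# the first value seen, per sshd_config(5).
MULTI = {"port", "listenaddress", "allowusers", "allowgroups",
         "denyusers", "denygroups", "hostkey"}


def parse_sshd_config(text):
    """Effective global settings as {lowercase keyword: value or list}.

    Keywords are case-insensitive, '#' starts a comment, keyword and value
    may be separated by whitespace or '=', the first value wins, and the
    first Match line ends the global section.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key in MULTI:
            settings.setdefault(key, []).append(value)
        elif key not in settings:
            settings[key] = value
    return settings


def ports(text):
    """Ports sshd will listen on; 22 when no Port line is present."""
    return [int(p) for p in parse_sshd_config(text).get("port", ["22"])]


def audit(text):
    """Names of the settings that still fall short of the thread's advice.

    Unset keywords are judged by the upstream defaults assumed here:
    PasswordAuthentication, ChallengeResponseAuthentication and
    PubkeyAuthentication default to yes, UsePAM to no. An unset
    PermitRootLogin is reported because its default has changed across
    OpenSSH releases and should be written down explicitly.
    """
    s = parse_sshd_config(text)
    findings = []
    if s.get("permitrootlogin", "").lower() in ("", "yes"):
        findings.append("PermitRootLogin")
    password = s.get("passwordauthentication", "yes").lower()
    if password != "no":
        findings.append("PasswordAuthentication")
    # Turning off PasswordAuthentication is not enough when PAM can still
    # prompt for a password over keyboard-interactive.
    challenge = s.get("challengeresponseauthentication",
                      s.get("kbdinteractiveauthentication", "yes")).lower()
    if password == "no" and challenge != "no" and s.get("usepam", "no").lower() == "yes":
        findings.append("ChallengeResponseAuthentication")
    if s.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication")
    if not (s.get("allowusers") or s.get("allowgroups")):
        findings.append("AllowUsers/AllowGroups")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: ports {ports(cfg)}, findings {audit(cfg) or 'none'}")
```

The ChallengeResponseAuthentication check is the one people miss: with
UsePAM yes, PAM can still ask for the password through keyboard-interactive
even after PasswordAuthentication is off, so the dictionary bots are not
locked out until that is no as well. On a live system compare this against
`sshd -T`, which prints the settings sshd has actually resolved, and keep a
second session open while you restart sshd so a typo does not lock you out.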
 
Old 08-15-2008, 11:44 AM
Adam Funk
 
SSHD_config question

On 2008-08-14, NoOp wrote:

>> That being said, if you use real passwords (i.e. longer than 8,
>> include at least more than one case, some numbers and punctuation -
>> definitely not something you can find in a newspaper) you are fine.
>>
>> If you look at the attempts those ssh bots are trying the passwords
>> are laughably bad. If you have a laughably bad password then you have
>> issues :-)

> Agree there... (laughably bad password attempts).

From the log dumps I've seen, they also go through lists of common
forenames as accounts.

The passwords that the bots try don't show up in the logs (of course!)
--- did you use some special honeytrap tool to see what they were?


 
Old 08-15-2008, 02:26 PM
"Brian McKee"
 
SSHD_config question

On Fri, Aug 15, 2008 at 7:44 AM, Adam Funk <a24061@ducksburg.com> wrote:
> On 2008-08-14, NoOp wrote:
>
>>> That being said, if you use real passwords (i.e. longer than 8,
>>> include at least more than one case, some numbers and punctuation -
>>> definitely not something you can find in a newspaper) you are fine.
>>>
>>> If you look at the attempts those ssh bots are trying the passwords
>>> are laughably bad. If you have a laughably bad password then you have
>>> issues :-)
>
>> Agree there... (laughably bad password attempts).
>
> From the log dumps I've seen, they also go through lists of common
> forenames as accounts.
>
> The passwords that the bots try don't show up in the logs (of course!)
> --- did you use some special honeytrap tool to see what they were?

Over the last couple of years I've seen several articles from honeypot
admins showing the passwords tried.
It was a who's who of easily guessable passwords. Sorry I don't have
any links handy, but I'm sure Google could provide.

Brian
