[vox] security dilemma

Orson Jones orsonjones at runbox.com
Thu Sep 21 08:42:57 PDT 2006 

<snip>
> There are three separate things you can do to minimize the
> attackability of your accounts:
> 
> 1) Don't allow password based ssh logins. Use ssh keys with passwords
> on the keys to log in instead.
> 
> 2) Disable/delete all accounts which aren't in use; make sure their
> passwords are invalid.

You can also allow only a specific set of users to login using ssh in the sshd config file
The relevent line would look like:

AllowUsers user1 user3 user7

This allows you to have accounts active that you need for whatever reason, but they don't need to be logging in with ssh. If you have a lot of users that need ssh access, AllowGroups may be better for that situation.
 
> 3) Install fail2ban or an equivalent to automatically ban IPs for a
> period of time once they have had a certain number of failures in a
> time period.

The method I use is an iptables rule that does rate limiting for new connections on port 22.
The relevent lines from iptables-save look like:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m limit --limit 4/min --limit-burst 2 -j ACCEPT 
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT 
This generally gets scripts to give up after the first few guesses
I use logwatch on my machines and my custom ssh section currently looks like this:

6 Failed logins for invalid user from 61.185.242.207

It used to look like this

645 Failed logins for invalid user from 64.62.191.70
97 Failed logins for invalid user from 202.16.201.208
351 Failed logins for invalid user from 203.204.128.162
27 Failed logins for invalid user from 210.73.128.152

The ssh section used to be really long, so I built an extra section that summarized the output as shown above.
 
> 4) If you don't do #1, make sure that all of the passwords on accounts
> are not trivially guessable. Using pam's cracklib can help enforce
> this if you have multiple users.
> 
> That being said, ssh password guessing attacks are pretty much the
> easiest type of attack to defend against; there are many other modes
> of attack which are more likely to compromise your machine.
> 
> 
> Don Armstrong

Someone else mentioned it also, but I will say it again, using a different port helps reduce the ammount of automated attacks that hit your system. I use both port 22, and a different higher number port. I firewall the use of port 22 to a smaller set of addresses and leave the higher port open to the world. That way I can use ssh utilities from my regular machines without having figure out whether the utility I am using uses -p or -P to select the port. Then if I am connecting from a machine I don't regularly use, I can use the higher port number to connect.
The relevent lines in sshd_config look like:

Port 22
Port XXXXX

So you just add an additional line to get sshd to listen to multiple ports

Orson Jones

More information about the vox mailing list