Tim Bowler » ssh attacks http://timothybowler.com Certified Scrum Master | Certified Scrum Practitioner | Agile Coach | Agile Practitioner Sat, 19 Dec 2009 16:14:31 +0000 en hourly 1 http://wordpress.org/?v=3.0 SSH security http://timothybowler.com/2008/08/10/ssh-security/ http://timothybowler.com/2008/08/10/ssh-security/#comments Sun, 10 Aug 2008 22:26:22 +0000 Tim Bowler http://timothybowler.com/2008/08/10/ssh-security/ Over the last few weeks the server logs, especially /var/log/messages seems to be filled with consistent ssh dictionary attacks. Of course this cannot continue, so what do you do to prevent it?

Well there are a few things:

1. Setup the firewall to handle them

2. Installing deny hosts

3. Configure your ssh daemon properly

4. Set up proper accounts for people

The methods that I deploy are points 1, 3 and 4.

Configuring SSH

In the sshd_conf do the following:

- change the port number: port 9999

- Allow no password auth: PasswordAuthentication no

- Allow public key auth: PubkeyAuthentication yes

- Only allow user accounts that belong to a group: AllowGroups groupName

By setting the above you have place a lot of restrictions on the who can access your server using ssh.

Configure your firewall iptables in linux

iptables -N SSH_CHECK
iptables -A INPUT -p tcp --dport 9999 -m state --state NEW -j SSH_CHECK
iptables -A SSH_CHECK -m recent --set --name SSH
iptables -A SSH_CHECK -m recent --update --minutes 60 --hitcount 4 --name SSH -j DROP

Finally the last thing is to configure the user accounts that can access the server. It is strongly recommended to add the users to the sudousers if they require any specialist privileges.

]]> http://timothybowler.com/2008/08/10/ssh-security/feed/ 0