SSH hank attempts… bad?

Lonnie Olson fungus at aros.net
Wed Apr 12 11:28:25 MDT 2006


Justin Findlay wrote:
> On 4/11/06, Wade Preston Shearer <lists at wadeshearer.com> wrote:
>> My server can get up ~12,000 [1] failed login attempts recorded in
>> my server's logs in one day. How much of a concern should this be? I
>> am aware of restricting shell access to certain IPs. Will that
>> restrict the handshake or will I still see the attempts in my logs?
>> Are there any ways to restrict the attempts?
> 
> What I've done: 1. Change ssh port to a random non privileged, non
> used port.  2. Use good passwords.  3. Install DenyHosts and change
> the default "protective" settings to "brutally unforgiving" as in
> after 5 tries at a password on any account real or fantastic, that
> host is denied all services for forever.

The simplest thing you can do to reduce the failed login attempts is to 
move ssh to another port.  That is not the only thing you should do though.

As previously suggested, add several security layers to it.
Note: some suggestions cause more pain to good people than to the bad 
people.

1. Limit connecting to ssh from certain IPs or netblocks.
    a. Firewall
    b. tcpwrappers (hosts.allow/hosts.deny)
    c. or other.
2. Hide ssh
    a. move to another port
3. Limit authentication methods
    a. AllowGroups or AllowUsers (see man 5 sshd_config)
    b. PermitRootLogin no
    c. PasswordAuthentication no
       Note: ChallengeResponseAuthentication should be disabled too if
       PAM is enabled.
4. Watch log entries
    a. Use an automated log watcher to block repeated failures
    b. Use logwatch or similar to alert you to important entries
5. Once authenticated limit abilities
    a. For system accounts - verify shell is false, nologin, or similar
    b. For real accounts
       1. Enforce good passwords
       2. Careful with sudo and su abilities.
    c. Keep system up to date to avoid privilege escalation

Each option has its merits and drawbacks, carefully evaluate and 
implement the steps that fit well in your situation.

--lonnie
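Item 4a above (an automated log watcher that blocks repeated failures) as an added worked example; this is not DenyHosts and not code from anyone in this thread. It parses sshd syslog lines, counts failed authentications per source address, skips an allow-listed management netblock so you do not lock out the "good people" the note warns about, and formats tcpwrappers hosts.deny entries for item 1b. The sample log lines, the 198.51.100.0/24 allow list and the threshold of 5 are constructed assumptions for the example.

```python
"""Minimal sshd log watcher: count failed logins per source host and emit
hosts.deny entries for hosts over a threshold. Added example, not DenyHosts."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample of sshd syslog lines (assumed, not from the original thread).
SAMPLE_LOG = """\
Apr 12 11:01:02 host sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 4411 ssh2
Apr 12 11:01:04 host sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 4411 ssh2
Apr 12 11:01:06 host sshd[2212]: Failed password for root from 203.0.113.5 port 4413 ssh2
Apr 12 11:01:08 host sshd[2214]: Invalid user oracle from 203.0.113.5
Apr 12 11:01:09 host sshd[2214]: Failed password for invalid user oracle from 203.0.113.5 port 4415 ssh2
Apr 12 11:01:12 host sshd[2216]: Failed password for invalid user test from 203.0.113.5 port 4417 ssh2
Apr 12 11:05:30 host sshd[2300]: Failed password for lonnie from 198.51.100.7 port 50112 ssh2
Apr 12 11:05:35 host sshd[2300]: Accepted publickey for lonnie from 198.51.100.7 port 50112 ssh2
Apr 12 11:07:00 host sshd[2310]: Failed password for root from 192.0.2.9 port 3333 ssh2
"""

# Matches sshd's "Failed <method> for [invalid user ]<user> from <ip> port <n>" lines.
# The separate "Invalid user X from IP" line is deliberately not counted, so one
# bad attempt is not counted twice.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Yield (ip, user, is_invalid_user) for each failed authentication line."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), bool(m.group("invalid"))


def count_failures(log_text):
    """Return {ip: Counter(user -> failures)} so you can also see which
    account names were tried (real or, as Justin put it, fantastic)."""
    per_host = defaultdict(Counter)
    for ip, user, _invalid in parse_failures(log_text):
        per_host[ip][user] += 1
    return per_host


def hosts_to_block(log_text, threshold=5, allow_nets=()):
    """Return {ip: total_failures} for hosts with >= threshold failures,
    skipping any address inside allow_nets (assumed management networks
    you never want an automated blocker to lock out)."""
    allow = [ipaddress.ip_network(n) for n in allow_nets]
    blocked = {}
    for ip, users in count_failures(log_text).items():
        total = sum(users.values())
        if total < threshold:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # sshd may log a hostname; only block literal addresses
        if any(addr in net for net in allow):
            continue
        blocked[ip] = total
    return blocked


def hosts_deny_lines(blocked, service="sshd"):
    """Format tcpwrappers hosts.deny entries. service="ALL" gives the
    'denied all services' policy described in the thread."""
    return [f"{service}: {ip}" for ip in sorted(blocked, key=ipaddress.ip_address)]


if __name__ == "__main__":
    bad = hosts_to_block(SAMPLE_LOG, threshold=5, allow_nets=["198.51.100.0/24"])
    for ip, n in bad.items():
        print(f"{ip}: {n} failed attempts, users tried: "
              f"{dict(count_failures(SAMPLE_LOG)[ip])}")
    print("\n".join(hosts_deny_lines(bad, service="ALL")))
```

Run it against a real auth log by replacing SAMPLE_LOG with the file contents; on the sample it flags only 203.0.113.5 (five failures across admin, root, oracle and test), while the single typo from the allow-listed 198.51.100.7 is ignored even at a threshold of 1. Whatever you use to append the resulting lines to hosts.deny, keep the allow list in place: a permanent block with no exception is exactly the kind of setting that hurts good people more than bad ones.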
