Securing SSH access

Doran L. Barton fozz at iodynamics.com
Sat Mar 29 00:08:21 MDT 2008


Not long ago, Dave Smith proclaimed...
> In the past, I have used /etc/hosts.[deny|allow] to secure my SSH server by 
> restricting access to a limited number of IP addresses. This has worked 
> very well for me over the past 3 or 4 years, but now I need to allow access 
> to a non-enumerable set of client IP addresses, so I am considering 
> alternate methods. The first method on my list is to require key-based 
> authentication (no passwords). Secondly, I'm thinking about using an 
> alternate port (i.e., 2222 instead of 22) simply to ward off automated botnet 
> logins.
>
> Does anyone see a problem with this? Any other ideas?

If you can get away with it, disable password authentication in sshd_config
(the 'PasswordAuthentication' directive) and require DSA (or RSA) keys. 

If you must allow password authentication, first make sure you do not allow
the root user to log in via SSH. This is controlled via the
'PermitRootLogin' directive in sshd_config. 

Newer versions of OpenSSH have some controls that provide some defense
against the all-evil dictionary password attack. Hopefully someone more
familiar with these controls will comment on them.

I've had a lot of luck using DenyHosts and there are plenty of lookalikes
out there as well.  DenyHosts works by populating the tcpwrappers config
files (e.g. /etc/hosts.deny), just like you've been doing, after analyzing
sshd entries in your syslog files. Other programs actually use iptables. 

DenyHosts can be found here: < http://denyhosts.sourceforge.net/ >

Because passwords are the real weakness where dictionary attacks are
concerned, not allowing them is ideal. 

I don't think much will be gained from using an alternate port as it is
trivial to scan a machine and identify any SSH ports. 

Port knocking is an option, but not one your users will appreciate as it
requires more effort on their part. Wikipedia will tell you more about
it: < http://en.wikipedia.org/wiki/Port_knocking > 

Good luck.

-- 
fozz at iodynamics.com is Doran L. "Fozz" Barton
 "Enraged cow injures farmer with axe"
    -- Headline seen in newspaper
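The two mechanisms the reply recommends, the sshd_config directives and a DenyHosts-style pass over sshd syslog entries, are shown together in this added example. It is not code from the original post, from DenyHosts, or from OpenSSH: the log lines, the sshd_config excerpt and the addresses (RFC 5737 test ranges) are constructed, and the audit only covers the two directives named in the reply, ignoring Match blocks.

```python
import re
from collections import Counter

# Constructed sample syslog lines in OpenSSH's format (not a real log).
SAMPLE_AUTH_LOG = """\
Mar 29 00:01:02 box sshd[4001]: Failed password for invalid user admin from 203.0.113.5 port 40011 ssh2
Mar 29 00:01:04 box sshd[4001]: Failed password for invalid user admin from 203.0.113.5 port 40012 ssh2
Mar 29 00:01:07 box sshd[4002]: Failed password for root from 203.0.113.5 port 40013 ssh2
Mar 29 00:01:09 box sshd[4003]: Failed password for root from 198.51.100.7 port 51000 ssh2
Mar 29 00:02:00 box sshd[4004]: Accepted publickey for fozz from 192.0.2.10 port 60000 ssh2
Mar 29 00:02:30 box sshd[4005]: Failed password for fozz from 192.0.2.10 port 60001 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from "
    r"(\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins_by_ip(log_text):
    """Count failed password attempts per source IP, as DenyHosts does."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return dict(counts)


def hosts_deny_entries(counts, threshold):
    """Return tcpwrappers lines ("sshd: <ip>") for IPs at or above threshold.

    These are the lines a DenyHosts-style tool appends to /etc/hosts.deny.
    """
    return [f"sshd: {ip}" for ip, n in sorted(counts.items()) if n >= threshold]


# Constructed sshd_config excerpt. sshd honours the FIRST occurrence of a
# directive, so the later "PasswordAuthentication no" has no effect here.
SAMPLE_SSHD_CONFIG = """\
Port 22
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
UsePAM yes
"""

# Hardened values the reply recommends. A missing directive falls back to
# the compiled-in default, which for PasswordAuthentication is "yes".
WANTED = {"passwordauthentication": "no", "permitrootlogin": "no"}


def effective_directives(config_text):
    """First-match-wins view of a sshd_config, keywords lower-cased."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key = parts[0].lower()
        if key not in seen:                   # later duplicates are ignored
            seen[key] = parts[1].strip().lower()
    return seen


def audit_sshd_config(config_text):
    """List the directives that are not set to the hardened value."""
    actual = effective_directives(config_text)
    problems = []
    for key, wanted in WANTED.items():
        value = actual.get(key, "<not set, default applies>")
        if value != wanted:
            problems.append(f"{key} is '{value}', expected '{wanted}'")
    return problems


if __name__ == "__main__":
    counts = failed_logins_by_ip(SAMPLE_AUTH_LOG)
    print("failed attempts per IP:", counts)
    print("hosts.deny entries (threshold 3):", hosts_deny_entries(counts, 3))
    print("sshd_config findings:", audit_sshd_config(SAMPLE_SSHD_CONFIG))
```

Run on a real /etc/ssh/sshd_config and auth log, the same two functions give a quick check that password logins and root logins are actually off, and show which hosts a DenyHosts-style threshold would have blocked. The first-match rule is the easy mistake: appending `PasswordAuthentication no` to the end of a file that already says `yes` earlier changes nothing.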