SSH on by default? (Was: too many deamons by default - F7 test 2 live cd)

Matthias Saou thias at spam.spam.spam.spam.spam.spam.spam.egg.and.spam.freshrpms.net
Tue Mar 20 10:31:11 UTC 2007


Nicolas Mailhot wrote:

> >> At least ssh rate-limiting should be in the default firewall install.
> >
> > That'll just delay the problem.
> 
> For casual brute-force attacks it will solve the problem, but it's true
> firewall-level blacklisting is prone to DOSing (as opposed to pam-level
> blacklisting that knows about "users")

If you want to "protect" your ssh access, this is a slick solution I
really like: pure iptables-based port knocking! Example:

# iptables-save syntax; both user chains have to exist before the rules below
# can be loaded, and INPUT's policy must be DROP (see the note further down).
:SSH-KNOCK - [0:0]
:SSH-INPUT - [0:0]

-A INPUT -j SSH-KNOCK

# 1. source already completed both knocks (listed in SSH1): let port 22 through
-A SSH-KNOCK -p tcp -m state --state NEW -m tcp --dport 22 -m recent --rcheck --name SSH1 --rsource -j ACCEPT
# 2. a knocked-in source hitting any other port: forget it again (closes the door)
-A SSH-KNOCK -p tcp -m state --state NEW -m tcp -m recent --remove --name SSH1 --rsource -j DROP
# 3. second knock (5678) from a source that did the first one: promote it to SSH1
-A SSH-KNOCK -p tcp -m state --state NEW -m tcp --dport 5678 -m recent --rcheck --name SSH0 --rsource -j SSH-INPUT
# 4. anything else from a source that did only the first knock: reset it
-A SSH-KNOCK -p tcp -m state --state NEW -m tcp -m recent --remove --name SSH0 --rsource -j DROP
# 5. first knock (1234): remember the source in SSH0
-A SSH-KNOCK -p tcp -m state --state NEW -m tcp --dport 1234 -m recent --set --name SSH0 --rsource -j DROP

# reached only via rule 3: record the source in SSH1, the knock packet itself is still dropped
-A SSH-INPUT -m recent --set --name SSH1 --rsource -j DROP

Simply telnet to port 1234, stop it, telnet to 5678, stop it, and you
can ssh in from your local IP address ("recent" is amazing!). Once
you're done, telnet to any closed port other than 5678 and you won't be
able to go in anymore, but your established connections won't be closed
as long as you've set an ESTABLISHED state to ACCEPT somewhere
above. You can also whitelist some networks to your ssh port before
this trick, just in case. Note that you also need to set DROP as your
INPUT policy.

I'm *NOT* saying I want this by default in Fedora; I don't. I'm just
suggesting this as a real-world working solution for those who
currently use blacklists, denyhosts, pam modules etc. to protect
themselves against brute force attacks. Nothing will ever beat a
non-answering ssh port to get attackers to move on ;-)

(Sorry for this OT post, but I thought it might be useful)

Matthias

-- 
Clean custom Red Hat Linux rpm packages : http://freshrpms.net/
Fedora Core release 6 (Zod) - Linux kernel 2.6.19-1.2911.6.5.fc6
Load : 1.18 1.10 0.89
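As an added example (not part of the mail above, and not an iptables tool), the following Python model walks the SSH-KNOCK and SSH-INPUT chains exactly in the order the rules are listed, with each "recent" list represented as a set of source addresses. It makes the rule ordering visible: the right knock sequence opens port 22 for that source only, a reversed sequence does not, touching another port after knocking in revokes access, and an ascending port sweep never reaches the open state because the first port after 1234 clears the SSH0 entry. The addresses and the 9999 "closed port" are constructed sample values.

```python
# Added example, not from the original post: a model of the iptables
# "recent"-based port-knock chain for NEW TCP packets.

SSH_PORT = 22      # port protected by the chain
KNOCK_1 = 1234     # first knock:  --set   --name SSH0
KNOCK_2 = 5678     # second knock: --rcheck --name SSH0, then --set --name SSH1


class KnockFirewall:
    """Emulates the SSH-KNOCK / SSH-INPUT chains for NEW TCP packets.

    The posted rules use no --seconds option, so 'recent' entries never time
    out and no expiry is modelled. ESTABLISHED traffic is assumed to be
    accepted earlier in INPUT, as the mail says, so only NEW packets are
    walked here.
    """

    def __init__(self):
        self.ssh0 = set()   # --name SSH0: sources that did the first knock
        self.ssh1 = set()   # --name SSH1: sources that did both, port 22 open

    def new_tcp(self, src, dport):
        """Return the verdict for one NEW TCP packet from src to dport."""
        # rule 1: --dport 22 --rcheck SSH1 -> ACCEPT
        if dport == SSH_PORT and src in self.ssh1:
            return "ACCEPT"
        # rule 2: any port, --remove SSH1 -> DROP; 'recent --remove' only
        # matches when src is listed, so this is what revokes access when a
        # knocked-in host touches another port
        if src in self.ssh1:
            self.ssh1.discard(src)
            return "DROP"
        # rule 3: --dport 5678 --rcheck SSH0 -> SSH-INPUT (--set SSH1, DROP)
        if dport == KNOCK_2 and src in self.ssh0:
            self.ssh1.add(src)
            return "DROP"
        # rule 4: any port, --remove SSH0 -> DROP (a wrong second knock resets)
        if src in self.ssh0:
            self.ssh0.discard(src)
            return "DROP"
        # rule 5: --dport 1234 --set SSH0 -> DROP
        if dport == KNOCK_1:
            self.ssh0.add(src)
            return "DROP"
        # end of SSH-KNOCK: back to INPUT, whose policy must be DROP
        return "DROP"

    def verdicts(self, src, ports):
        """Verdict for each port in turn, carrying list state between packets."""
        return [self.new_tcp(src, p) for p in ports]


def correct_knock(src="192.0.2.10"):
    """Knock in the documented order, then open an SSH connection."""
    return KnockFirewall().verdicts(src, [KNOCK_1, KNOCK_2, SSH_PORT])


def wrong_order(src="192.0.2.11"):
    """Knocks reversed: 5678 arrives before SSH0 exists, so SSH1 is never set."""
    return KnockFirewall().verdicts(src, [KNOCK_2, KNOCK_1, SSH_PORT])


def revoke_after_use(src="192.0.2.12"):
    """Knock in, then hit an unrelated closed port (9999, constructed)."""
    fw = KnockFirewall()
    fw.verdicts(src, [KNOCK_1, KNOCK_2, SSH_PORT])
    return fw.verdicts(src, [9999, SSH_PORT])


def sequential_scan(src="198.51.100.7"):
    """An ascending sweep of every port never opens 22: port 1235 clears the
    SSH0 entry via rule 4 long before 5678 is reached."""
    fw = KnockFirewall()
    fw.verdicts(src, range(1, 65536))
    return fw.new_tcp(src, SSH_PORT)


def per_source_isolation():
    """Knocking from one address opens port 22 for that address only."""
    fw = KnockFirewall()
    fw.verdicts("192.0.2.20", [KNOCK_1, KNOCK_2])
    return fw.new_tcp("192.0.2.21", SSH_PORT), fw.new_tcp("192.0.2.20", SSH_PORT)


if __name__ == "__main__":
    print("correct order :", correct_knock())
    print("wrong order   :", wrong_order())
    print("revoked       :", revoke_after_use())
    print("after scan    :", sequential_scan())
    print("other / own   :", per_source_isolation())
```

Because the rules carry no --seconds, a source that completes both knocks stays in SSH1 until it touches another port or is pushed out of the list by newer entries; adding --seconds to the --rcheck in rules 1 and 3 is the usual way to give the open window a lifetime.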

More information about the fedora-devel-list mailing list