ssh security

jdow jdow at earthlink.net
Tue Dec 27 11:35:15 UTC 2005


From: "Will Partain" <will.partain at verilab.com>

> "jdow" <jdow at earthlink.net> writes:
> 
>> I have found, however, that a simple three line iptables addition seems
>> to work like a champ, except for filling up the log.
>>
>> ===8<---
>> iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
>> iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
>>   --rcheck --seconds 120 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
>> iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
>>   --rcheck --seconds 120 --hitcount 3 -j REJECT --reject-with tcp-reset
>> ===8<---
> 
> This is indeed a lovely approach, but has a drawback: it can't tell
> the difference between many legit SSH connections and many bogus ones.
> 
> For example, if you are getting at a Subversion repository with
> 'svn+ssh://host/repo-stuff', then whole bunches of ssh connections
> will be made in rapid succession.  You can always up the hitcount, but
> that's just a method waiting to fail (e.g. what if SVN does something
> unexpected that needs _lots_ of ssh connections).

Of course you must assess your particular needs and determine if limiting
connections this way is appropriate. I'm not sure at the moment whether
the tracking and blocking is per IP or not. If it is per IP address then
it's easy enough to drop the timeout to something reasonable for an SVN
transaction but longer than no time at all. It would at least slow people
down until you can block their IP completely.

{^_^}
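The per-IP question raised in the message above can be answered by modelling what the three quoted rules do: the `recent` match tracks entries by source address by default, rule 1 records every SYN to port 22 in the `sshattack` list, and rules 2 and 3 fire once an address has been seen `--hitcount` times within `--seconds`. The following Python model is an added example, not code from the original thread or from netfilter itself. It assumes an inclusive time window and an unbounded list of timestamps per address (the real module keeps only a bounded number per entry), and the sample SYN sequences are constructed.

```python
from collections import defaultdict

class RecentList:
    """Simplified model of one netfilter 'recent' list, keyed by source
    address (the module's default, --rsource).  Assumption: timestamps per
    address are kept without limit; the kernel module keeps a bounded number."""

    def __init__(self, name):
        self.name = name
        self.stamps = defaultdict(list)   # src -> list of SYN arrival times (s)

    def set(self, src, now):
        """'-m recent --name X --set': record this packet for its source."""
        self.stamps[src].append(now)

    def rcheck(self, src, now, seconds, hitcount):
        """'--rcheck --seconds S --hitcount N': match when the source has at
        least N recorded packets inside the last S seconds (inclusive)."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        return hits >= hitcount

def filter_syns(syns, seconds=120, hitcount=3):
    """Apply the three quoted rules to a sequence of (time, src) SYN packets.

    Rule 1 (--set) has no target, so it records every SYN before rules 2 and 3
    are evaluated; this means rejected SYNs, and any retransmissions of them,
    also count toward the threshold.  Returns a list of (time, src, verdict).
    """
    sshattack = RecentList("sshattack")
    verdicts = []
    for now, src in syns:
        sshattack.set(src, now)                               # rule 1
        if sshattack.rcheck(src, now, seconds, hitcount):     # rules 2 + 3
            verdicts.append((now, src, "REJECT"))             # LOG, then tcp-reset
        else:
            verdicts.append((now, src, "ACCEPT"))             # falls through
    return verdicts

def rejected_sources(verdicts):
    """Distinct source addresses that received at least one REJECT."""
    return sorted({src for _, src, v in verdicts if v == "REJECT"})

if __name__ == "__main__":
    # Constructed: an svn+ssh session opening four connections in four seconds.
    svn_burst = [(0, "192.0.2.10"), (1, "192.0.2.10"), (2, "192.0.2.10"), (3, "192.0.2.10")]
    # Constructed: three unrelated clients, one connection each.
    spread = [(0, "198.51.100.1"), (1, "198.51.100.2"), (2, "198.51.100.3")]

    for label, syns, secs in [("svn burst, 120 s window", svn_burst, 120),
                              ("svn burst, 1 s window", svn_burst, 1),
                              ("distinct clients, 120 s window", spread, 120)]:
        out = filter_syns(syns, seconds=secs)
        print(f"{label}: {[v for _, _, v in out]}  rejected={rejected_sources(out)}")
```

With the quoted 120 s window the third and fourth connections of the same client are reset, which is exactly the svn+ssh failure Will describes; the three distinct clients are never affected because each address has its own entry. Shrinking the window to 1 s, as the message suggests, lets a one-connection-per-second svn session through while still catching a client that opens three connections inside a single second.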