Is it safe to open ssh port to world with only key based authentication?
John Summerfied
debian at herakles.homelinux.org
Fri Nov 25 22:43:33 UTC 2005
Scot L. Harris wrote:
> On Fri, 2005-11-25 at 05:19, Vijay Gill wrote:
>
>>I am working on the idea of writing a small script which will modify
>>the port of sshd every day according to some logic I will use on the
>>client side to find the port for that day. This script will run in
>>background and will do the job of modifying the config file and
>>restarting of the service automatically.
>>
>>Does that sound like an even more secure idea?
>>
>>Regards from
>>Vijay Gill
>
>
> Actually that will not buy you more security. If you disable root ssh
> access, use good passwords, use keys, use ssh2 only, and restrict the
> users that are allowed to ssh to the system you have covered most of the
> items that improve your security. Changing the ssh port is generally
> not viewed as making your system more secure. It will keep the script
> kiddies from knocking on the door but any one that targets your system
> specifically will scan all ports and find that you have ssh on a
> different port.
>
> I use a different port for ssh. This keeps my log files cleaner. But
> it does not make my system any more secure. That is taken care of by
> using the other methods mentioned above for ssh.
>
> You might want to check out port knocking. Although there was an
> article posted on the web that argued that even port knocking does not
> provide any added security.
>
> Just remember that you want to keep your system just a little more
> secure than the next system. Just be careful not to make things so
> complex that you introduce a security hole.
>
> Most of the ssh scanning going on relies on people not using good
> passwords. By simply using good passwords on all accounts the risk is
> all but eliminated. It is sad how many systems out there have accounts
> with very poor passwords.
>
I have decided I only want to allow ssh from IP addresses from my
region, and have configured tcpwrappers accordingly:
mail:~# tail /etc/hosts.allow
#
# Example: ALL: LOCAL @some_netgroup
# ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper. See portmap(8)
# and /usr/doc/portmap/portmapper.txt.gz for further information.
sshd: 203.33. 220.235. 192.168.
If someone from an unapproved location connects, they're terminated, and
I don't get to read page after page of reports of someone enumerating
user/password combinations. If I need to connect from outside these
regions I'll take a laptop with openvpn.
This can be pretty cool too:
/etc/hosts.deny
# The PARANOID wildcard matches any host whose name does not match its
# address. You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID
sshd: ALL
false: ALL: spawn ((echo attack from %h;id -a) | \
/usr/bin/mail -s %d-%h root) &
and
summer at www:~$ cat /etc/xinetd.d/telnet
# default: off
# description: An internal xinetd service which gets the current system time
# then prints it out in a format like this: "Wed Nov 13 22:30:27 EST 2002".
# This is the tcp version.
service telnet
{
disable = no
socket_type = stream
protocol = tcp
# unprivileged account; the "server" never does anything useful
user = games
wait = no
# NAMEINARGS: tcpd takes its daemon name from server_args, so the
# hosts.allow/hosts.deny entries for this trap use the name "false"
flags = NAMEINARGS
server = /usr/sbin/tcpd
server_args = /bin/false
}
If someone connects to my telnet port I get mail, but I could instead
run iptables to block the source (and even the whole /24 network).
I could also use the same technique to implement a shoulder-tap, to
allow an ssh connexion for a few minutes after a connexion to port, say,
777.
--
Cheers
John
-- spambait
1aaaaaaa at computerdatasafe.com.au Z1aaaaaaa at computerdatasafe.com.au
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/
do not reply off-list
More information about the fedora-list mailing list
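An added example, not code from John's post: a POSIX shell script that implements the shoulder-tap he sketches (a tap on a tcpd-handled trap port grants the tapping address a time-limited "sshd:" line in hosts.allow, and a cron sweep removes stale grants), plus a small checker that emulates tcpd's client-list matching for the three forms used in his hosts.allow ("ALL", an exact address, and a trailing-dot prefix such as "203.33."). The file path ALLOW_FILE, the TAP_TTL lifetime, the "# shoulder-tap" tag, the daemon name "tap" and the handler path are all assumptions made for the example; the sample hosts.allow contents are constructed. The emulation covers only those simple client forms, so use tcpdmatch(8) (for instance `tcpdmatch sshd 203.33.1.2`) as the authoritative check on a real box. One caveat worth knowing: OpenSSH removed its built-in tcpwrappers (libwrap) support in 6.7, so on a current system sshd only consults hosts.allow if the distribution patched that back in or sshd is run behind tcpd.

```shell
#!/bin/sh
# Shoulder-tap for tcpwrappers (added example, not from the original post).
# Model: hosts.allow carries a rule for the trap daemon, assumed to look like
#     tap: ALL: spawn /usr/local/sbin/shoulder-tap grant %a
# so a connection to the trap port runs "grant <client address>" here, and
# cron runs "expire" every minute to remove grants whose lifetime has passed.
# ALLOW_FILE, TAP_TTL, the tag and the "tap" daemon name are assumptions.

ALLOW_FILE="${ALLOW_FILE:-/etc/hosts.allow}"
TAP_TTL="${TAP_TTL:-300}"        # grant lifetime in seconds
TAG="# shoulder-tap"             # marks the lines this script owns

# Accept only a dotted-quad IPv4 address. %a comes from the network, so it is
# validated before it is written into a file that tcpd parses as policy.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++)
                      if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
                  exit 0 }
        { exit 1 }'
}

# grant ADDR [TTL]: append an sshd line for ADDR expiring TTL seconds from now.
grant() {
    addr=$1; ttl=${2:-$TAP_TTL}
    valid_ipv4 "$addr" || return 1
    expires=$(( $(date +%s) + ttl ))
    printf 'sshd: %s %s expires=%s\n' "$addr" "$TAG" "$expires" >> "$ALLOW_FILE"
}

# expire: drop every tagged line whose expiry time has passed. The rewrite goes
# through a temp file and "cat >" so the inode and mode of hosts.allow survive.
expire() {
    tmp=$(mktemp) || return 1
    awk -v now="$(date +%s)" -v tag="$TAG" '
        index($0, tag) && match($0, /expires=[0-9]+/) {
            if (substr($0, RSTART + 8, RLENGTH - 8) + 0 <= now) next
        }
        { print }' "$ALLOW_FILE" > "$tmp" && cat "$tmp" > "$ALLOW_FILE"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# is_allowed ADDR: emulate tcpd's client-list match for the "sshd:" lines in
# ALLOW_FILE for the forms used in the post: "ALL", an exact address, and a
# trailing-dot prefix such as "203.33." (matches 203.33.x.x, not 203.3.x.x).
# A check aid only; tcpdmatch(8) is the authoritative matcher.
is_allowed() {
    awk -v addr="$1" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*sshd[[:space:]]*:/ {
            sub(/^[[:space:]]*sshd[[:space:]]*:/, "")
            sub(/#.*/, "")                         # strip trailing comment
            n = split($0, f, /[[:space:],]+/)
            for (i = 1; i <= n; i++) {
                p = f[i]
                if (p == "ALL" || p == addr ||
                    (p ~ /\.$/ && index(addr, p) == 1)) { found = 1; exit }
            }
        }
        END { exit found ? 0 : 1 }' "$ALLOW_FILE"
}

# demo: exercise the functions on a scratch file (constructed input).
demo() {
    ALLOW_FILE=$(mktemp)
    printf 'sshd: 203.33. 220.235. 192.168.\n' > "$ALLOW_FILE"
    for a in 203.33.7.9 203.3.7.9 10.0.0.5; do
        if is_allowed "$a"; then echo "$a allowed"; else echo "$a denied"; fi
    done
    grant 10.0.0.5 && is_allowed 10.0.0.5 && echo "10.0.0.5 allowed after tap"
    grant 10.0.0.6 0; expire        # TTL 0: gone at the next sweep
    is_allowed 10.0.0.6 || echo "10.0.0.6 grant expired"
    rm -f "$ALLOW_FILE"
}

case "${1:-demo}" in
    grant)  grant "$2" ;;
    expire) expire ;;
    check)  is_allowed "$2" ;;
    demo)   demo ;;
esac
```

The grant is written as one self-describing line with the tag and an absolute expiry, so the sweep needs no state of its own and a crashed or rebooted host still cleans up at the next minute. Validating %a before writing it matters: the address is attacker-supplied, and hosts.allow is policy.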