Securing SSH

Richard Emberson remberson at edgedynamics.com
Wed May 24 16:21:24 UTC 2006


Another option:
http://www.hexten.net/pam_abl/

Provides auto blacklisting of hosts and users responsible for repeated 
failed authentication attempts. Generally configured so that blacklisted 
users still see normal login prompts but are guaranteed to fail to 
authenticate.


Guillermo Garron wrote:
> I can also recommend denyhosts
> 
> yum install denyhosts
> 
> when you fail the login via SSH n times your IP will be added to 
> /etc/hosts.deny; you can configure the "n" ...
> 
> you can also configure it to avoid adding the IP of your office to 
> /etc/hosts.deny even if you fail the login, no matter how many times.
> 
> This should keep the hacker out of your system if you have a strong 
> password for all your users, and if you limit the "n" to a small number no 
> dictionary attack should succeed.
> 
> hope it helps.
> 
> regards,
> 
> guillermo.
> 
> 
> jdow wrote:
>> From: "Brian D. McGrew" <brian at visionpro.com>
>>
>>> Good morning,
>>>
>>> I'm looking to tighten up my ssh configuration.  I have to have SSH open
>>> on the box at home so I can get to it from the office.  I've found
>>> several articles on securing ssh that include deny root access and
>>> require 'wheel' group membership for su.
>>>
>>> Is changing the port to something non-standard a good idea?  What else
>>> can I do; can someone point me to a good write up on it?
>>
>> At the risk of being tendentious about it this is the trick I found
>> works very well:
>>
>> ===8<---
>> $IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack \
>>  --set
>> $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
>>  --rcheck --seconds 120 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
>> $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
>>  --rcheck --seconds 120 --hitcount 3 -j REJECT --reject-with tcp-reset
>> ===8<---
>>
>> Modify it to match your defines and names. I built my own set of rules
>> that have some special capabilities in them that I need. (I open a video
>> streaming hole when needed from another host on the system, for example.)
>>
>> What this does is prevent any site from making more than two tries in
>> 120 seconds. So far all attacks have been steady streams at VERY high
>> rates of connection attempt. They all get blocked after the first two.
>> Barring a cosmic accident with the right password being guessed right
>> off there's no chance of a break in even with ABCDefg as a password
>> before the Earth is engulfed by the Sun as the Sun ages. Even if they
>> get the 120 second rhythm going a decent password would be good just
>> an awesome long time. So it's not worth their efforts.
>>
>> {^_^}   Joanne
>>
> 


-- 
This email message is for the sole use of the intended recipient(s) and
may contain confidential information.  Any unauthorized review, use,
disclosure or distribution is prohibited.  If you are not the intended
recipient, please contact the sender by reply email and destroy all
copies of the original message.
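All three suggestions in this thread (pam_abl, denyhosts, and the iptables `recent` rules) rest on the same idea: count failed attempts per source within a time window, block once a threshold is reached, and optionally exempt trusted addresses. The following is an added example, not code from the thread or from any of those tools, that applies that logic to sshd auth log lines so you can see which sources a given threshold and window would have caught. The log lines, hostnames and addresses are constructed for the example; `find_offenders`, `parse_failed` and their parameters are names chosen here, and the default threshold of 3 failures in 120 seconds mirrors Joanne's rule set.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample sshd log lines in syslog format (not taken from the thread).
# 203.0.113.5 fails four times in seconds; 198.51.100.7 (the "office") fails
# three times in 20 s then logs in; 192.0.2.9 fails once every 3 minutes.
SAMPLE_LOG = """\
May 24 16:20:01 home sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
May 24 16:20:03 home sshd[4102]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
May 24 16:20:05 home sshd[4103]: Failed password for root from 203.0.113.5 port 51236 ssh2
May 24 16:20:07 home sshd[4104]: Failed password for root from 203.0.113.5 port 51237 ssh2
May 24 16:21:00 home sshd[4110]: Failed password for brian from 198.51.100.7 port 40000 ssh2
May 24 16:21:10 home sshd[4111]: Failed password for brian from 198.51.100.7 port 40001 ssh2
May 24 16:21:20 home sshd[4112]: Failed password for brian from 198.51.100.7 port 40002 ssh2
May 24 16:21:30 home sshd[4113]: Accepted publickey for brian from 198.51.100.7 port 40003 ssh2
May 24 16:30:00 home sshd[4120]: Failed password for invalid user test from 192.0.2.9 port 60000 ssh2
May 24 16:33:00 home sshd[4121]: Failed password for invalid user test from 192.0.2.9 port 60001 ssh2
May 24 16:36:00 home sshd[4122]: Failed password for invalid user test from 192.0.2.9 port 60002 ssh2
"""

# Matches the "Failed password" line sshd writes for both known and invalid users.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_failed(line):
    """Return (timestamp, user, source_ip) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; relative differences are all we need here
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("user"), m.group("ip")


def find_offenders(log_text, threshold=3, window_seconds=120, whitelist=()):
    """Sliding-window failure counter, one queue of timestamps per source IP.

    Returns {ip: line_number} giving the first line at which that IP reached
    `threshold` failures inside `window_seconds`. Sources inside any network in
    `whitelist` (CIDR strings or single addresses) are never reported, which
    is the "office IP" exemption denyhosts offers.
    """
    nets = [ip_network(w, strict=False) for w in whitelist]
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    blocked = {}
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        parsed = parse_failed(line)
        if parsed is None:
            continue  # accepted logins and unrelated lines do not count
        ts, _user, ip = parsed
        if any(ip_address(ip) in net for net in nets):
            continue
        if ip in blocked:
            continue  # already decided; later lines would be rejected anyway
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold:
            blocked[ip] = lineno
    return blocked


if __name__ == "__main__":
    for ip, line in sorted(find_offenders(SAMPLE_LOG).items()):
        print(f"{ip} would be blocked at log line {line}")
    print("with office whitelisted:",
          find_offenders(SAMPLE_LOG, whitelist=["198.51.100.0/24"]))
```

Running it with the defaults reports 203.0.113.5 at its third failure and 198.51.100.7 at its third, but never 192.0.2.9, whose three-minute spacing keeps it under the 120 second window: that is the "120 second rhythm" Joanne mentions, and the reason the threshold only buys you time rather than replacing a strong password or key-only authentication. Passing the office network in `whitelist` drops 198.51.100.7 from the result, matching Guillermo's denyhosts exemption.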




More information about the fedora-list mailing list