Securing SSH

jdow jdow at earthlink.net
Wed May 24 05:13:50 UTC 2006 

Heh, and if you manage to slam that second door in haste.... I like a
door that locks for a short time in as much as I have sufficient faith
in my ability to lock my keys in the car twice in succession. I am an
organic based intelligence unit even though I try to convince some
people otherwise. Where safe matters I try to fail safe. Where being
operational matters more I try to fail operational. That's how I lived
long enough to have all these grey hairs.

{^_-}
----- Original Message ----- 
From: "Guillermo Garron" <ggarron at alketech.com>


> Yes you are right, you can get completly blocked if you missed your options... what i do 
> for this , is to have a second door. (another Linux box) to wich i can go to.. and from 
> this to the first and unblock me :)
>
> but it depends on everyone wich option to take, anyway you are right,,, mine is a little 
> bit dangerous. :)
>
> regards,
>
> Guillermo.
>
>
> jdow escribió:
>> That is NOT what I consider a comfortable idea while I am on the road,
>> guillermo. The configuration I have simply rate limits attempts. So if
>> I screw up due to a keyboard with no capslock on it that I use with my
>> laptop, I am not permanently locked out. I can wait a couple minutes
>> and get in. (I also do this with pop3s and imaps. I REALLY want to be
>> able to get in from wherever I am likely to travel. Erm, I do tend to
>> lock out parts of the world I do not expect to visit. Most of Asia is
>> now blocked in front of my little tool as I discover netblocks that
>> make the attempts. It's interesting that few if any other parts of
>> the world seem to be running attacks. For every one attempt from say
>> the US I get two dozen from Asia. I'll have to unblock Southern
>> China soon. My partner's makeing a trip there for business in the
>> near future. I also maintain a permanent hole to ONE other address
>> on the net where I have a shell account. I figure that's safe and my
>> next level backup for getting in when I have to.)
>>
>> I also trust the iptables firewall more than tcpwrappers, although I
>> keep both in the "circuit."
>>
>> {^_^}    Joanne, color me paranoid.
>> ----- Original Message ----- From: "Guillermo Garron" <ggarron at alketech.com>
>>
>>
>>> I can also recommend denyhosts
>>>
>>> yum install denyhosts
>>>
>>> when you fail n time the login via SSH your IP will be added to the /etc/hosts.deny/ 
>>> you can configure the "n" ...
>>>
>>> you can also configure it to avoid adding the IP of your office to the 
>>> /etc/hosts.deny/ even if you fail the logging, no matter how many times.
>>>
>>> This should mantain the hacker out of your system if you have a strong password for 
>>> all your users, and limit the "n"to a small number no dictionary attack should have 
>>> success.
>>>
>>> hope it helps.
>>>
>>> regards,
>>>
>>> guillermo.
>>>
>>>
>>> jdow escribió:
>>>> From: "Brian D. McGrew" <brian at visionpro.com>
>>>>
>>>>> Good morning,
>>>>>
>>>>> I'm looking to tighten up my ssh configuration.  I have to have SSH open
>>>>> on the box at home so I can get to it from the office.  I've found
>>>>> several articles on securing ssh that include deny root access and
>>>>> require 'wheel' group membership for su.
>>>>>
>>>>> Is changing the port to something non-standard a good idea?  What else
>>>>> can I do; can someone point me to a good write up on it?
>>>>
>>>> At the risk of being tendentious about it this is the trick I found
>>>> works very well:
>>>>
>>>> ===8<---
>>>> $IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
>>>> $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
>>>>  --rcheck --seconds 120 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
>>>> $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
>>>>  --rcheck --seconds 120 --hitcount 3 -j REJECT --reject-with tcp-reset
>>>> ===8<---
>>>>
>>>> Modify it to match your defines and names. I built my own set of rules
>>>> that have some special capabilities in them that I need. (I open a video
>>>> streaming hole when needed from another host on the system, for example.)
>>>>
>>>> What this does is prevent any site from making more than two tries in
>>>> 120 seconds. So far all attacks have been steady streams at VERY high
>>>> rates of connection attempt. They all get blocked after the first two.
>>>> Barring a cosmic accident with the right password being guessed right
>>>> off there's no chance of a break in even with ABCDefg as a password
>>>> before the Earth is engulfed by the Sun as the Sun ages. Even if they
>>>> get the 120 second rythmn going a decent password would be good just
>>>> an awesome long time. So it's not worth their efforts.
>>>>
>>>> {^_^}   Joanne
>>>>
>>>
>>> -- 
>>> fedora-list mailing list
>>> fedora-list at redhat.com
>>> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>>
>
> -- 
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

More information about the fedora-list mailing list