Date: Tue, 19 Sep 2006 18:20:48 -0400 (EDT) From: "Dan Mahoney, System Admin" <danm@prime.gushi.org> To: Erik Norgaard <norgaard@locolomo.org> Cc: questions@freebsd.org Subject: Re: sshd brute force attempts? Message-ID: <20060919181232.L68018@prime.gushi.org> In-Reply-To: <45106397.9080206@locolomo.org> References: <20060919165400.A4380@prime.gushi.org> <45106397.9080206@locolomo.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 19 Sep 2006, Erik Norgaard wrote: > Along with some good advice. First of all: ssh is not a public service like > http or smtp where you need anyone to be able to connect. So don't let them > in the first place. It is in this case. It's a web server that allows shell usage (and encourages it, as I actually advocate the power that comes with a shell as opposed to the primitive (and less secure) interface you may get with crap utilities like cpanel, or FTP (where you're at the mercy of the featureset of your particular app). > Disable direct root login, in the article more than a third attempted to > login as root. Disable shell access for service accounts such as mysql, www > or ldap. Already being done. At this point I should mention that root has a login option whereby it can be done ONLY with publickey auth. > Use a scheme for choosing usernames that avoids common names like "james" and > avoid publishing usernames on web-sites, e-mail may differ from the username. This is somewhat unaviodable -- as I allow users to choose them. > Disable password based authentication and require ssh-keys if possible, best > if you can ensure both pasword and key based authentication. This also assumes that people password their keys, otherwise it actually *lessens* the security of a thing greatly. Most folks don't. I do wish there was some standard for forcing applications to not save passwords (other than OTP). > You may still find sshd login denied entries in your log - so what? it was > denied! This is really only a problem if the traffics saturates your > connection, or your log files grow so much that you run out of diskspace. It was denied, yes...but when it's denied for 200 different users from the same IP, it only takes one user with a weak password (and as much as I like keys, I personally prefer the passwords). I also find that since I have a nice web-enabled SSH app (as part of usermin), the key becomes sorta useless in that case. > The article also comments on moving ssh to a different port, but this causes > confusion and annoyance if you have many users and is non-standard. Doing the > other things works great, an ssh-key on a usb-keyring is great. For anyone savvy, yes. I don't assume that level of savvy. > Personally, I created a script for parsing the delegated files from the > different regional registries such as only to allow connection from EU > countries. Sounds interesting, is it public? > Since then, I get at most one attempt a week, few enough to manually look up > the ip with whois and decide if the host or network should be blocked. > > Cheers, Erik > -- <Wrin> quick, somebody tell me the moon phase please? <Dan_Wood> Wrin: Plummeting. -Undernet #reboot, 9/11/01 (day of the WTC bombing) --------Dan Mahoney-------- Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org ---------------------------
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060919181232.L68018>