Date:      Sun, 22 May 2005 15:42:28 -0500
From:      Chris <racerx@makeworld.com>
To:        Jerry Bell <jbell@stelesys.com>
Cc:        John DeStefano <john.destefano@gmail.com>, freebsd-questions@freebsd.org
Subject:   Re: securing SSH, FBSD systems
Message-ID:  <4290EEB4.9070502@makeworld.com>
In-Reply-To: <1368.24.99.220.144.1116792799.squirrel@24.99.220.144>
References:  <f2160e0d05052205454e6071d5@mail.gmail.com> <1368.24.99.220.144.1116792799.squirrel@24.99.220.144>

Jerry Bell wrote:
> These attacks are almost exclusively automated, looking to install a
> script to launch spam runs from.  They're essentially trying common
> username and weak password combinations - blank password, passwords the
> same as the user name, abc123, etc.  There are four things you can do to
> improve the security of sshd:
> 1. Move sshd to listen on a different port.  This will not protect against
> a concerted attack, though.
> 2. Check for weak passwords.  John the ripper can help out with that. 
> pam_passwdqc(8) can help you enforce strong passwords.
> 3. Integrate an automated log monitoring system that looks for
> *successful* logins, since those are really what you're worried about
> anyway.  This can be difficult to manage if you have a lot of regular
> shell users.
> 4. Keep up-to-date with security patches and advisories.  Attacking your
> system through password guessing is much harder than using a vulnerability
> in sshd or some other service.
> 
> I have a security guide for FreeBSD at:
> http://www.syslog.org/Content-5-4.phtml

5. (and my favorite) If running IPFW, use something like this if you
don't need ssh open to the whole of the internet. Narrow it down to a
range of IPs you need.

i.e.:
# Allow in SFTP, SSH, and SCP from only certain public IPs
${fwcmd} add 090 pass log tcp from xxx.xxx.xxx.xxx/29 to ${ip} 22 setup limit src-addr 4

What this does is allow up to 4 connections via ssh on port 22 from a
specified address range (or IP or class).



-- 
Best regards,
Chris

If an idea can survive a bureaucratic review and be
implemented, it wasn't worth doing.
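As an added example, not part of the thread or either poster's own code, of the log monitoring Jerry Bell recommends in point 3 combined with the address allowlist idea behind Chris's point 5: a small Python script that parses sshd lines in FreeBSD auth.log format, lists the successful logins, flags those that arrive from outside a trusted range or from a source that has just racked up password failures, and reports which sources are doing automated guessing. The log lines are constructed for the example; the trusted network 192.0.2.8/29 and the failure threshold of 3 are assumptions, not values from the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in FreeBSD /var/log/auth.log format (not real data).
# 203.0.113.9 behaves like the automated guessers described in the thread and
# then succeeds with a weak account; 192.0.2.10 is a legitimate admin host.
SAMPLE_LOG = """\
May 22 15:40:01 gw sshd[3501]: Failed password for invalid user admin from 203.0.113.9 port 4444 ssh2
May 22 15:40:03 gw sshd[3503]: Failed password for invalid user test from 203.0.113.9 port 4445 ssh2
May 22 15:40:05 gw sshd[3505]: Failed password for root from 203.0.113.9 port 4446 ssh2
May 22 15:40:07 gw sshd[3507]: Failed password for invalid user oracle from 203.0.113.9 port 4447 ssh2
May 22 15:40:09 gw sshd[3509]: Failed password for invalid user guest from 203.0.113.9 port 4448 ssh2
May 22 15:41:30 gw sshd[3520]: Accepted publickey for chris from 192.0.2.10 port 51234 ssh2
May 22 15:42:11 gw sshd[3531]: Failed password for chris from 192.0.2.10 port 51240 ssh2
May 22 15:42:15 gw sshd[3531]: Accepted password for chris from 192.0.2.10 port 51240 ssh2
May 22 15:44:02 gw sshd[3540]: Accepted password for test from 203.0.113.9 port 4460 ssh2
"""

# sshd's two interesting outcomes; "invalid user" is logged for names with no account.
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed (\S+) for (?:invalid user )?(\S+) from (\S+) port \d+")


def parse_auth_log(text):
    """Split auth.log text into accepted and failed sshd logins (method, user, src)."""
    accepted, failed = [], []
    for line in text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append({"method": m.group(1), "user": m.group(2), "src": m.group(3)})
            continue
        m = FAILED_RE.search(line)
        if m:
            failed.append({"method": m.group(1), "user": m.group(2), "src": m.group(3)})
    return accepted, failed


def brute_force_sources(text, threshold=3):
    """Sources with at least `threshold` failed logins in the window: the guessers."""
    _, failed = parse_auth_log(text)
    counts = Counter(f["src"] for f in failed)
    return {src: n for src, n in counts.items() if n >= threshold}


def review_logins(text, trusted_nets=(), fail_threshold=3):
    """Successful logins worth an alert: source outside the trusted ranges (the same
    ranges an IPFW allow rule would carry), or a source that already failed
    `fail_threshold` times, i.e. a guess that eventually landed.

    Returns a list of (user, src, method, reason) tuples."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]  # assumed allowlist
    accepted, failed = parse_auth_log(text)
    fails_by_src = Counter(f["src"] for f in failed)
    alerts = []
    for a in accepted:
        reasons = []
        src = ipaddress.ip_address(a["src"])
        if nets and not any(src in n for n in nets):
            reasons.append("source outside trusted ranges")
        if fails_by_src[a["src"]] >= fail_threshold:
            reasons.append(f"{fails_by_src[a['src']]} failures from this source in the window")
        if reasons:
            alerts.append((a["user"], a["src"], a["method"], "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    accepted, _ = parse_auth_log(SAMPLE_LOG)
    print("successful logins:")
    for a in accepted:
        print(f"  {a['user']} from {a['src']} via {a['method']}")
    print("guessing sources:", brute_force_sources(SAMPLE_LOG))
    for user, src, method, why in review_logins(SAMPLE_LOG, trusted_nets=("192.0.2.8/29",)):
        print(f"ALERT: {user} from {src} via {method}: {why}")
```

Run it against a real auth.log with `review_logins(open("/var/log/auth.log").read(), trusted_nets=(...))`; the two-signal design matters because a successful login from a trusted host after one typo (chris above) is noise, while a success from a host that just tried five usernames is exactly the event point 3 tells you to watch for.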



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4290EEB4.9070502>