Date:      Sat, 20 Mar 2010 19:27:44 -0600
From:      "Peter" <fbsdq@peterk.org>
To:        "Leonidas Tsampros" <ltsampros@upnet.gr>
Cc:        Jamie Griffin <jamie@fantomatic.co.uk>, freebsd-questions@freebsd.org
Subject:   Re: securing sshd
Message-ID:  <45c7a5dcf32819443b68c881ddde9135.squirrel@pop.pknet.net>
In-Reply-To: <87wrx69b1l.fsf@upnet.gr>
References:  <201003201318.o2KDIcIt001241@fix.fantomatic.co.uk> <87wrx69b1l.fsf@upnet.gr>

> Jamie Griffin <Jamie@fantomatic.co.uk> writes:
>
>> Hello
>>
>> I've been reading up on securing sshd after being bombarded with
>> attempted logins.
>>
>> The steps i've taken so far to make things more secure are:
>>
>> * changed the encryption method for passwords in /etc/login.conf from
>> md5 to blowfish and changed all the passwords to ridiculously obscure
>> ones (at least as obscure as I could think of).
>>
>> * changed /etc/ttys secure entries to insecure to prevent root logins on
>> the console
>>
>>   (the above are not really sshd specific i know.)
>>
>> * Disabled root login by ssh in /etc/ssh/sshd_config
>>
>> * Set myself as the only user able to login by ssh
>>
>> * Disabled password logins completely, and to only allow public key
>> authentication
>>
>> * Changed the default ssh port from 22 to something much higher
>>
>> I'm the only user that will ever need to log into the machine. I
>> wondered, does this setup seem ok and are there any other methods used
>> by anyone on list that might help me to secure remote logins even
>> further?
>
> Hi,
>
> I'm using the following pf snippet in order to "protect" myself and my
> system's logs against brute force attempts on sshd:
>
> #
> # Block them all
> #
> block log quick from <bruteforce_ssh>
>
> #
> # connection rate the incoming ssh connections and fill the bruteforce
> # table
> #
> pass in log inet proto tcp from any to any port = 22 \
>      flags S/SA keep state \
>      (max-src-conn 10, max-src-conn-rate 5/4, \
>      overload <bruteforce_ssh> flush global)
>
> For more information on how this works, take a look at pf.conf(5).
>
> I don't know if it's complete (or even good practice), but a) I think it
> works for me and b) it does not depend on a port-provided solution.
>
>> Thanks for any help.
>>
>> Jamie

On the same line, portknocking with pf:

.
..
...
# Table for allowed IPs
#  [gets auto populated via portknocking]
table <portknock_ssh> persist
.
..
...
block #default block policy
# Allow everyone to hit 'any' on port '1234' - pf proxies tcp connection
#  [if not using 'synproxy', the connection is never established to
#    'overload' the rule]
#  5 attempts in 15 seconds
pass in log quick proto tcp from any to any port {1234} synproxy state \
  (max-src-conn-rate 5/15, overload <portknock_ssh>)

#Allow IPs that have been 'overload'ed into the portknock_ssh table
pass in log quick proto tcp from {<portknock_ssh>} to any port {ssh}
.
..
...

Although ssh is blocked from all except some trusted IPs, you can still
always have access, just have to knock first.

]Peter[


Then put a crontab on an as-needed basis to expire all IPs in that table
that have not been referenced in 60 seconds:

*     *    *    *     * /sbin/pfctl -vt portknock_ssh -T expire 60

All established sessions will be kept alive; all new sessions will need to
portknock after the IP is cleared from the table.
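As an added illustration (not code from this thread, and not pf's own logic), here is a small Python model of the knock, overload and expire flow Peter describes, using the constructed address 192.0.2.10. It assumes an exact sliding window for max-src-conn-rate (pf actually uses a moving-average approximation) and expires table entries by the time they were added.

```python
from collections import defaultdict, deque

# Constructed, idealised model of the pf port-knock setup in this thread (not
# pf's code): a per-source connection-rate trigger that 'overloads' a table,
# the ssh pass rule keyed on that table, and the cron expiry. Modelling the
# rate as an exact sliding window and expiring on time-since-added are
# assumptions made for illustration.

class PortKnockModel:
    def __init__(self, rate=5, window=15, ttl=60):
        self.rate, self.window, self.ttl = rate, window, ttl
        self.table = {}                    # <portknock_ssh>: ip -> time added
        self.knocks = defaultdict(deque)   # ip -> timestamps of knocks on 1234
        self.states = set()                # established ssh sessions (ip, start)

    def knock(self, ip, now):
        """A SYN to the knock port at time `now`. Returns True when this knock
        exceeds rate/window, i.e. pf's overload adds the source to the table."""
        q = self.knocks[ip]
        q.append(now)
        while now - q[0] > self.window:    # drop knocks outside the window
            q.popleft()
        if len(q) > self.rate:             # the 6th knock inside 15 s triggers
            self.table.setdefault(ip, now)
            q.clear()
            return True
        return False

    def open_ssh(self, ip, now):
        """New ssh connection: passes only if the source is in the table.
        A passed connection gets a state entry that outlives the table entry."""
        if ip not in self.table:
            return False
        self.states.add((ip, now))
        return True

    def expire(self, now):
        """The cron job: remove table entries older than ttl seconds and return
        them. Existing states are untouched, so live sessions survive."""
        gone = [ip for ip, t in self.table.items() if now - t > self.ttl]
        for ip in gone:
            del self.table[ip]
        return gone

def demo():
    m = PortKnockModel()
    src = "192.0.2.10"                                  # constructed address
    hits = [m.knock(src, t) for t in range(0, 12, 2)]   # 6 knocks in 10 s
    first_ssh = m.open_ssh(src, 12)                      # in table -> allowed
    expired = m.expire(80)                               # 80 - 10 > 60 -> dropped
    return hits, first_ssh, expired, m.open_ssh(src, 81), len(m.states)
```

Five knocks spaced 10 seconds apart never exceed the 5/15 rate, so a slow scan of the knock port does not open ssh; only a burst does.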
