l i n u x - u s e r s - g r o u p - o f - d a v i s
Next Meeting:
July 7: Social gathering
Next Installfest:
Latest News:
Jun. 14: June LUGOD meeting cancelled
Page last updated:
2006 Sep 21 09:52

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox] security dilemma
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox] security dilemma

> There are three separate things you can do to minimize the
> attackability of your accounts:
> 1) Don't allow password based ssh logins. Use ssh keys with passwords
> on the keys to log in instead.
> 2) Disable/delete all accounts which aren't in use; make sure their
> passwords are invalid.

You can also allow only a specific set of users to login using ssh in the sshd config file
The relevent line would look like:

AllowUsers user1 user3 user7

This allows you to have accounts active that you need for whatever reason, but they don't need to be logging in with ssh. If you have a lot of users that need ssh access, AllowGroups may be better for that situation.
> 3) Install fail2ban or an equivalent to automatically ban IPs for a
> period of time once they have had a certain number of failures in a
> time period.

The method I use is an iptables rule that does rate limiting for new connections on port 22.
The relevent lines from iptables-save look like:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m limit --limit 4/min --limit-burst 2 -j ACCEPT 
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT 
This generally gets scripts to give up after the first few guesses
I use logwatch on my machines and my custom ssh section currently looks like this:

6 Failed logins for invalid user from

It used to look like this

645 Failed logins for invalid user from
97 Failed logins for invalid user from
351 Failed logins for invalid user from
27 Failed logins for invalid user from

The ssh section used to be really long, so I built an extra section that summarized the output as shown above.
> 4) If you don't do #1, make sure that all of the passwords on accounts
> are not trivially guessable. Using pam's cracklib can help enforce
> this if you have multiple users.
> That being said, ssh password guessing attacks are pretty much the
> easiest type of attack to defend against; there are many other modes
> of attack which are more likely to compromise your machine.
> Don Armstrong

Someone else mentioned it also, but I will say it again, using a different port helps reduce the ammount of automated attacks that hit your system. I use both port 22, and a different higher number port. I firewall the use of port 22 to a smaller set of addresses and leave the higher port open to the world. That way I can use ssh utilities from my regular machines without having figure out whether the utility I am using uses -p or -P to select the port. Then if I am connecting from a machine I don't regularly use, I can use the higher port number to connect.
The relevent lines in sshd_config look like:

Port 22

So you just add an additional line to get sshd to listen to multiple ports

Orson Jones
vox mailing list

LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
O'Reilly and Associates
For numerous book donations.