[nycbug-talk] Analyzing malicious SSH login attempts

Dru dlavigne6 at sympatico.ca
Tue Sep 12 10:33:49 EDT 2006



On Tue, 12 Sep 2006, michael wrote:

> 	Recommendations		[snips]
> 	* Use the /etc/hosts.allow and /etc/hosts.deny files...
> 	* Install a firewall to restrict access to the SSH server...
> 	* Restrict the SSH server to only authenticate...
> 	* Move the listening port of the SSH server from 22...
> 	* Use an alternate authentication method...
> 	* disable remote access to root...
>
> I've read Hosts.[allow|deny] can be spoofed and besides, I can not
> predict where I'll be when I want to logon. Granted, I could leave a
> box open somewhere to logon to, and then hop to the target with that
> box as allowed.. but, what's the point?  I still have a 'weak link'
> according to their logic.
>
> I am not a fan of port knocking, port shuffling, or any other port
> dance moves.  It would only delay an attacker a few seconds but would
> wreak havoc on my muscle memory and any scripts that use scp, rsync,
> forwarding, or tunnelling.
>
> For years I used PermitRootLogin=No, but I am being swayed recently
> that that is false security.  I also have found it to be really
> inconvenient.
>
> Recently, I have been moving toward keys vs. passwords (it makes logons
> fast and fun).  But I still have lingering anxiety that once you have
> my desktop, you have my local network AND my datacenter network AND
> anywhere else I've dropped a key.
>
> Maybe I should, more seriously, consider the sheer hassle of skeys.
>
> I'm curious, do NYCBUG talk subscribers consider this a "best
> practices" article?  Is anything misleading, wrong, missing.. or right?
>
> I am also curious.. where do we draw the line and just *trust* our OS?


Here is what I do. Curious as to what works for others on the list.

- restrict users with AllowUsers
- reduce MaxAuthTries to 3
- use overload/flush in pf to keep the logs sane

Dru
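As an added illustration (not from Dru's mail or the article under discussion), this is how those three points could look in sshd_config and pf.conf on a BSD host; the usernames, the interface name and the table name are assumptions:

```conf
# --- /etc/ssh/sshd_config (relevant lines only) ---
# Only these accounts may authenticate; every other username is refused
# before password or key checks run. Usernames are placeholders.
AllowUsers alice bob
# Disconnect after three failed attempts instead of OpenSSH's default of 6.
MaxAuthTries 3

# --- /etc/pf.conf (relevant lines only) ---
ext_if = "em0"            # assumed external interface name
# Persistent table (survives rule reloads) holding offending source addresses.
table <bruteforce> persist
# Anything already in the table is dropped before it reaches sshd,
# so repeat offenders stop generating auth.log noise.
block in quick on $ext_if from <bruteforce>
# Allow SSH, but track per-source behaviour:
#   max-src-conn 10         at most 10 simultaneous connections per source
#   max-src-conn-rate 3/30  at most 3 new connections per 30 seconds per source
# A source exceeding either limit is added to <bruteforce>; "flush global"
# also tears down every existing state from that address, not just the
# states created by this rule.
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/30, overload <bruteforce> flush global)
```

Table entries never age out by themselves; a periodic `pfctl -t bruteforce -T expire 86400` (for example from cron) drops addresses not seen for a day, and `pfctl -t bruteforce -T show` lists what is currently blocked.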
