[nycbug-talk] Analyzing malicious SSH login attempts
michael
lists at genoverly.net
Tue Sep 12 09:53:51 EDT 2006
http://www.securityfocus.com/infocus/1876
Analyzing malicious SSH login attempts
Christian Seifert 2006-09-11
Introduction
Malicious SSH login attempts have been appearing in some
administrators' logs for several years. This article revisits
the use of honeypots to analyze malicious SSH login attempts
and see what can be learned about this activity. The article
then offers recommendations on how to secure one's system
against these attacks.
...
Recommendations [snips]
* Use the /etc/hosts.allow and /etc/hosts.deny files...
* Install a firewall to restrict access to the SSH server...
* Restrict the SSH server to only authenticate...
* Move the listening port of the SSH server from 22...
* Use an alternate authentication method...
* disable remote access to root...
I've read Hosts.[allow|deny] can be spoofed and besides, I can not
predict where I'll be when I want to logon. Granted, I could leave a
box open somewhere to logon to, and then hop to the target with that
box as allowed.. but, what's the point? I still have a 'weak link'
according to their logic.
I am not a fan of port knocking, port shuffling, or any other port
dance moves. It would only delay an attacker a few seconds but would
wreak havoc on my muscle memory and any scripts that use scp, rsync,
forwarding, or tunnelling.
For years I used PermitRootLogin=No, but I am being swayed recently
that that is false security. I also have found it to be really
inconvenient.
Recently, I have been moving toward keys vs. passwords (it makes logons
fast and fun). But I still have lingering anxiety that once you have
my desktop, you have my local network AND my datacenter network AND
anywhere else I've dropped a key.
Maybe I should, more seriously, consider the shear hassle of skeys.
I'm curious, do NYCBUG talk subscribers consider this a "best
practices" article? Is anything misleading, wrong, missing.. or right?
I am also curious.. where do we draw the line and just *trust* our OS?
--
Michael
More information about the talk
mailing list