[kwlug-disc] Tightening up SSH
kb at 2bits.com
Mon Jul 19 10:31:56 EDT 2010
On Mon, Jul 19, 2010 at 10:23 AM, Dave Cramer <davec at visibleassets.com> wrote:
> On Mon, Jul 19, 2010 at 10:09 AM, Khalid Baheyeldin <kb at 2bits.com> wrote:
> > On Mon, Jul 19, 2010 at 8:37 AM, Johnny Ferguson <hyperflexed at gmail.com>
> > wrote:
> >> I'm relatively new to SSH, though I've come to love it very quickly.
> >> Recently I've been seeing a lot of activity in /var/log/auth.log (of the
> >> sshd sort). Sometimes 5 straight hours of brute force attacks. I've
> >> currently only whitelisted a single user. While I feel reasonably safe
> >> nothing has cracked yet, I live in constant fear of my account getting
> >> cracked open, at which time it would take no more than:
> >> sudo rm -rf /
> >> SO, just wondering what advice anyone could offer on hardening SSH. I
> >> might be a little paranoid, but I think it's still in the range of being
> >> healthy.
> >> -Johnny
> >> P.S. How do 2 machines determine an encryption key and communicate this
> >> to each other without giving the key away? Are there any good articles on
> >> how SSH works and what potential vulnerabilities are?
> > The single most effective thing you can do to prevent these types of attacks
> > is run ssh on a non-standard port.
> > This will stop these automated scans right away.
> > Edit your sshd config (on Debian/Ubuntu it is in /etc/ssh/sshd_config),
> > change:
> > Port 22
> > To:
> > Port 2123
> > Restart ssh, and you are done.
> > This means that those who are logging in to your server need to specify the
> > new port, so instead of:
> > ssh myuser@example.com
> > They should use:
> > ssh -p2022 myuser@example.com
> > And for scp, they need to use the -P (upper case) instead.
> > If that gets tedious they can edit their .ssh/config file and add the port
> > there for each host.
> > Host ex
> > HostName example.com
> > User myuser
> > Port 2123
> > Host ex2
> > HostName test2.example.com
> > User otheruser
> > Port 2123
> > They can now just use:
> > ssh ex2 or ssh ex, and ssh will fill in the port and user.
> I disagree. Any security mechanism that relies on obscurity is not
> secure. Just harden it. It's trivial to port scan you anyway.
I should have been more explicit on this.
See my reply to John on that. Do the ssh key thing for sure, but if you want
to see scans stopped, run ssh on another port.
Khalid M. Baheyeldin
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
Simplicity is the ultimate sophistication. -- Leonardo da Vinci
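As an added illustration of the auth.log activity Johnny describes above (example code written for this archive page, not from anyone in the thread): a small Python script that parses OpenSSH "Failed password" lines and reports the source addresses hammering the server, with the usernames they tried. The log lines are constructed samples in the Debian/Ubuntu sshd format, and the threshold of 3 is an assumed value.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines in OpenSSH's format
# (one scanning host trying several accounts, one legitimate key login,
# one typo from the legitimate host, and a bare "Invalid user" line).
SAMPLE_LOG = """\
Jul 19 09:01:12 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 52314 ssh2
Jul 19 09:01:15 host sshd[2103]: Failed password for root from 203.0.113.5 port 52320 ssh2
Jul 19 09:01:19 host sshd[2105]: Failed password for invalid user oracle from 203.0.113.5 port 52331 ssh2
Jul 19 09:02:40 host sshd[2110]: Accepted publickey for myuser from 198.51.100.7 port 40122 ssh2
Jul 19 09:03:02 host sshd[2112]: Failed password for myuser from 198.51.100.7 port 40130 ssh2
Jul 19 09:05:55 host sshd[2120]: Invalid user test from 203.0.113.5
"""

# Matches both "Failed password for invalid user NAME from IP port N"
# and "Failed password for NAME from IP port N".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def count_failures(log_text):
    """Return (failures per source IP, set of usernames tried per IP)."""
    per_ip = Counter()
    users = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and other sshd messages are ignored
        ip = m.group("ip")
        per_ip[ip] += 1
        users.setdefault(ip, set()).add(m.group("user"))
    return per_ip, users


def brute_force_sources(log_text, threshold=3):
    """Source IPs with at least `threshold` failed password attempts (assumed cut-off)."""
    per_ip, users = count_failures(log_text)
    return {ip: (n, sorted(users[ip])) for ip, n in per_ip.items() if n >= threshold}


if __name__ == "__main__":
    for ip, (n, names) in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed attempts, usernames tried: {', '.join(names)}")
```

On a real host, pass the contents of /var/log/auth.log to brute_force_sources() instead of SAMPLE_LOG; with password authentication disabled in sshd_config these lines stop appearing altogether, which is the hardening Dave is arguing for.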