On Mon, Jul 19, 2010 at 10:23 AM, Dave Cramer <span dir="ltr"><<a href="mailto:davec@visibleassets.com">davec@visibleassets.com</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div><div></div><div class="h5">On Mon, Jul 19, 2010 at 10:09 AM, Khalid Baheyeldin <<a href="mailto:kb@2bits.com">kb@2bits.com</a>> wrote:<br>
> On Mon, Jul 19, 2010 at 8:37 AM, Johnny Ferguson <<a href="mailto:hyperflexed@gmail.com">hyperflexed@gmail.com</a>><br>
> wrote:<br>
>><br>
>> I'm relatively new to SSH, though I've come to love it very quickly.<br>
>><br>
>> Recently I've been seeing a lot of activity in /var/log/auth.log (of the<br>
>> sshd sort). Sometimes 5 straight hours of brute force attacks. I've<br>
>> currently only whitelisted a single user. While I feel reasonably safe and<br>
>> nothing has cracked yet, I live in constant fear of my account getting<br>
>> cracked open, at which time it would take no more than:<br>
>><br>
>> sudo rm -rf /<br>
>><br>
>> SO, just wondering what advice anyone could offer on hardening SSH. I<br>
>> might be a little paranoid, but I think it's still in the range of being<br>
>> healthy.<br>
>><br>
>> -Johnny<br>
>><br>
>> P.S. How do 2 machines determine an encryption key and communicate this to<br>
>> eachother without giving the key away? Are there any good articles on how<br>
>> SSH works and what potential vulnerabilities are?<br>
><br>
> The single most effective thing you can do to prevent these types of attacks<br>
> is run ssh on a non standard port.<br>
><br>
> This will stop these automated scans right away.<br>
><br>
> Edit your sshd config (on Debian/Ubuntu it is in /etc/ssh/sshd_config), and<br>
> change:<br>
><br>
> Port 22<br>
><br>
> To:<br>
><br>
> Port 2123<br>
><br>
> Restart ssh, and you are done.<br>
><br>
> This means that those who are logging in to your server need to specify the<br>
> new port, so instead of:<br>
><br>
> ssh <a href="mailto:myuser@example.com">myuser@example.com</a><br>
><br>
> They should use:<br>
><br>
> ssh -p2022 <a href="mailto:myuser@example.com">myuser@example.com</a><br>
><br>
> And for scp, they need to use the -P (upper case) instead.<br>
><br>
> If that gets tedious they can edit their .ssh/config file and add the port<br>
> there for each host.<br>
><br>
> Host ex<br>
> HostName <a href="http://example.com" target="_blank">example.com</a><br>
> User myuser<br>
> Port 2123<br>
><br>
> Host ex2<br>
> HostName <a href="http://test2.example.com" target="_blank">test2.example.com</a><br>
> User otheruser<br>
> Port 2123<br>
><br>
> They can now just use:<br>
><br>
> ssh ex2 or ssh ex, and ssh will fill in the port and user.<br>
><br>
><br>
<br>
</div></div>I disagree. Any security mechanism that relies on obscurity is not<br>
secure. Just harden it. It's trivial to port scan you anyway.<br>
<font color="#888888"><br>
Dave</font><br></blockquote></div><br clear="all">I should have been more explicit on this. <br><br>See my reply to John on that. Do the ssh key thing for sure, but if you want <br>to see scans stopped, run ssh on another port.<br>
-- <br>Khalid M. Baheyeldin<br><a href="http://2bits.com">2bits.com</a>, Inc.<br><a href="http://2bits.com">http://2bits.com</a><br>Drupal optimization, development, customization and consulting.<br>Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra<br>
Simplicity is the ultimate sophistication. -- Leonardo da Vinci<br>