Odd ssh attacks?

Charlie Brune Ubuntu at BruneWorld.com
Sat Jul 21 02:12:16 UTC 2007


Here is how I defend against ssh attacks. My two cents. YMMV.

1. Use /etc/hosts.deny and /etc/hosts.allow (you have to use BOTH of 
them!). Put the following line in "/etc/hosts.deny":
ALL: ALL

That will stop all traffic to servers like sshd that pay attention to 
/etc/hosts.deny. How to let stuff in? See #2.

2. Use "/etc/hosts.allow" to explicitly allow traffic from IP addresses 
that you know/trust/are-willing-to-chance. You can
use something like:

sshd: 192.168.*, 71.*, 68.*

- or maybe -

sshd: all except 210.*

I think there are many many ways to specify addresses that you want to 
let in. Don't forget to specify 192.168.* if you
want to get to servers from your home network. (192.168.* works for my 
LinkSys router. Your address might be different.)

NOTE!!! Since we just "denied everything" in /etc/hosts.deny, you'll 
have to put a line in for any service that references
this table (like dovecot, rsyncd, etc.) where you *do* want to 
let traffic in.

For me, this way is the safest. I have to explicitly allow traffic in, 
so that makes me think more about what's going on.

Yes, I've heard that iptables uses less resources than /etc/hosts.deny 
and /etc/hosts.allow do. My opinion is that the
syntax for using these two files is MUCH easier. For a home system, such 
as mine, the extra cycles are just a little electricity. 8-)

3. Have sshd listen on the standard port (22) ONLY for "inside" requests 
(i.e. requests NOT coming through your router). Don't open your router 
up to the Internet on port 22.

4. Have sshd ALSO listen on a non-standard port and open up your router 
on that port if you need to allow "outside" requests (i.e., requests 
that DO come from the internet through your router). Which port to use? 
See #5.

5. In step #4, please set it up for a non-standard non-standard port. 
What I mean by that is, don't use something that's somewhat obvious, 
like port 2222, because that's what everyone uses. 8-) Pick something 
really different, BUT make sure it's not being used for something else.

Make a note of #4 and #5. By using a "non-standard non-standard" port, I 
completely eliminated attempts on my sshd server. Yay!

6. Use the "allowusers" or "allowgroups" directive in 
/etc/ssh/sshd_config to only allow logons for users or groups that you 
specify.

Please don't make me say this one.... okay... here goes... DON'T ALLOW 
ROOT TO SSH INTO YOUR SYSTEM. ssh in using another
user and then sudo to root if you need to.

7. This one is the most fun! 8-) Remove the ability to use passwords. 
Use only public key authentication. You'll have to generate a key on any 
computer that you want to allow to ssh into your system and then install 
its key on your computer with the sshd server.

You can Google for how to do this step (it's really not hard), or I'd be 
happy to post the steps (I'll have to Google again). 8-)

This one is the most fun because if you do want to leave sshd listening 
on port 22, you can watch the script kiddies banging
their heads against the wall trying to break in knowing that it's just 
not gonna happen! You'd think I'd have something better
to do, but you'd be wrong! 8-)

Sorry this is so long. Hope I don't offend you "iptables" folks. 8-)

Charlie Brune
St. Louis, MO
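The hosts.allow / hosts.deny scheme from steps 1 and 2 above, as an added worked example (this is not code from the post or from the TCP wrappers project): a small, simplified evaluator of hosts_access(5) rules that applies the real decision order (hosts.allow first, then hosts.deny, otherwise allow) to the poster's sample lines. It assumes only shell-style wildcards, ALL and EXCEPT, and plain IP addresses; hostnames, netmasks, spawn/twist commands and other hosts_options(5) features are deliberately not modelled. The rule files are constructed here to mirror the examples in the message.

```python
import fnmatch
import re

# Constructed rule files mirroring the post's examples (not anyone's real config).
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = """\
# step 2: only trusted networks may reach sshd
sshd: 192.168.*, 71.*, 68.*
# the "all except" form from the post, applied to rsyncd
rsyncd: all except 210.*
"""

def _matches(item, value):
    # ALL matches anything; anything else is a shell-style wildcard pattern
    return item == "all" or fnmatch.fnmatchcase(value, item)

def _list_matches(list_text, value):
    # "list_1 EXCEPT list_2": true when list_1 matches and list_2 does not
    parts = re.split(r"\s+except\s+", list_text.strip(), maxsplit=1, flags=re.IGNORECASE)
    items = [t.lower() for t in re.split(r"[,\s]+", parts[0].strip()) if t]
    if not any(_matches(i, value.lower()) for i in items):
        return False
    return not (len(parts) > 1 and _list_matches(parts[1], value))

def _file_matches(content, daemon, client_ip):
    # each rule is "daemon_list : client_list"; first matching line wins
    for line in content.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemon_list, _, client_list = line.partition(":")
        if _list_matches(daemon_list, daemon) and _list_matches(client_list, client_ip):
            return True
    return False

def access_decision(daemon, client_ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts_access(5) order: hosts.allow match -> allow, else hosts.deny
    match -> deny, else allow (which is why 'ALL: ALL' in hosts.deny matters)."""
    if _file_matches(allow, daemon, client_ip):
        return "allow"
    if _file_matches(deny, daemon, client_ip):
        return "deny"
    return "allow"

if __name__ == "__main__":
    for daemon, ip in [("sshd", "192.168.1.5"), ("sshd", "210.44.1.2"),
                       ("rsyncd", "8.8.8.8"), ("dovecot", "192.168.1.5")]:
        print(f"{daemon:8s} from {ip:14s} -> {access_decision(daemon, ip)}")
```

The last case shows the NOTE in the post: with `ALL: ALL` in hosts.deny, a service such as dovecot is refused even from the home LAN until it gets its own hosts.allow line.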