Cr0t (l33t)
Joined: 27 Apr 2002  Posts: 945  Location: USA
Posted: Wed Mar 24, 2010 4:42 pm  Post subject: ssh getting attacked

Someone is attacking my ssh server. What do you use to block/filter those attacks? Programs like DenyHosts exist.
_________________
cya
John R. Graham (Administrator)
Joined: 08 Mar 2005  Posts: 10763  Location: Somewhere over Atlanta, Georgia
Posted: Wed Mar 24, 2010 4:46 pm

I've taken two steps:
- Installed net-analyzer/fail2ban.
- Configured my sshd to disallow password authentication. I use RSA authentication instead.

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
Mike Hunt (Watchman)
Joined: 19 Jul 2009  Posts: 5287
Posted: Wed Mar 24, 2010 5:13 pm

Another way to go is to use an unused, non-standard port for ssh. Check /etc/services.
To do that, change the Port setting in /etc/ssh/sshd_config and /etc/ssh/ssh_config,
then restart the ssh server.
Another way is to disable port 22 temporarily after repeated hits from the same source. To do that, edit your iptables config like this:
Code:
    iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
    iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state ESTABLISHED -m recent --update --seconds 60 --hitcount 2 -j REJECT --reject-with tcp-reset
For this you will need to enable <*> "recent" match support and <*> "state" match support in your kernel (Core Netfilter Configuration, under Network packet filtering framework (Netfilter), under Networking options, under Networking support in menuconfig)
and rebuild the kernel in the usual way.
Cr0t (l33t)
Joined: 27 Apr 2002  Posts: 945  Location: USA
Posted: Wed Mar 24, 2010 5:16 pm

john_r_graham wrote:
> I've taken two steps:
> - Installed net-analyzer/fail2ban.
> - Configured my sshd to disallow password authentication. I use RSA authentication instead.
> - John

I saw fail2ban as well. Not sure if it is better than DenyHosts. This one page had a list of all different kinds of programs.
_________________
cya
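The core of what fail2ban and DenyHosts do for sshd, as an added example that is not code from this thread or from either project: scan the "Failed password" lines sshd writes to auth.log, count failures per source address inside a sliding time window, and flag any source that reaches the threshold. The log lines are constructed, the year (syslog timestamps carry none) and the maxretry/findtime values are assumptions, and flagging is returned rather than acted on; the actual block would be an iptables rule or a hosts.deny entry as discussed above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the syslog format sshd writes to /var/log/auth.log.
# 203.0.113.7 hammers the server; 198.51.100.4 mistypes a password twice, 13 minutes apart.
SAMPLE_AUTH_LOG = """\
Mar 24 16:40:01 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 24 16:40:03 gw sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Mar 24 16:40:05 gw sshd[2105]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar 24 16:40:20 gw sshd[2110]: Accepted publickey for cr0t from 198.51.100.4 port 40022 ssh2
Mar 24 16:41:30 gw sshd[2120]: Failed password for cr0t from 198.51.100.4 port 40030 ssh2
Mar 24 16:55:00 gw sshd[2200]: Failed password for cr0t from 198.51.100.4 port 40101 ssh2
Mar 24 16:55:02 gw sshd[2201]: Failed password for root from 203.0.113.7 port 52001 ssh2
"""

# Only "Failed password" lines count; "Accepted" lines never match.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_ts(ts, year=2010):
    # syslog timestamps have no year; the year is assumed for this sample.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_offenders(log, maxretry=3, findtime=600):
    """Return {ip: time of the failure that crossed the threshold} for every
    source with maxretry failed logins inside a sliding window of findtime
    seconds (the same maxretry/findtime idea fail2ban uses; values assumed)."""
    window = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        if ip in banned:          # already flagged; nothing more to learn
            continue
        hits = window[ip]
        hits.append(t)
        while (t - hits[0]).total_seconds() > findtime:
            hits.popleft()        # drop failures that fell out of the window
        if len(hits) >= maxretry:
            banned[ip] = t
    return banned

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_AUTH_LOG).items():
        print(f"{ip} reached the threshold at {when:%H:%M:%S}")
```

With the defaults only the hammering source is flagged; widening findtime to 900 seconds with maxretry=2 also catches the legitimate user's two slips, which is the trade-off these thresholds encode.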
Cr0t (l33t)
Joined: 27 Apr 2002  Posts: 945  Location: USA
Posted: Wed Mar 24, 2010 5:17 pm

Mike Hunt wrote:
> Another way to go is to use an unused, non-standard port for ssh. Check /etc/services.
> To do that, change the Port setting in /etc/ssh/sshd_config and /etc/ssh/ssh_config,
> then restart the ssh server.
> Another way is to disable port 22 temporarily after repeated hits from the same source. To do that, edit your iptables config like this:
> Code:
>     iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
>     iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state ESTABLISHED -m recent --update --seconds 60 --hitcount 2 -j REJECT --reject-with tcp-reset
> For this you will need to enable <*> "recent" match support and <*> "state" match support in your kernel (Core Netfilter Configuration, under Network packet filtering framework (Netfilter), under Networking options, under Networking support in menuconfig)
> and rebuild the kernel in the usual way.

That's some good stuff. I will put that in place later.
_________________
cya