Re: able to login as root via ssh :-(

Don Russell wrote:
Todd Zullinger wrote:
That's a good idea.... I'm the only one that needs remote access....
and my logs are always showing people "knocking at the door"
sometimes hundreds a day.

Yep, the same bastards knock on most of our doors too. :)

Yet another helpful method for stopping a lot of that is to run ssh on
a different port.

I'm not a big fan of that ... I like to use standard ports for things... to me, changing port numbers is little more than leaving the door key under the flower pot instead of under the mat. :-) Granted, there are approx 65000 flowerpots to choose from. :-)

In theory, I agree with your assessment--security by obscurity is no real security, however, in practice, if you hid your key under the flower pot and hundreds of thousands of your neighbors hid theirs under their mats, you've raised the ante for would-be attackers (they'll probably only get to you once they've exploited everybody else). In my experience, a simple port move completely eliminated script kiddies knocking on my ssh port. Another method I have successfully used is to use either the limit or the recent iptables module. limit is easier to use, but imposes a global limit on the rate of ssh connections--this means each script attack will probably only get a few tries to guess before the limit is hit--the disadvantage is this can be a DoS attack on you getting in to your own box (this is a good time to try also running ssh on a non-standard port with no rate limit, so you can get in when the main port has been rate-limited). Here's an approximate iptables recipe that may suit for limit:

-A <chainname> -m state --state NEW -m tcp -p tcp --dport ssh -m limit --limit 10/hour --limit-burst 3 -j ACCEPT
-A <chainname> -m state --state NEW -m tcp -p tcp --dport ssh -j DROP

This ruleset (if placed in the right spot on the right chain) should rate limit ssh connections to 10/hour with a burst limit of 3 (enough for my home machine--probably not enough if you have more than a trivial number of users).

Here's what I like to use more, now that I seem to have figured out how to successfully use the recent module:

-A <chainname> -m state --state NEW -m tcp -p tcp --dport ssh -m recent --update --hitcount 2 --seconds 120 --name sshers -j DROP
-A <chainname> -m state --state NEW -m tcp -p tcp --dport ssh -m recent --set --name sshers -j ACCEPT

This ruleset limits each connecting address to 2 connection attempts every 120 seconds (or so I think--at any rate, it does seem to limit attackers to only getting two tries--the scripts seem to give up in less than 120 seconds).
If a would-be hacker is put off so easily as a port number change, they are probably harmless anyway. :-)

It isn't that they are harmless so much as it is that there are too many other easy marks to hit, and/or they are using toolkits that they don't really understand. As long as no naive passwords are being used, or if password authentication is disabled, they probably are harmless, even so, however, I find the log messages to be quite annoying.

-se
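To make the difference between the two recipes in the reply concrete, here is an added simulation that is not from the list post or from netfilter itself: it models the global `limit` match as a token bucket (rate and burst as in the first recipe) and the per-address `recent` rule pair as a timestamp list checked by `--update --hitcount --seconds` before `--set` records the current hit, then runs both over a constructed sequence of connection attempts. The addresses and timings are constructed sample data.

```python
# Added example (not from the list post): simulate the two iptables recipes
# so the global 'limit' match and the per-address 'recent' pair can be
# compared on the same constructed attempt log.
# Assumptions: attempts are (seconds, source_ip) pairs in time order; 'limit'
# is modelled as a token bucket, and 'recent' as a per-address timestamp list
# where the --update/--hitcount check runs before --set adds the current hit.

def limit_filter(attempts, rate_per_hour=10, burst=3):
    """Global token bucket shared by every source; one verdict per attempt."""
    refill = rate_per_hour / 3600.0          # tokens regained per second
    tokens, last_t = float(burst), 0.0
    verdicts = []
    for t, src in attempts:
        tokens = min(float(burst), tokens + (t - last_t) * refill)
        last_t = t
        if tokens >= 1.0:                    # rule 1: -m limit ... -j ACCEPT
            tokens -= 1.0
            verdicts.append((t, src, "ACCEPT"))
        else:                                # rule 2: catch-all -j DROP
            verdicts.append((t, src, "DROP"))
    return verdicts


def recent_filter(attempts, hitcount=2, seconds=120):
    """Per-address limit: DROP once 'hitcount' hits already sit in the window."""
    sshers = {}                              # the --name sshers list
    verdicts = []
    for t, src in attempts:
        window = [h for h in sshers.get(src, []) if t - h <= seconds]
        if len(window) >= hitcount:
            # rule 1 (--update --hitcount --seconds -j DROP): the entry is
            # refreshed, so a source that keeps hammering stays locked out.
            sshers[src] = window + [t]
            verdicts.append((t, src, "DROP"))
        else:
            # rule 2 (--set -j ACCEPT): record this hit and let it through.
            sshers[src] = window + [t]
            verdicts.append((t, src, "ACCEPT"))
    return verdicts


# Constructed sample: a scanner at 203.0.113.5 retrying every 5 s, the admin
# at 192.0.2.7 logging in once, then the scanner returning after the window.
ATTEMPTS = [(0, "203.0.113.5"), (5, "203.0.113.5"), (10, "203.0.113.5"),
            (15, "203.0.113.5"), (20, "192.0.2.7"), (200, "203.0.113.5")]

if __name__ == "__main__":
    for name, fn in (("limit", limit_filter), ("recent", recent_filter)):
        print(name, [v for _, _, v in fn(ATTEMPTS)])
```

With the global limit the admin's attempt at 20 s is dropped because the scanner already drained the burst, which is the self-DoS the reply warns about; with the recent pair the admin gets in and the scanner is only cut off per address.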

