Scot L. Harris wrote:
On Fri, 2005-11-25 at 05:19, Vijay Gill wrote:
I am working on the idea of writing a small script which will modify
the port of sshd every day according to some logic I will use on the
client side to find the port for that day. This script will run in
background and will do the job of modifying the config file and
restarting of the service automatically.
Does that sound like an even more secure idea?
Regards from
Vijay Gill
Actually that will not buy you more security. If you disable root ssh
access, use good passwords, use keys, use ssh2 only, and restrict the
users that are allowed to ssh to the system you have covered most of the
items that improve your security. Changing the ssh port is generally
not viewed as making your system more secure. It will keep the script
kiddies from knocking on the door but any one that targets your system
specifically will scan all ports and find that you have ssh on a
different port.
I use a different port for ssh. This keeps my log files cleaner. But
it does not make my system any more secure. That is taken care of by
using the other methods mentioned above for ssh.
You might want to check out port knocking. Although there was an
article posted on the web that argued that even port knocking does not
provide any added security.
Just remember that you want to keep your system just a little more
secure than the next system. Just be careful not to make things so
complex that you introduce a security hole.
Most of the ssh scanning going on relies on people not using good
passwords. By simply using good passwords on all accounts the risk is
all but eliminated. It is sad how many systems out there have accounts
with very poor passwords.
I have decided I only want to allow ssh from IP addresses from my
region, and have configured tcpwrappers accordingly:
mail:~# tail /etc/hosts.allow
#
# Example: ALL: LOCAL @some_netgroup
# ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper. See portmap(8)
# and /usr/doc/portmap/portmapper.txt.gz for further information.
# A trailing dot means a network prefix match: these three ranges may reach
# sshd, everything else falls through to hosts.deny.
sshd: 203.33. 220.235. 192.168.
If someone from an unapproved location connects, they're terminated, and
I don't get to read page after page of reports of someone enumerating
user/password combinations. If I need to connect from outside these
regions I'll take a laptop with openvpn.
This can be pretty cool too:
/etc/hosts.deny
# The PARANOID wildcard matches any host whose name does not match its
# address. You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID
sshd: ALL
# "false" is the daemon name tcpd sees for the telnet trap (server_args =
# /bin/false with NAMEINARGS): deny it, and mail root the client (%h) and
# the daemon name (%d).
false: ALL: spawn ((echo attack from %h;id -a) | \
/usr/bin/mail -s %d-%h root) &
and
summer@www:~$ cat /etc/xinetd.d/telnet
# default: off
# description: telnet trap. Nothing real listens here: tcpd logs the
# connection, the matching hosts.deny entry mails root, and the client is
# handed /bin/false (so tcpd sees the daemon name "false").
service telnet
{
        disable         = no
        socket_type     = stream
        protocol        = tcp
        user            = games
        wait            = no
        flags           = NAMEINARGS
        server          = /usr/sbin/tcpd
        server_args     = /bin/false
}
If someone connects to my telnet port I get mail, but I could instead
run iptables to block the source (and even the whole /24 network).
I could also use the same technique to implement a shoulder-tap, to
allow an ssh connexion for a few minutes after a connexion to port, say,
777.
--
Cheers
John
-- spambait
1aaaaaaa@xxxxxxxxxxxxxxxxxxxxxxx Z1aaaaaaa@xxxxxxxxxxxxxxxxxxxxxxx
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/
do not reply off-list
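The two follow-ups John only sketches (blocking the source /24 with iptables when the telnet trap is touched, and a shoulder-tap that opens sshd to a host for a few minutes after it connects to port 777) fit in one small handler called from tcpd "spawn" lines. The script below is an added example, not John's code. Everything about the wiring is an assumption: it is installed as /usr/local/sbin/tcpd-react, the trap is the telnet service above (daemon name "false"), and the tap is a second xinetd service on port 777 built the same way but with server_args = /bin/true and allowed from hosts.allow (daemon name "true"). It uses %a, the client address, rather than %h, which tcpd may expand to a PTR name, and it validates the address anyway because the value is attacker-influenced and ends up on an iptables command line. IPTABLES=echo dry-runs it.

```shell
#!/bin/sh
# tcpd-react: reaction handler for tcp_wrappers "spawn" lines.
# Added example, not John's script. Assumed wiring (all hypothetical):
#   /etc/hosts.deny   false: ALL: spawn (/usr/local/sbin/tcpd-react trap %a) &
#   /etc/hosts.allow  true:  ALL: spawn (/usr/local/sbin/tcpd-react tap %a) &
# where "true" is a port-777 xinetd service that runs /usr/sbin/tcpd with
# server_args = /bin/true, like the telnet trap but allowed, not denied.
# Set IPTABLES=echo to dry-run.

IPTABLES=${IPTABLES:-/sbin/iptables}
SSH_PORT=${SSH_PORT:-22}
TAP_SECONDS=${TAP_SECONDS:-300}      # how long a shoulder-tap opens sshd
BLOCK_SECONDS=${BLOCK_SECONDS:-3600} # how long a trap hit bans the /24

# Accept only a plain dotted-quad IPv4 address. The argument comes from
# the remote side and is about to go on an iptables command line.
is_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= NF; i++)
        if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i > 255) exit 1 }
  '
}

# 203.0.113.77 -> 203.0.113.0/24 (the "whole /24" John mentions).
net24() {
  is_ipv4 "$1" || return 1
  printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.0/24\n", $1, $2, $3 }'
}

# Insert a rule now and delete the identical rule again after $1 seconds.
# The timer is a detached subshell, so the spawn line returns at once.
rule_for_a_while() {
  secs=$1; shift
  "$IPTABLES" -I INPUT "$@"
  ( sleep "$secs"; "$IPTABLES" -D INPUT "$@" ) &
}

# Trap mode: something touched the telnet trap, drop its whole /24.
block_source() {
  net=$(net24 "$1") || { echo "tcpd-react: refusing non-IPv4 '$1'" >&2; return 1; }
  rule_for_a_while "$BLOCK_SECONDS" -s "$net" -j DROP
}

# Tap mode: the caller knocked on the tap port, let it reach sshd for a bit.
tap_allow() {
  is_ipv4 "$1" || { echo "tcpd-react: refusing non-IPv4 '$1'" >&2; return 1; }
  rule_for_a_while "$TAP_SECONDS" -p tcp -s "$1" --dport "$SSH_PORT" -j ACCEPT
}

if [ $# -gt 0 ]; then
  case "$1" in
    trap) block_source "$2" ;;
    tap)  tap_allow "$2" ;;
    *)    echo "usage: $0 trap|tap <ipv4-address>" >&2; exit 64 ;;
  esac
fi
```

The rules are inserted at the top of INPUT, so the tap only helps if the default policy or a later rule otherwise drops port 22; the delete after the timer uses the identical rule spec, which is what -D matches on. Scot's caveat applies here too: a /24 ban triggered by anything that can reach the trap port is a cheap way for someone to lock out an address range you care about, so keep the ban short and watch root's mail.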