Don Russell wrote:
> Todd Zullinger wrote:
>>> That's a good idea.... I'm the only one that needs remote access....
>>> and my logs are always showing people "knocking at the door"
>>> sometimes hundreds a day.
>> Yep, the same bastards knock on most of our doors too. :)
>> Yet another helpful method for stopping a lot of that is to run ssh on
>> a different port.
> I'm not a big fan of that ... I like to use standard ports for
> things... to me, changing port numbers is little more than leaving the
> door key under the flower pot instead of under the mat. :-) Granted,
> there are approx 65000 flowerpots to choose from. :-)
In theory, I agree with your assessment--security by obscurity is no
real security, however, in practice, if you hid your key under the
flower pot and hundreds of thousands of your neighbors hid theirs under
their mats, you've raised the ante for would-be attackers (they'll
probably only get to you once they've exploited everybody else). In my
experience, a simple port move completely eliminated script kiddies
knocking on my ssh port. Another method I have successfully used is to
either use the limit or recent iptables modules. limit is easier to
use, but imposes a global limit on the rate of ssh connections--this
means each script attack will probably only get a few tries to guess
before the limit is hit--the disadvantage is this can be a DoS attack on
you getting into your own box (this is a good time to try also running
ssh on a non-standard port with no rate limit, so you can get in when
the main port has been rate-limited). Here's an approximate iptables
recipe that may suit for limit:
-A <chainname> -m state --state NEW -m tcp -p tcp --dport ssh -m limit --limit 10/hour --limit-burst 3 -j ACCEPT
-A <chainname> -m state --state NEW -m tcp -p tcp --dport ssh -j DROP
This ruleset (if placed in the right spot on the right chain) should
rate limit ssh connections to 10/hour with a burst limit of 3 (enough
for my home machine--probably not enough if you have more than a trivial
number of users).
Here's what I like to use more, now that I seem to have figured out how
to successfully use the recent module:
-A <chainname> -m state --state NEW -m tcp -p tcp --dport ssh -m recent --update --hitcount 2 --seconds 120 --name sshers -j DROP
-A <chainname> -m state --state NEW -m tcp -p tcp --dport ssh -m recent --set --name sshers -j ACCEPT
This ruleset limits each connecting address to 2 connection attempts
every 120 seconds (or so I think--at any rate, it does seem to limit
attackers to only getting two tries--the scripts seem to give up in less
than 120 seconds).
> If a would-be hacker is put off so easily as a port number change,
> they are probably harmless anyway. :-)
It isn't that they are harmless so much as it is that there are too many
other easy marks to hit, and/or they are using toolkits that they don't
really understand. As long as no naive passwords are being used, or if
password authentication is disabled, they probably are harmless. Even
so, however, I find the log messages to be quite annoying.
-se
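Added example, not from the post above: a small Python model of the two iptables recipes in it (the global `limit` bucket and the per-source `recent` list), run against a script hammering port 22 while the admin tries to log in at the same time, so the DoS-on-yourself caveat of `limit` and the per-address behaviour of `recent` can be seen side by side. The bucket refill and the list semantics are modelled from the modules' documented behaviour, not taken from kernel code; the addresses and timestamps are constructed.

```python
from collections import defaultdict

def limit_ruleset(attempts, rate_per_hour=10, burst=3):
    """Global token bucket: `--limit 10/hour --limit-burst 3`. Every NEW
    ssh connection, whoever sends it, spends one token; with none left the
    ACCEPT rule fails to match and the following rule DROPs the packet."""
    tokens, last_t, verdicts = float(burst), None, []
    for t, src in attempts:
        if last_t is not None:  # refill at 10/hour, capped at the burst size
            tokens = min(burst, tokens + (t - last_t) * rate_per_hour / 3600)
        last_t = t
        if tokens >= 1:
            tokens -= 1
            verdicts.append((t, src, "ACCEPT"))
        else:
            verdicts.append((t, src, "DROP"))
    return verdicts

def recent_ruleset(attempts, hitcount=2, seconds=120):
    """Per-source list `sshers`: `--update --hitcount 2 --seconds 120 -j DROP`
    followed by `--set -j ACCEPT`. The hitcount test counts stamps already
    in the list, so hitcount 2 admits two connections per window, and a
    matching --update re-stamps the entry, so a source that keeps retrying
    stays blocked until it goes quiet for `seconds`."""
    stamps, verdicts = defaultdict(list), []
    for t, src in attempts:
        hits_in_window = [s for s in stamps[src] if t - s <= seconds]
        stamps[src].append(t)  # both --update (on match) and --set stamp it
        if len(hits_in_window) >= hitcount:
            verdicts.append((t, src, "DROP"))
        else:
            verdicts.append((t, src, "ACCEPT"))
    return verdicts

# Constructed scenario: a script hammers port 22 every 5 s while the admin
# tries once at t=30. Addresses are from documentation ranges.
SCRIPT, ADMIN = "203.0.113.5", "198.51.100.7"
ATTEMPTS = sorted([(5 * i, SCRIPT) for i in range(8)] + [(30, ADMIN)])

def accepted(verdicts, src):
    """Timestamps at which `src` got through."""
    return [t for t, s, v in verdicts if s == src and v == "ACCEPT"]

if __name__ == "__main__":
    for name, fn in (("limit", limit_ruleset), ("recent", recent_ruleset)):
        v = fn(ATTEMPTS)
        print(f"{name}: script accepted at {accepted(v, SCRIPT)}, "
              f"admin accepted at {accepted(v, ADMIN)}")
```

Under `limit` the script drains the three-token burst and the admin's single attempt at t=30 is dropped along with everything else; under `recent` the script gets exactly two tries and the admin, tracked separately, gets in.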