[Intrusions] Locking down SSH, dictionary attacks

Remko Lodder remko at elvandar.org
Fri Mar 10 20:39:31 GMT 2006


Andrew Daviel wrote:
> 
> FYI - just got zapped by one of those SSH exhaustion scanners (again)
> 1st generation - try 4 accounts e.g. guest/guest against everyone
> 2nd generation - multiple passwords but slow, doesn't show above noise on
>   individual syslogs
> 3rd generation - who cares, let's blast! 230 tries in 3 minutes
> 
> To combat 2nd gen I poll multiple syslogs several times an hour, and any
> source going over a couple dozen failures across site is firewalled.
> 3rd gen got lucky before it was blocked a few minutes later
> 

[snip]

> 
> So, I'm wondering how to lock down SSH a bit more (on Linux, maybe
> Solaris, MacOS).
> On critical machines with few users, I have disabled password logins -
> keys only, and maybe only listen to certain addresses. And on one
> standalone machine I have set norootlogin.
> 

[snip]

> root:
> - must use keys, not password
> - must connect from 10.4.0.0
> user A:

So you make a large mistake already by allowing root logins.
If root is permitted to login, someone will find a way to
breach the security and penetrate your system with root privileges.

So please, do not allow root logins at all, use su(do) if you need
access to the root account.

This is just my minor contribution...

-- 
Kind regards,

      Remko Lodder               ** remko at elvandar.org
      FreeBSD                    ** remko at FreeBSD.org

      /* Quis custodiet ipsos custodes */
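Andrew's approach above (polling several hosts' syslogs and firewalling any source that accumulates failures across the site, which is what exposes the slow "2nd generation" scanners that stay under the noise floor of any single host) can be illustrated with a small aggregator. The following is an added example, not code from either poster: it parses constructed OpenSSH auth-log lines (the `SAMPLE_LOG` text and the addresses in it are made up for this example), counts failed password attempts per source address both per host and site-wide, and returns the sources that cross a threshold. The threshold value and the `iptables` rule format are assumptions for illustration; the poster's "couple dozen" would be the realistic setting.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of sshd auth-log lines from three hosts (not from the
# thread). 192.0.2.10 spreads four failures over three hosts, so no single
# host sees more than two; the site-wide view is what makes it stand out.
SAMPLE_LOG = """\
Mar 10 20:01:02 hostA sshd[1201]: Failed password for invalid user guest from 192.0.2.10 port 40001 ssh2
Mar 10 20:01:05 hostA sshd[1203]: Failed password for root from 192.0.2.10 port 40002 ssh2
Mar 10 20:02:11 hostB sshd[3310]: Failed password for invalid user admin from 192.0.2.10 port 40010 ssh2
Mar 10 20:02:40 hostB sshd[3312]: Accepted publickey for alice from 198.51.100.7 port 52000 ssh2
Mar 10 20:03:01 hostC sshd[777]: Failed password for invalid user test from 192.0.2.10 port 40020 ssh2
Mar 10 20:03:09 hostC sshd[779]: Failed password for bob from 203.0.113.5 port 41000 ssh2
Mar 10 20:04:30 hostA sshd[1210]: Invalid user oracle from 192.0.2.10
"""

# Only "Failed password" lines are counted. sshd also logs a separate
# "Invalid user X from IP" line for unknown accounts, and counting both
# would double-count a single attempt, so that line form is ignored here.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
    r"(?: port \d+ ssh2)?$"
)


def parse_failures(log_text):
    """Return a list of (timestamp, host, user, source_ip) for each failed attempt."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures.append((m.group("ts"), m.group("host"), m.group("user"), m.group("ip")))
    return failures


def failures_per_host(log_text):
    """Per-host view: (host, source_ip) -> failure count. This is what each
    machine's own syslog shows, and what a slow scanner stays beneath."""
    counts = Counter()
    for _ts, host, _user, ip in parse_failures(log_text):
        counts[(host, ip)] += 1
    return dict(counts)


def failures_by_source(log_text):
    """Site-wide view: source_ip -> (total failures, sorted list of hosts hit)."""
    counts = Counter()
    hosts = defaultdict(set)
    for _ts, host, _user, ip in parse_failures(log_text):
        counts[ip] += 1
        hosts[ip].add(host)
    return {ip: (counts[ip], sorted(hosts[ip])) for ip in counts}


def sources_to_block(log_text, threshold):
    """Sources whose site-wide failure count reaches the threshold."""
    return sorted(ip for ip, (n, _hosts) in failures_by_source(log_text).items()
                  if n >= threshold)


def block_rules(ips):
    """Render one DROP rule per source (iptables syntax assumed for the example)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    # Threshold of 3 is deliberately low to suit the tiny constructed sample.
    for ip, (n, hosts) in failures_by_source(SAMPLE_LOG).items():
        print(f"{ip}: {n} failures across {len(hosts)} host(s) {hosts}")
    for rule in block_rules(sources_to_block(SAMPLE_LOG, threshold=3)):
        print(rule)
```

Run on the sample, the per-host view never exceeds two failures for any (host, source) pair, while the site-wide view attributes four failures to 192.0.2.10 across all three hosts; that is the difference between the per-machine noise floor and the cross-site correlation the post describes. The successful `Accepted publickey` line is never counted, so key-based logins from legitimate addresses do not contribute toward a block.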
