
SSHD & security


flupke

Guest
The below attached log is known to each of us; my question is: what can I do to increase security at the SSHD level?

Can't I set up SSHD to ban an IP address after a given number of failed identifications? Would be so easy to implement.



------

Jul 21 20:27:22 host1 sshd[8155]: Failed password for invalid user wwwdata from 68.255.14.252 port 3715 ssh2
Jul 21 20:27:23 host1 sshd[8160]: Invalid user user from 68.255.14.252
Jul 21 20:27:25 host1 sshd[8160]: Failed password for invalid user user from 68.255.14.252 port 4920 ssh2
Jul 21 20:27:28 host1 sshd[8165]: Invalid user user1 from 68.255.14.252
Jul 21 20:27:30 host1 sshd[8165]: Failed password for invalid user user1 from 68.255.14.252 port 2156 ssh2
Jul 21 20:27:31 host1 sshd[8170]: Invalid user user from 68.255.14.252
Jul 21 20:27:34 host1 sshd[8170]: Failed password for invalid user user from 68.255.14.252 port 4106 ssh2
Jul 21 20:27:35 host1 sshd[8176]: Invalid user user from 68.255.14.252
Jul 21 20:27:37 host1 sshd[8176]: Failed password for invalid user user from 68.255.14.252 port 1535 ssh2
Jul 21 20:27:38 host1 sshd[8182]: Invalid user user1 from 68.255.14.252
Jul 21 20:27:41 host1 sshd[8182]: Failed password for invalid user user1 from 68.255.14.252 port 2719 ssh2
Jul 21 20:27:42 host1 sshd[8187]: Invalid user user1 from 68.255.14.252
Jul 21 20:27:44 host1 sshd[8187]: Failed password for invalid user user1 from 68.255.14.252 port 3659 ssh2
Jul 21 20:27:46 host1 sshd[9217]: Invalid user www from 68.255.14.252
Jul 21 20:27:48 host1 sshd[9217]: Failed password for invalid user www from 68.255.14.252 port 4871 ssh2
Jul 21 20:27:49 host1 xinetd[24281]: START: smtp pid=9227 from=70.58.173.162
 
I disabled root login as a first measure.

Next step will be to configure iptables to close the connection after a few trials.
 
Install something like Fail2Ban or DenyHosts.

You can limit which IP addresses can access SSH using the firewall or sshd config (if you only access your server from a few static addresses, for instance).

You can set up public key authentication and then disable PasswordAuthentication so password attacks are completely useless. Remember that the Migration Manager needs to be able to access SSH using a password, so you'll need to re-enable PasswordAuthentication temporarily when you want to use that.
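The "ban after N failures" logic flupke asks about, as an added example (not code from this thread, from Plesk, or from Fail2Ban): a Python sketch that parses sshd "Failed password" lines in the format quoted above and reports source IPs that cross a retry threshold inside a time window. The log lines are constructed samples, and the year is an assumption because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the same format as the sshd log quoted above.
SAMPLE_LOG = """\
Jul 21 20:27:22 host1 sshd[8155]: Failed password for invalid user wwwdata from 68.255.14.252 port 3715 ssh2
Jul 21 20:27:23 host1 sshd[8160]: Invalid user user from 68.255.14.252
Jul 21 20:27:25 host1 sshd[8160]: Failed password for invalid user user from 68.255.14.252 port 4920 ssh2
Jul 21 20:27:30 host1 sshd[8165]: Failed password for invalid user user1 from 68.255.14.252 port 2156 ssh2
Jul 21 20:27:34 host1 sshd[8170]: Failed password for invalid user user from 68.255.14.252 port 4106 ssh2
Jul 21 20:29:10 host1 sshd[8201]: Failed password for admin from 192.0.2.10 port 50122 ssh2
Jul 21 20:27:49 host1 xinetd[24281]: START: smtp pid=9227 from=70.58.173.162
"""

# Matches both "Failed password for invalid user X from IP" and
# "Failed password for X from IP" (existing account, wrong password).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2004):
    """Yield (timestamp, ip, user) for every sshd failed-password line.

    `year` is assumed: syslog lines carry no year, so the caller supplies it.
    """
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # "Invalid user" notices, xinetd lines etc. are not counted
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def offenders(log_text, maxretry=3, findtime_s=600):
    """Return {ip: total_failures} for IPs with >= maxretry failures
    inside any sliding window of findtime_s seconds (Fail2Ban-style)."""
    by_ip = defaultdict(list)
    for ts, ip, _user in parse_failures(log_text):
        by_ip[ip].append(ts)
    banned = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            in_window = [t for t in stamps[i:] if (t - start).total_seconds() <= findtime_s]
            if len(in_window) >= maxretry:
                banned[ip] = len(stamps)
                break
    return banned


if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG).items():
        print(f"ban candidate: {ip} ({n} failed logins)")
```

The addresses reported by `offenders()` are what a tool like Fail2Ban would hand to an iptables DROP rule; the script itself only detects.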
 
I would recommend something other than those two myself, but a lot of people swear by those so it's really your preference.

Some people like to use APF and BFD together to monitor their firewall and login failures.

I personally use http://www.configserver.com/cp/csf.html and so far it's been working pretty well - better than APF and BFD at least.

To secure SSH I would enable protocol 2 only (disable protocol 1), disable direct root access (make sure you have a wheel group user set up first), and put it on a non-standard port (some argue this is useless at stopping an attacker as any port scan will find the new port).

Then you will need to whitelist your static IP (or class C block) as well as the server's IPs and any gateways your server uses, in case an attacker tries to spoof your gateway IP for the attacking host, so you don't block yourself out.

You can also turn on nospoof in your hosts file to help with that, but it won't solve it on its own if the attacker is good.

Just to name a few things.
 
Thanks to all. I disabled root login, I created a username for the sole purpose of SU-ing on my box, I removed SSH 1 (only 2 supported); increasing the timeout for retrial is also a good idea.

I would also add IPTABLES rules to the protection list.


QUESTION: ever heard about solution like tipping point?
 
Yeah, those can't hurt either - well, that's not true: poorly configured, the TippingPoint can take down your entire network frequently. I've seen it happen in some of my old jobs with people who pretend to know how to configure it :p
 
I know TippingPoint very well, it's a great IDS, just really really expensive (around 75K per sensor). Much more useful as a network IDS in my opinion. For web environments, mod_security and ossec would be my first two picks (and what I use in ASL). You've got much more refined control.

I'd also recommend looking into using SSH keys to authenticate, and turning off password auth (this would eliminate the threat of brute force attacks completely).

Personally, I'm not a big fan of using alternate ports for ssh, although it's certainly good for cutting down on the noise. I kind of like to see who is hitting ssh and what they're trying to do, but that's just me. Plus you can use that information in other directions, like creating global IP blocks, or sharing the data (a la denyhosts) with other people.
 