
SSHD & security

Discussion in 'Plesk for Linux - 8.x and Older' started by flupke, Jul 21, 2007.

  1. flupke

    flupke Guest

    0
     
    The log attached below is known to each of us; my question is: what can I do to increase security at the SSHD level?

    Can't I set up SSHD to ban an IP address after a given number of failed identifications? It would be so easy to implement.



    ------




    Jul 21 20:27:22 host1 sshd[8155]: Failed password for invalid user wwwdata from 68.255.14.252 port 3715 ssh2
    Jul 21 20:27:23 host1 sshd[8160]: Invalid user user from 68.255.14.252
    Jul 21 20:27:25 host1 sshd[8160]: Failed password for invalid user user from 68.255.14.252 port 4920 ssh2
    Jul 21 20:27:28 host1 sshd[8165]: Invalid user user1 from 68.255.14.252
    Jul 21 20:27:30 host1 sshd[8165]: Failed password for invalid user user1 from 68.255.14.252 port 2156 ssh2
    Jul 21 20:27:31 host1 sshd[8170]: Invalid user user from 68.255.14.252
    Jul 21 20:27:34 host1 sshd[8170]: Failed password for invalid user user from 68.255.14.252 port 4106 ssh2
    Jul 21 20:27:35 host1 sshd[8176]: Invalid user user from 68.255.14.252
    Jul 21 20:27:37 host1 sshd[8176]: Failed password for invalid user user from 68.255.14.252 port 1535 ssh2
    Jul 21 20:27:38 host1 sshd[8182]: Invalid user user1 from 68.255.14.252
    Jul 21 20:27:41 host1 sshd[8182]: Failed password for invalid user user1 from 68.255.14.252 port 2719 ssh2
    Jul 21 20:27:42 host1 sshd[8187]: Invalid user user1 from 68.255.14.252
    Jul 21 20:27:44 host1 sshd[8187]: Failed password for invalid user user1 from 68.255.14.252 port 3659 ssh2
    Jul 21 20:27:46 host1 sshd[9217]: Invalid user www from 68.255.14.252
    Jul 21 20:27:48 host1 sshd[9217]: Failed password for invalid user www from 68.255.14.252 port 4871 ssh2
    Jul 21 20:27:49 host1 xinetd[24281]: START: smtp pid=9227 from=70.58.173.162
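    Added example (editor's, not the original poster's): the manual version of what the "ban after N failures" request asks for. It counts the "Failed password" entries per source address in log lines of the format shown above and prints firewall rules for addresses that reach a threshold; a Fail2Ban-style tool does the same and also expires the bans. The sample lines are constructed in the same format with documentation-range addresses (192.0.2.0/24), the threshold of 3, the iptables rule shape and port 22 are assumptions, and the rules are printed for review rather than executed.

```shell
#!/bin/sh
# Added example: count sshd "Failed password" entries per source address and
# emit firewall rules for addresses at or over a threshold. This is the
# manual form of what Fail2Ban / DenyHosts automate (they also expire bans,
# which this does not).

# Print "COUNT IP" for every address with at least LIMIT failed passwords,
# most active first. Reads log lines (e.g. /var/log/secure) from stdin.
failed_logins_by_ip() {
    awk -v limit="${1:-5}" '
        # lines look like: "... Failed password for [invalid user] NAME from IP port N ssh2"
        # so the address is always the fourth field from the end
        /sshd\[[0-9]+\]: Failed password for/ { fails[$(NF-3)]++ }
        END { for (ip in fails) if (fails[ip] >= limit) print fails[ip], ip }
    ' | sort -rn
}

# Turn the output of failed_logins_by_ip into iptables commands that drop
# SSH traffic from each address. Printed, not executed: review them first,
# and keep your own static IP and the server's gateway out of the list.
ban_rules() {
    while read -r count ip; do
        if [ -n "$ip" ]; then
            echo "iptables -I INPUT -s $ip -p tcp --dport 22 -j DROP"
        fi
    done
}

# Constructed sample in the same format as the log excerpt above; the
# addresses are from the 192.0.2.0/24 documentation range, not real hosts.
# Only the "Failed password" lines count; "Invalid user", "Accepted" and
# xinetd lines are ignored.
SAMPLE_LOG='Jul 21 20:27:22 host1 sshd[8155]: Failed password for invalid user wwwdata from 192.0.2.10 port 3715 ssh2
Jul 21 20:27:23 host1 sshd[8160]: Invalid user user from 192.0.2.10
Jul 21 20:27:25 host1 sshd[8160]: Failed password for invalid user user from 192.0.2.10 port 4920 ssh2
Jul 21 20:27:30 host1 sshd[8165]: Failed password for invalid user user1 from 192.0.2.10 port 2156 ssh2
Jul 21 20:27:37 host1 sshd[8176]: Failed password for invalid user user from 192.0.2.10 port 1535 ssh2
Jul 21 20:27:40 host1 sshd[8190]: Failed password for admin from 192.0.2.20 port 51022 ssh2
Jul 21 20:27:45 host1 sshd[8195]: Accepted publickey for admin from 192.0.2.30 port 51030 ssh2
Jul 21 20:27:49 host1 xinetd[24281]: START: smtp pid=9227 from=192.0.2.40'

# With a threshold of 3 only 192.0.2.10 (4 failures) is reported.
printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip 3 | ban_rules
```

    Against a real log the same pipeline is `failed_logins_by_ip 5 < /var/log/secure | ban_rules`; the iptables rules it prints have no expiry, which is the main reason to prefer Fail2Ban or DenyHosts for the automated version.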
     
  2. flupke

    flupke Guest

    0
     
    I disabled root login as a first measure.

    The next step will be to configure iptables to close the connection after a few trials.
     
  3. breun

    breun Golden Pleskian

    29
     
    Joined:
    Jun 28, 2005
    Messages:
    1,647
    Likes Received:
    0
    Install something like Fail2Ban or DenyHosts.

    You can limit which IP addresses can access SSH using the firewall or sshd config (if you only access your server from a few static addresses, for instance).

    You can set up public key authentication and then disable PasswordAuthentication so password attacks are completely useless. Remember that the Migration Manager needs to be able to access SSH using a password, so you'll need to re-enable PasswordAuthentication temporarily when you want to use that.
     
  4. Amin Taheri

    Amin Taheri Golden Pleskian Plesk Certified Professional

    33
     
    Joined:
    Jul 5, 2007
    Messages:
    1,398
    Likes Received:
    1
    Location:
    Seattle Area
    I would recommend something other than those two myself, but a lot of people swear by them, so it's really your preference.

    Some people like to use APF and BFD together to monitor their firewall and login failures.

    I personally use http://www.configserver.com/cp/csf.html and so far it's been working pretty well, better than APF and BFD at least.

    To secure SSH I would enable protocol 2 only (disable protocol 1), disable direct root access (make sure you have a wheel group user set up first), and put it on a non-standard port (some argue this is useless at stopping an attacker, as any port scan will find the new port).

    Then you will need to whitelist your static IP (or class C block) as well as the server's IPs and any gateways your server uses, in case an attacker tries to spoof your gateway IP for the attacking host, so you don't block yourself out.

    You can also turn on nospoof in your hosts file to help with that, but it won't solve it on its own if the attacker is good.

    Just to name a few things.
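    Added example (editor's, not from breun's or Amin's posts) that audits an sshd_config for the settings both of them recommend: Protocol 2 only, PermitRootLogin no, PasswordAuthentication no (keys instead) and an AllowUsers list limiting SSH to the admin account. The directive names are real OpenSSH ones; the two config files are constructed for the demonstration and the account name admin is a placeholder. The port is deliberately not checked, since the thread treats a non-standard port as optional.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the hardening settings recommended
# in this thread (Protocol 2 only, no direct root login, key-only
# authentication, an explicit AllowUsers list). Prints one line per finding
# and returns the number of findings as the exit status (0 = all good).

# Effective value of a directive: sshd takes the first non-comment occurrence,
# and directive names are case-insensitive. Match blocks are not considered.
sshd_directive() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

check_sshd_config() {
    cfg="$1"
    findings=0

    v=$(sshd_directive "$cfg" Protocol)
    if [ "$v" != "2" ]; then
        echo "Protocol: want 2, have '${v:-unset}' (SSH-1 may still be negotiable)"
        findings=$((findings + 1))
    fi

    v=$(sshd_directive "$cfg" PermitRootLogin)
    if [ "$v" != "no" ]; then
        echo "PermitRootLogin: want no, have '${v:-unset}' (log in as a wheel-group user and su instead)"
        findings=$((findings + 1))
    fi

    v=$(sshd_directive "$cfg" PasswordAuthentication)
    if [ "$v" != "no" ]; then
        echo "PasswordAuthentication: want no, have '${v:-unset}' (use keys; re-enable only while the Migration Manager needs it)"
        findings=$((findings + 1))
    fi

    v=$(sshd_directive "$cfg" AllowUsers)
    if [ -z "$v" ]; then
        echo "AllowUsers: unset (restrict SSH to the admin account(s))"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Two constructed sshd_config files (not anyone's real config): a permissive
# one in the style of an old default, and a hardened one. "admin" is a
# placeholder account name.
WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# permissive example
Protocol 2,1
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$HARD_CFG" <<'EOF'
Protocol 2
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers admin
EOF

echo "== permissive config =="
check_sshd_config "$WEAK_CFG" || echo "$? finding(s)"
echo "== hardened config =="
check_sshd_config "$HARD_CFG" && echo "no findings"
```

    On a live server run `check_sshd_config /etc/ssh/sshd_config` after the functions are sourced; the permissive sample yields four findings and the hardened one none. Flipping PasswordAuthentication back to yes for a Migration Manager run will show up as a finding until it is reverted, which is a useful reminder to do so.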
     
  5. flupke

    flupke Guest

    0
     
    Thanks to all. I disabled root login, I created a username for the sole purpose of su-ing on my box, I removed SSH 1 (only 2 supported), and increasing the timeout for retrial is also a good idea.

    I would also add IPTABLES rules to the protection list.


    QUESTION: ever heard about solutions like TippingPoint?
     
  6. Amin Taheri

    Amin Taheri Golden Pleskian Plesk Certified Professional

    33
     
    Joined:
    Jul 5, 2007
    Messages:
    1,398
    Likes Received:
    1
    Location:
    Seattle Area
    Yeah, those can't hurt either. Well, that's not true: poorly configured, the TippingPoint can take down your entire network frequently; I've seen it happen in some of my old jobs with people who pretend to know how to configure it :p
     
  7. atomicturtle

    atomicturtle Golden Pleskian

    29
     
    Joined:
    Nov 20, 2002
    Messages:
    2,110
    Likes Received:
    7
    Location:
    Washington, DC
    I know TippingPoint very well, it's a great IDS, just really, really expensive (around 75K per sensor). Much more useful as a network IDS in my opinion. For web environments, mod_security and OSSEC would be my first two picks (and what I use in ASL). You've got much more refined control.

    I'd also recommend looking into using SSH keys to authenticate, and turning off password auth (this would eliminate the threat of brute force attacks completely).

    Personally, I'm not a big fan of using alternate ports for ssh, although it's certainly good for cutting down on the noise. I kind of like to see who is hitting ssh and what they're trying to do, but that's just me. Plus you can use that information in other directions, like creating global IP blocks, or sharing the data (a la DenyHosts) with other people.
     