able to login as root via ssh :-(

Steven Ellis ellis at brouhaha.com
Tue Aug 8 17:33:20 UTC 2006


Don Russell wrote:
> Todd Zullinger wrote:
>     
>>> That's a good idea.... I'm the only one that needs remote access....
>>> and my logs are always showing people "knocking at the door"
>>> sometimes hundreds a day.
>>>     
>>
>> Yep, the same bastards knock on most of our doors too. :)
>>
>> Yet another helpful method for stopping a lot of that is to run ssh on
>> a different port.
>>   
>
> I'm not a big fan of that ... I like to use standard ports for 
> things... to me, changing port numbers is little more than leaving the 
> door key under the flower pot instead of under the mat. :-) Granted, 
> there are approx 65000 flowerpots to choose from. :-)
>
In theory, I agree with your assessment--security by obscurity is no 
real security, however, in practice, if you hid your key under the 
flower pot and hundreds of thousands of your neighbors hid theirs under 
their mats, you've raised the ante for would-be attackers (they'll 
probably only get to you once they've exploited everybody else).  In my 
experience, a simple port move completely eliminated script kiddies 
knocking on my ssh port.  Another method I have successfully used is to 
either use the limit or recent iptables modules.  limit is easier to 
use, but imposes a global limit on the rate of ssh connections--this 
means each script attack will probably only get a few tries to guess 
before the limit is hit--the disadvantage is this can be a DoS attack on 
you getting into your own box (this is a good time to try also running 
ssh on a non-standard port with no rate limit, so you can get in when 
the main port has been rate-limited).  Here's an approximate iptables 
recipe that may suit for limit:

-A <chainname> -m state --state NEW -m tcp -p tcp --dport ssh -m limit --limit 10/hour --limit-burst 3 -j ACCEPT
-A <chainname> -m state --state NEW -m tcp -p tcp --dport ssh -j DROP

This ruleset (if placed in the right spot on the right chain) should 
rate limit ssh connections to 10/hour with a burst limit of 3 (enough 
for my home machine--probably not enough if you have more than a trivial 
number of users).

Here's what I like to use more, now that I seem to have figured out how 
to successfully use the recent module:

-A <chainname> -m state --state NEW -m tcp -p tcp --dport ssh -m recent --update --hitcount 2 --seconds 120 --name sshers -j DROP
-A <chainname> -m state --state NEW -m tcp -p tcp --dport ssh -m recent --set --name sshers -j ACCEPT

This ruleset limits each connecting address to 2 connection attempts 
every 120 seconds (or so I think--at any rate, it does seem to limit 
attackers to only getting two tries--the scripts seem to give up in less 
than 120 seconds).

> If a would-be hacker is put off so easily as a port number change, 
> they are probably harmless anyway. :-)
>
It isn't that they are harmless so much as it is that there are too many 
other easy marks to hit, and/or they are using toolkits that they don't 
really understand.  As long as no naive passwords are being used, or if 
password authentication is disabled, they probably are harmless, even 
so, however, I find the log messages to be quite annoying.

-se
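Added example, not part of the post above and not the poster's own code: a small Python model of the two iptables rulesets Steven describes (the global `limit` bucket and the per-source `recent` window), run over a constructed timeline of NEW ssh connection attempts from two scanning hosts and one administrator. The token-bucket arithmetic for `limit` is an approximation of the kernel module, and the addresses and timings are made up for illustration.

```python
# Added example (not the poster's code): a model of the two iptables
# rate-limiting rulesets from the post, run over a constructed timeline of
# NEW SSH connection attempts, to show how each one behaves.
#   ruleset 1: -m limit --limit 10/hour --limit-burst 3 -j ACCEPT, then DROP
#   ruleset 2: -m recent --update --hitcount 2 --seconds 120 -j DROP,
#              -m recent --set -j ACCEPT
# The limit module is approximated as a token bucket shared by all sources;
# the recent module as a per-source list of timestamps. The addresses and
# timing below are constructed for illustration.
from collections import defaultdict

# Constructed timeline: (seconds, source address). Two scanners each fire a
# quick burst of guesses; the admin tries once early and once again later.
EVENTS = [
    (0, "10.0.0.7"), (5, "10.0.0.7"), (10, "10.0.0.7"),
    (15, "10.0.0.7"), (20, "10.0.0.7"),
    (30, "192.0.2.10"),                       # admin's legitimate login
    (40, "198.51.100.9"), (45, "198.51.100.9"), (50, "198.51.100.9"),
    (300, "192.0.2.10"),                      # admin tries again later
]


def limit_ruleset(events, rate_per_hour=10, burst=3):
    """Approximate `-m limit --limit 10/hour --limit-burst 3`: one token
    bucket for everyone. It starts full (burst tokens), refills one token
    every 3600/rate seconds, and every NEW connection spends one token;
    when the bucket is empty the second rule DROPs, whoever the source is."""
    refill_seconds = 3600.0 / rate_per_hour
    tokens = float(burst)
    last_t = None
    verdicts = []
    for t, src in events:
        if last_t is not None:
            tokens = min(float(burst), tokens + (t - last_t) / refill_seconds)
        last_t = t
        if tokens >= 1.0:
            tokens -= 1.0
            verdicts.append((t, src, "ACCEPT"))
        else:
            verdicts.append((t, src, "DROP"))
    return verdicts


def recent_ruleset(events, hitcount=2, seconds=120):
    """Approximate the recent-module pair: the DROP rule (--update
    --hitcount N --seconds S) matches when the source already has at least
    N timestamps inside the last S seconds and, on a match, records the
    current attempt too (that is what --update does); otherwise the ACCEPT
    rule (--set) records the attempt. Each source gets its own list."""
    stamps = defaultdict(list)
    verdicts = []
    for t, src in events:
        in_window = [s for s in stamps[src] if t - s <= seconds]
        verdict = "DROP" if len(in_window) >= hitcount else "ACCEPT"
        # --update (on a match) and --set (otherwise) both record this packet
        stamps[src] = in_window + [t]
        verdicts.append((t, src, verdict))
    return verdicts


def summarize(verdicts):
    """Per source: (accepted, dropped) counts."""
    counts = defaultdict(lambda: [0, 0])
    for _, src, verdict in verdicts:
        counts[src][0 if verdict == "ACCEPT" else 1] += 1
    return {src: tuple(c) for src, c in counts.items()}


if __name__ == "__main__":
    for name, fn in (("limit", limit_ruleset), ("recent", recent_ruleset)):
        print(f"--- {name} ruleset ---")
        for t, src, verdict in fn(EVENTS):
            print(f"t={t:4d}s  {src:14s} {verdict}")
        print(summarize(fn(EVENTS)))
```

Running it shows the trade-off the post describes: under the `limit` rules the first scanner empties the shared bucket with three attempts, and every later connection, including both of the administrator's, is dropped, since ten tokens an hour refill far too slowly; under the `recent` rules each scanner gets exactly two tries and is then dropped, while the administrator is accepted both times because the count is kept per source address.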




More information about the fedora-list mailing list