* [gentoo-user] OpenSSH security
From: James Colby @ 2006-11-07 19:51 UTC
To: gentoo-user
List members -

I am running OpenSSH on my home Gentoo server. I was examining the
log files for OpenSSH and I noticed multiple login attempts from the
same IP address but with different user names. Is there a simple way
that I can block an IP address from attempting to log in after
something like 3 failed login attempts?

My Gentoo box is connected to a Linksys router connected to my cable
modem; the Linksys is doing port forwarding to my Gentoo box. Also, I
would like to avoid limiting which IP addresses can log into my SSH
server.

Thanks for any ideas,
James
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] OpenSSH security
From: fire-eyes @ 2006-11-07 19:55 UTC
To: gentoo-user
James Colby wrote:
> List members -
>
> I am running OpenSSH on my home gentoo server. I was examining the
> log files for OpenSSH and I noticed multiple login attempts from the
> same IP address but with different user names. Is there a simple way
> that I can block an IP address from attempting to log in after
> something like 3 failed login attempts?
>
> My Gentoo box is connected to a linksys router connected to my cable
> modem, the linksys is doing port forwarding to my gentoo box. Also, I
> would like to avoid limiting which IP addresses can log into my SSH
> server
>
> Thanks for any ideas,
> James
What you're seeing is a common, automated dictionary style attack. There
are several ways to get rid of them.
The simplest way is to install fail2ban and it will create firewall rules.
The next less-simple way is to change the port sshd listens on. The
scripts assume the default of 22.
The best way is to change the port sshd listens on, and also move to key
based authentication, and disable password based authentication. In this
way, even if they got the port, got a real user name, and had the right
password, it would not matter -- They haven't got the key.
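As an added illustration (not part of any message in this thread), the following Python example shows the counting that tools such as fail2ban perform on the sshd log: failed logins are tallied per source address inside a sliding time window, and an address that reaches the threshold is reported. The log lines are constructed, and `find_offenders`, `max_retry` and `find_time` are names chosen for this example, not fail2ban's own code or API.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in classic syslog format; addresses are documentation
# ranges (RFC 5737), not values from the original post.
SAMPLE_LOG = """\
Nov  7 19:40:01 box sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 40312 ssh2
Nov  7 19:40:03 box sshd[4103]: Failed password for invalid user test from 203.0.113.7 port 40320 ssh2
Nov  7 19:40:04 box sshd[4105]: Failed password for james from 198.51.100.20 port 51000 ssh2
Nov  7 19:40:06 box sshd[4107]: Failed password for root from 203.0.113.7 port 40333 ssh2
Nov  7 19:40:09 box sshd[4109]: Accepted password for james from 198.51.100.20 port 51002 ssh2
Nov  7 19:40:10 box sshd[4111]: Failed password for invalid user guest from 203.0.113.7 port 40340 ssh2
Nov  7 19:55:00 box sshd[4200]: Failed password for james from 198.51.100.20 port 51100 ssh2
Nov  7 20:20:00 box sshd[4300]: Failed password for james from 198.51.100.20 port 51200 ssh2
"""

# The user name is remote-controlled text, so the address is taken from the
# fixed tail of the line rather than from the first "from" that appears.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(.+) from (\S+) port \d+ ssh2$"
)

def find_offenders(log_text, max_retry=3, find_time=600, year=2006):
    """Return {ip: sorted user names tried} for addresses with max_retry
    failures inside find_time seconds. syslog has no year, so one is assumed."""
    window = timedelta(seconds=find_time)
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    users = defaultdict(set)      # ip -> user names seen in failed attempts
    offenders = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and other messages
        stamp, user, ip = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        users[ip].add(user)
        recent[ip].append(when)
        while when - recent[ip][0] > window:   # expire old failures
            recent[ip].popleft()
        if len(recent[ip]) >= max_retry:
            offenders[ip] = sorted(users[ip])
    return offenders

if __name__ == "__main__":
    for ip, names in find_offenders(SAMPLE_LOG).items():
        print(f"{ip}: would be banned; tried users {names}")
```

The address with three mistyped passwords spread over forty minutes is not reported, which is the behaviour the original question asks for: the window keeps a legitimate user's occasional failures from adding up to a ban.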
* Re: [gentoo-user] OpenSSH security
From: Brian Davis @ 2006-11-07 20:04 UTC
To: gentoo-user
In addition to fail2ban, look at deny2hosts and sshdfilter.
fire-eyes wrote:
> James Colby wrote:
>
>> List members -
>>
>> I am running OpenSSH on my home gentoo server. I was examining the
>> log files for OpenSSH and I noticed multiple login attempts from the
>> same IP address but with different user names. Is there a simple way
>> that I can block an IP address from attempting to log in after
>> something like 3 failed login attempts?
>>
>> My Gentoo box is connected to a linksys router connected to my cable
>> modem, the linksys is doing port forwarding to my gentoo box. Also, I
>> would like to avoid limiting which IP addresses can log into my SSH
>> server
>>
>> Thanks for any ideas,
>> James
>>
>
>
> What you're seeing is a common, automated dictionary style attack. There
> are several ways to get rid of them.
>
> The simplest way is to install fail2ban and it will create firewall rules.
>
> The next less-simple way is to change the port sshd listens on. The
> scripts assume the default of 22.
>
> The best way is to change the port sshd listens on, and also move to key
> based authentication, and disable password based authentication. In this
> way, even if they got the port, got a real user name, and had the right
> password, it would not matter -- They haven't got the key.
>
* Re: [gentoo-user] OpenSSH security
From: Pavel Sanda @ 2006-11-07 21:40 UTC
To: gentoo-user
> In addition to fail2ban, look at deny2hosts and sshdfilter.
Accidentally, I was solving the same problem today.
I tried to use hosts.allow/deny but it seems sshd doesn't
reflect to them (I have the tcpd USE flag on).
Is OpenSSH on Gentoo supposed to work with these files?
bye,
pavel
* Re: [gentoo-user] OpenSSH security
From: fire-eyes @ 2006-11-07 21:44 UTC
To: gentoo-user
Pavel Sanda wrote:
>> In addition to fail2ban, look at deny2hosts and sshdfilter.
>
> accidentally i was solving the same problem today.
> i tried to use hosts.allow/deny but it seems sshd doesnt
> reflect to them (i have tcpd use flag on).
> is openssh on gentoo supposed to work with these files ?
>
> bye,
> pavel
Only if you have the tcpd USE flag on. I would not rely on it, as it's old
and silly.
* Re: [gentoo-user] OpenSSH security
From: Mick @ 2006-11-07 21:52 UTC
To: gentoo-user
On Tuesday 07 November 2006 20:04, Brian Davis wrote:
> In addition to fail2ban, look at deny2hosts and sshdfilter.
>
> fire-eyes wrote:
> > James Colby wrote:
> >> List members -
[snip]
> >> My Gentoo box is connected to a linksys router connected to my cable
> >> modem, the linksys is doing port forwarding to my gentoo box. Also, I
> >> would like to avoid limiting which IP addresses can log into my SSH
> >> server
> > What you're seeing is a common, automated dictionary style attack. There
> > are several ways to get rid of them.
[snip]
> > The next less-simple way is to change the port sshd listens on. The
> > scripts assume the default of 22.
I use this as it is trivial to edit the sshd port number in /etc/ssh/sshd_config
and /etc/ssh/ssh_config on the client. However, you need to change the ssh
client port back to 22 (or specify it on the command line) next time you
connect to a production server.
> > The best way is to change the port sshd listens on, and also move to key
> > based authentication, and disable password based authentication. In this
> > way, even if they got the port, got a real user name, and had the right
> > password, it would not matter -- They haven't got the key.
I also use this option. Dictionary attacks are totally ineffective as no user
login passwords are accepted - full stop. Only to add to the above that even
if they have the private key, they will still need the secret passphrase to
be able to use it.
You may also want to look in the wiki for port-knocking.
--
Regards,
Mick
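Added example, not from any poster in the thread: a Python check that resolves the effective global settings of an `sshd_config` and reports where it departs from the advice above (non-default port, key authentication on, no password logins). The two sample files, port 2222 and the function names are assumptions made for the example.

```python
# Upstream OpenSSH defaults for the settings discussed in the thread.
DEFAULTS = {"port": ["22"], "passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes", "pubkeyauthentication": "yes"}
# Older configs use the previous name of the keyboard-interactive switch.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sample files (port 2222 is an arbitrary example value).
BEFORE = "#Port 22\nPasswordAuthentication yes\n"
AFTER = """\
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# The next line has no effect: the first value for a keyword wins.
PasswordAuthentication yes
"""

def effective_settings(config_text):
    """Resolve the global section of an sshd_config. Keywords are
    case-insensitive, the first value given wins, Port may repeat.
    Simplification: stops at the first Match block, ignores Include."""
    seen = {}
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].replace("=", " ", 1).split()
        key = ALIASES.get(parts[0].lower(), parts[0].lower()) if parts else ""
        if key == "match":
            break
        if key not in DEFAULTS or len(parts) < 2:
            continue
        if key == "port":
            seen.setdefault("port", []).append(parts[1])
        else:
            seen.setdefault(key, parts[1].lower())
    return {**DEFAULTS, **seen}

def audit(config_text):
    """List where the config departs from the thread's advice."""
    s = effective_settings(config_text)
    findings = []
    if "22" in s["port"]:
        findings.append("sshd listens on the default port 22")
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is enabled")
    if s["kbdinteractiveauthentication"] != "no":
        findings.append("keyboard-interactive is enabled (PAM can prompt for a password)")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled")
    return findings
```

`audit(BEFORE)` returns three findings and `audit(AFTER)` returns none; setting `PasswordAuthentication no` alone still leaves the keyboard-interactive finding, because that method is on by default.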
* Re: [gentoo-user] OpenSSH security
From: Mick @ 2006-11-07 22:13 UTC
To: gentoo-user
On Tuesday 07 November 2006 21:44, fire-eyes wrote:
> Pavel Sanda wrote:
> >> In addition to fail2ban, look at deny2hosts and sshdfilter.
> >
> > accidentally i was solving the same problem today.
> > i tried to use hosts.allow/deny but it seems sshd doesnt
> > reflect to them (i have tcpd use flag on).
> > is openssh on gentoo supposed to work with these files ?
> only if you have tcpd USE flag on. I would not rely on it, as it's old
> and silly.
Only consider it as an additional layer of security, but not a particularly
robust one as IPs and MACs can be easily spoofed. Secure key authentication
is the 'best' simple solution.
--
Regards,
Mick
* Re: [gentoo-user] OpenSSH security
From: Jesper Fruergaard Andersen @ 2006-11-08 3:56 UTC
To: gentoo-user
On Wednesday 08 November 2006 05:52, Mick wrote:
> I use this as it is trivial to edit the sshd port No on
> /etc/ssh/sshd_config and /etc/ssh/ssh_config on the client. However,
> you need to change the ssh client port back to 22 (or specify it on the
> command line) next time you connect to a production server.
I use different ports for sshd on all my servers. You can just add them to
~/.ssh/config once. It works like /etc/ssh/ssh_config. You can add per-host
settings by doing something like this:
----
Host <<Hostname>>
    Port <<Port>>
----
read:
$ man 5 ssh_config
--
Jesper
11:47:46 up 1 day, 3:59, 5 users, load average: 0.51, 0.66, 0.60