Comments on: SSH security woes

By: numerodix

numerodix — Thu, 12 Oct 2006 11:28:26 +0000

You should definitely set up key authentication. I had a headless box running on a non-standard box and I got rooted, someone installed a spambot and started sending out thousands of messages per minute. With key authentication this won't happen, and it beats keeping track of what ip you can login from.

By: Jamie

Jamie — Wed, 11 Oct 2006 19:27:40 +0000

You should probably also look at your packet filter rules. I use NetBSD (and therefore ipf) and explicitly deny everything to port 22 except addresses I know I will be connecting from. Obviously, if you're connecting from many random addresses this isn't practical, but for most people connecting to their home boxes, SSH is generally accessed from only a few known addresses.

Also, ensure privilege separation is enabled, you have disabled SSH v1 and don't use passwords; use (as you suggest) RSA keys; it's painfully simple but prevents your password ever being captured by MITM type attacks.

By: Brian

Brian — Wed, 11 Oct 2006 19:03:08 +0000

Note to self: After installing and running denyhosts, DON'T purposefully fail a root SSH login to test if it works, or you will find your IP address at work added to hosts.deny. Oops. Never mind what I just said about having any sense.

By: Brian

Brian — Wed, 11 Oct 2006 19:00:31 +0000

That looks promising. I am emerging it at we speak. Thanks.

denyhosts.com has an FAQ, and under “What steps can I take to make sshd more secure?” it lists the exact three things I said I've done already / plan to do. Looks like I'm not entirely without sense. (In this particular case.)

By: Steve Dibb

Steve Dibb — Wed, 11 Oct 2006 17:27:01 +0000

Be sure to emerge and setup denyhosts. That'll kick off those nasty IPs for good.