Securing SSH

1) Timothy Alberts
So I set up ssh on a server so I could do some work from home, and I think
the second I opened it every sorry monkey from around the world has been
trying every account name imaginable to get into the system.

What's a good way to deal with this?

_______________________________________________
CentOS mailing list
[email protected: C...@centos.org]
http://lists.centos.org/mailman/listinfo/centos
2) Mike Kercher
iptables, disallow root login via ssh, no valid shell for users that
don't need one, strong passwords, keys would be a good start.

Mike



On Tue, Mar 25, 2008 at 11:48 AM, Tim Alberts <talberts@msiscales.com> wrote:
> So I setup ssh on a server so I could do some work from home and I think
> the second I opened it every sorry monkey from around the world has been
> trying every account name imaginable to get into the system.
>
>  What's a good way to deal with this?
>
3) Rudi Ahlers
Tim Alberts wrote:
> So I setup ssh on a server so I could do some work from home and I
> think the second I opened it every sorry monkey from around the world
> has been trying every account name imaginable to get into the system.
>
> What's a good way to deal with this?
>

1. Change the default port
2. Use only SSH protocol 2
3. Install some brute-force protection which can automatically ban an IP
on, say, 5 / 10 failed login attempts
4. ONLY allow SSH access from your IP, if it's static. Or sign up for a
DynDNS account, and then only allow SSH access from your DynDNS domain

--

Kind Regards
Rudi Ahlers
CEO, SoftDux

Web: http://www.SoftDux.com
Check out my technical blog, http://blog.softdux.com for Linux or other technical stuff, or visit http://www.WebHostingTalk.co.za for Web Hosting stuff

4) James A. Peltier
Rudi Ahlers wrote:
> Tim Alberts wrote:
>> So I setup ssh on a server so I could do some work from home and I
>> think the second I opened it every sorry monkey from around the world
>> has been trying every account name imaginable to get into the system.
>>
>> What's a good way to deal with this?
>>
> 1. Change the default port
> 2. use only SSH protocol 2
> 3. Install some brute force protection which can automatically ban an IP
> on say 5 / 10 failed login attempts
> 4. ONLY allow SSH access from your IP, if it's static. Or signup for a
> DynDNS account, and then only allow SSH access from your DynDNS domain
>

Fail2Ban is a good brute-force protector.  It works in conjunction with
iptables to block IPs that are "attacking" for a set duration of time. :)


--
James A. Peltier
Technical Director, RHCE
SCIRF | GrUVi @ Simon Fraser University - Burnaby Campus
Phone   : 778-782-3610
Fax     : 778-782-3045
Mobile  : 778-840-6434
E-Mail  : [email protected: jpe...@cs.sfu.ca]
Website : http://gruvi.cs.sfu.ca | http://scirf.cs.sfu.ca
MSN     : [email protected: subatomic...@hotmail.com]
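The counting step behind the "ban after N failures" tools recommended in 3) and 4), as an added example that is not part of the thread: it tallies sshd "Failed password" lines per source address over a constructed log sample (documentation-range addresses, not real hosts) and lists the sources at or above a threshold. Fail2Ban and DenyHosts additionally expire bans and push the list into iptables or hosts.deny, which this snippet leaves out.

```shell
#!/bin/sh
# Added example, not from the thread: the per-source failure count that
# Fail2Ban / DenyHosts build their bans on, run over constructed sshd log
# lines. Addresses are from the documentation ranges, not real hosts.
# Only the tally and threshold are shown; expiring bans and writing to
# iptables / hosts.deny are left to the real tools.

SAMPLE_LOG='Mar 25 11:48:01 host sshd[2101]: Failed password for invalid user judy from 192.0.2.10 port 40111 ssh2
Mar 25 11:48:03 host sshd[2103]: Failed password for invalid user frank from 192.0.2.10 port 40112 ssh2
Mar 25 11:48:05 host sshd[2105]: Failed password for root from 192.0.2.10 port 40113 ssh2
Mar 25 11:48:06 host sshd[2107]: Failed password for invalid user bob from 192.0.2.10 port 40114 ssh2
Mar 25 11:48:07 host sshd[2109]: Failed password for mysql from 192.0.2.10 port 40115 ssh2
Mar 25 11:49:00 host sshd[2120]: Failed password for tim from 198.51.100.7 port 50001 ssh2
Mar 25 11:49:20 host sshd[2122]: Accepted publickey for tim from 198.51.100.7 port 50002 ssh2
Mar 25 11:50:00 host sshd[2130]: Invalid user webmaster from 203.0.113.9
Mar 25 11:50:01 host sshd[2130]: Failed password for invalid user webmaster from 203.0.113.9 port 33000 ssh2
Mar 25 11:50:02 host sshd[2132]: Failed password for invalid user named from 203.0.113.9 port 33001 ssh2'

# failed_by_ip < log -> "count ip" per source address, most failures first.
# "invalid user NAME" shifts the field positions, so the address is taken
# as the token after "from" rather than from a fixed column.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# ban_candidates THRESHOLD < log -> addresses with at least THRESHOLD failures.
# A legitimate user who mistypes once (tim above) stays below the threshold.
ban_candidates() {
    failed_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
printf '%s\n' "$SAMPLE_LOG" | ban_candidates 5
```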
5) John R Pierce
Tim Alberts wrote:
> So I setup ssh on a server so I could do some work from home and I
> think the second I opened it every sorry monkey from around the world
> has been trying every account name imaginable to get into the system.

Actually, those 'attempts' are coming from virus-infected systems which
randomly probe for SSH servers.  They try the same sorry 10 or 15
accounts with the same lame 10 or 15 passwords, so it's really just an
annoyance if you're anal about logwatch output.


6) Timothy Alberts
Tim Alberts wrote:
> So I setup ssh on a server so I could do some work from home and I
> think the second I opened it every sorry monkey from around the world
> has been trying every account name imaginable to get into the system.
>
FYI, here's a list of the losers (so far).  I suggest everyone wish 
horrible things happen to these people.

7) Matt Shields
On Tue, Mar 25, 2008 at 12:48 PM, Tim Alberts <talberts@msiscales.com> wrote:
> So I setup ssh on a server so I could do some work from home and I think
> the second I opened it every sorry monkey from around the world has been
> trying every account name imaginable to get into the system.
>
>  What's a good way to deal with this?

DenyHosts - http://denyhosts.sourceforge.net/

Also, when you set it up, set it to download the lists from their
website.  These lists are IPs that other users have found scanning
their network.


--
-matt
8) Timothy Alberts
Mike Kercher wrote:
> iptables, disallow root login via ssh, no valid shell for users that
> don't need one, strong passwords, keys would be a good start.
>
> Mike
>
>

iptables.. add the IP of the attack source to reject?  They keep moving
IP; this is very time consuming (but I am doing it).  I don't allow root
login.  I think I got a good password, and I got keys set up so I know
I'm talking to my server.
9) Timothy Alberts
Rudi Ahlers wrote:
> Tim Alberts wrote:
>> So I setup ssh on a server so I could do some work from home and I
>> think the second I opened it every sorry monkey from around the world
>> has been trying every account name imaginable to get into the system.
>>
>> What's a good way to deal with this?
>>
> 1. Change the default port

I could do that, but if they already know about it, a simple port scan
and they'll probably find it again.  Plus I gotta go tell all my client 
programs the new port and I don't know how to do that on most of them
(what a hassle).

> 2. use only SSH protocol 2
got it.
> 3. Install some brute force protection which can automatically ban an
> IP on say 5 / 10 failed login attempts
The only software I know that could do this isn't supported anymore
(trisentry) or is too confusing and I don't know it yet (snort).  
Suggestions?

> 4. ONLY allow SSH access from your IP, if it's static. Or signup for a
> DynDNS account, and then only allow SSH access from your DynDNS domain
>
Yeah, my home account is on a dynamic IP.  I'd love to set up the firewall
to only allow my home computer.  You're talking about these guys?
http://www.dyndns.com/  Never used them before, but it looks like a good
idea.  Especially since it's free (for 5 hosts) if I read correctly.

10) Timothy Alberts
John R Pierce wrote:
> Tim Alberts wrote:
>> So I setup ssh on a server so I could do some work from home and I
>> think the second I opened it every sorry monkey from around the world
>> has been trying every account name imaginable to get into the system.
>
> actually, those 'attempts' are coming from virus infected systems
> which randomly probe for SSH servers. they try the same sorry 10 or
> 15 accounts with the same lame 10 or 15 passwords, so its really just
> an annoyance if you're anal about logwatch output.
>

Just a virus, you think?  They are some pretty lame account names: judy,
frank, bob.. However, they are mixed with general Linux accounts: root,
ftp, webmaster, mysql, named, etc.  I feel less worried about that (or
should I)?

Or are you just trying to lull me into a false sense of security?  
Muawhahahaha..

11) Ray Van Dolson
>> 1. Change the default port
> I could do that, but if they already know about it, a simple port scan and
> they'll probably find it again. Plus I gotta go tell all my client
> programs the new port and I don't know how to do that on most of them (what
> a hassle).

If you're talking about people who are just scanning your machine and
then doing brute force on the port, changing the port likely will solve
that since these are just automated robots.  A human might actually do
a portscan, but just a port change will probably stop your security
logs from going crazy.

Of course the hassle part may be a show-stopper here. :)

>> 2. use only SSH protocol 2
> got it.
>> 3. Install some brute force protection which can automatically ban an IP
>> on say 5 / 10 failed login attempts
> The only software I know that could do this isn't supported anymore
> (trisentry) or is too confusing and I don't know it yet (snort).
> Suggestions?

denyhosts is pretty widely used.  You could probably also make use of
iptables.

>> 4. ONLY allow SSH access from your IP, if it's static. Or signup for a
>> DynDNS account, and then only allow SSH access from your DynDNS domain
>>
> Yeah my home account is on dynamic IP. I'd love to setup the firewall to
> only allow my home computer. You're talking about these guys?
> http://www.dyndns.com/ never used them before, but it looks like a good
> idea. Especially since it's free (for 5 hosts) if I read correctly.

Ray
12) Theo Band [GreenPeak]
Tim Alberts wrote:
> So I setup ssh on a server so I could do some work from home and I
> think the second I opened it every sorry monkey from around the world
> has been trying every account name imaginable to get into the system.
>
> What's a good way to deal with this?
>

You could consider disallowing password access.
Use only public key authentication. The "attacks" will remain, but can
never succeed. (The scripts are not smart, so they keep trying for hours
sometimes.)

sshd_config:
PasswordAuthentication no

Now create a public/private ssh keypair and put the public key in
~/.ssh/authorized_keys on the remote machine.

# local machine
ssh-keygen -t dsa
scp ~/.ssh/id_dsa.pub remote_host:.ssh/authorized_keys

# remote host
chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh

To be really safe, only allow access from a limited number of IP addresses:

cat ~/.ssh/authorized_keys
from="123.345.133.123,home.com,work.com" ssh-dss AAAAB3NzaC1kc3MA<snip>AqNY= [email protected: m...@email]

Theo
13) Ingemar Nilsson
Tim Alberts wrote:

> I got keys setup so I know
> I'm talking to my server.

This is probably not what he meant. You can use a key pair to
authenticate with the SSH server and turn off password authentication
entirely. That makes password guessing attacks utterly impossible,
because the server will only accept a response signed with your private key.

ssh-keygen -t rsa

or

ssh-keygen -t dsa

generates a key pair. Do this on your local machine, and append the
contents of your $HOME/.ssh/id_rsa.pub (or id_dsa if you chose DSA
instead of RSA) to your $HOME/.ssh/authorized_keys file on the remote
system.

This method is somewhat more complicated to set up, since all users must
have public keys in their $HOME/.ssh/authorized_keys file, or they can't
log in.

Regards
Ingemar
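An added example, not code from any of the posters, that checks an sshd_config for the settings recommended in 2), 3), 12) and 13) (PermitRootLogin, PasswordAuthentication, Protocol, Port). It reproduces sshd's first-match rule, so a hardening line appended below an earlier conflicting value is reported as ineffective; the two sample configs are constructed, and the Match block in the second one stands in for any per-user exception.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings
# recommended above. sshd keeps the FIRST value it sees for each keyword, so
# "PasswordAuthentication no" appended below an earlier "yes" changes nothing;
# the awk below applies that first-match rule and stops at the first Match
# block, whose settings are conditional and do not alter the global value.

# sshd_effective FILE KEYWORD -> global value of KEYWORD ("Key value" or
# "Key=value", keyword case-insensitive); prints nothing when it is absent
# and the compiled-in default applies.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/                     { next }  # comment or blank line
        /^[ \t]*[Mm][Aa][Tt][Cc][Hh][ \t]/ { exit }  # global section ends here
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)
            n = split(line, f, /[ \t]+/)
            if (n >= 2 && tolower(f[1]) == key) { print f[2]; exit }
        }' "$1"
}

# sshd_findings FILE -> one line per weak setting; exit status = number found.
sshd_findings() {
    found=0
    v=$(sshd_effective "$1" PermitRootLogin)
    [ "$v" = "no" ] || { echo "PermitRootLogin=${v:-<default>}: set it to no"; found=$((found + 1)); }
    v=$(sshd_effective "$1" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "PasswordAuthentication=${v:-<default>}: use keys only"; found=$((found + 1)); }
    v=$(sshd_effective "$1" Protocol)
    case "$v" in *1*) echo "Protocol=$v: allow protocol 2 only"; found=$((found + 1)) ;; esac
    return "$found"
}

# Constructed sample configs (hypothetical hosts), written to a temp dir.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
weak="$tmp/sshd_config.weak"; hard="$tmp/sshd_config.hard"
cat > "$weak" <<'EOF'
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
EOF
cat > "$hard" <<'EOF'
Port 2222
Protocol 2
PermitRootLogin no
passwordauthentication = no
Match User backup
    PasswordAuthentication yes
EOF

sshd_findings "$weak" || echo "$weak: $? weak setting(s)"
sshd_findings "$hard" && echo "$hard: hardened, sshd on port $(sshd_effective "$hard" Port)"
```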
14) David Mackintosh
On Tue, Mar 25, 2008 at 09:48:17AM -0700, Tim Alberts wrote:
> So I setup ssh on a server so I could do some work from home and I think
> the second I opened it every sorry monkey from around the world has been
> trying every account name imaginable to get into the system.
>
> What's a good way to deal with this?

This is what I do.

http://wiki.xdroop.com/space/Linux/Limited+SSH+Access

--
/\oo/\
/ /()\ \ David Mackintosh |
[email protected: d...@xdroop.com] | http://www.xdroop.com

15) John R Pierce
Tim Alberts wrote:
> iptables..add the ip of the attack source to reject? They keep moving
> IP, this is very time consuming (but I am doing it).
...

Stop thinking 'they'; that implies there's someone intentionally
targeting you.  It's just viruses randomly squirting out connection
requests from 1000s of infected hosts around the world.

16) Timothy Alberts
David Mackintosh wrote:
> On Tue, Mar 25, 2008 at 09:48:17AM -0700, Tim Alberts wrote:
>   
>> So I setup ssh on a server so I could do some work from home and I think
>> the second I opened it every sorry monkey from around the world has been
>> trying every account name imaginable to get into the system.
>>
>> What's a good way to deal with this?
>>     
>
> This is what I do.
>
> http://wiki.xdroop.com/space/Linux/Limited+SSH+Access
>
>

That sounds great for getting around a remote dynamic IP address, but
some more authentication/security on that web page is necessary;
otherwise, anyone who finds that web page is given access?

17) Timothy Alberts
Oh no.. they're out there. They're watching us now. They know we're talking about them. :)