Welcome to CSAM Day 17! Today is brought to you by Secure Shell (SSH) commonly deployed on port 22/TCP.
SSH has become ubiquitous as a mechanism for command line access to *nix systems, and is sometimes deployed on Windows systems as well. As the Dshield graph for port 22 shows, it is a popular target for attackers. These attacks usually take the form of attempts to brute force root accounts and other accounts with weak passwords.
My primary method of protecting SSH servers is threefold:
What strategies do you use to secure SSH?
Do you have any strategies for protecting SSH servers deployed on Windows?
Please submit your suggestions through our contact form or via the diary comment system. I will summarize throughout the day.
Faisal pointed out that I was remiss in not mentioning SSH keys. If you use keys for authentication and disable password authentication via SSH then SSH brute force attacks cannot succeed. In OpenSSH password authentication can be turned off by setting PasswordAuthentication to "no".
Joanne points out that there are alternatives to using brute force prevention tools. In her case she uses the iptables firewall to only permit one SSH connection, successful or not, every three minutes. Joanne also points out that if you must use passwords at least make sure the users use good ones.
Ned maintains a securing SSH page over at the CentOS wiki. It describes in detail how to implement some of the ideas presented here and more.
Sven sent a number of strategies. First he suggested using AllowGroups to limit access to a group of people. He also recommended that if users only require file transfer capability alternative shells like scponly can be utilized. He also points to ChrootDirectory which can be used as a chroot jail for SSH.
Gerard is a fan of sshdfilter. It is another of the anti-brute forcing tools, but it is an ssh wrapper and doesn't use tcpwrappers for blocking but rather creates iptables or ipfw rules to facilitate the blocking.
-- Rick Wanner - rwanner at isc dot sans dot org
Oct 17th 2009
|Thread locked Subscribe||
Oct 17th 2009
1 decade ago