
Tips for protecting SSH

Firejack
Grafter
Posts: 921
Registered: 26-06-2007

Tips for protecting SSH

Currently my home box is being hammered from multiple sources attempting to discover my login details to my SSH server. So many attempts in fact the SSH daemon crashed a little while ago :roll:

How do I go about securing it more tightly as at this rate of login attempts they will probably have guessed my username in a few days :shock:

I know you can limit SSH logins to one IP but I move around a bit and don't always know the external IP of the machine I'm connecting from.

Any ideas?

Cheers Smiley
13 REPLIES
N/A

Tips for protecting SSH

1) google for "port knocking"
2) change the port SSHd runs on
N/A

Tips for protecting SSH

Hey Buz,

Actually this is a good one. How do you change the port SSH runs on if you only have root SSH access to the server?

This is something that was mentioned on VoIP the other night with a mate, as using the standard port 22 isn't really a secure way.

Also you say port knocking? Would something like IPChain work?

Regards,
N/A

Tips for protecting SSH

You change the port with the -D flag, this would start a 2nd instance of the SSHd running on that port, or you can edit the sshd.conf file and change the port that way then do a

sshd restart

to restart the sshd

Port knocking is different, it is where you set up a set of ports that you must connect to in a certain order with a certain protocol (say telnet) in order to allow another port to be opened. eg

telnet 20
telnet 1356
telnet 7654
telnet 8888


in that order would open port 22 for SSH
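
The server side of the knock sequence described above, as an added example that is not part of the original post: a per-source tracker that only admits an address to port 22 after it has hit the four ports in order. The 10-second window, the reset-on-wrong-port rule, the class and function names, and the sample addresses are assumptions made for the illustration.

```python
# Added illustration: server-side port-knock tracking (not code from the thread).
KNOCK_SEQUENCE = (20, 1356, 7654, 8888)  # ports listed in the post above
PROTECTED_PORT = 22
WINDOW_SECONDS = 10.0  # assumption: the whole sequence must finish within this time


class KnockTracker:
    """Tracks each source address's progress through the knock sequence."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
        self.sequence = tuple(sequence)
        self.window = window
        self.progress = {}    # src_ip -> (next index expected, time of first knock)
        self.allowed = set()  # sources that completed the sequence (never expired here)

    def observe(self, src_ip, dst_port, now):
        """Feed one inbound connection attempt; True means src_ip may reach port 22."""
        if dst_port == PROTECTED_PORT:
            return src_ip in self.allowed
        idx, started = self.progress.get(src_ip, (0, now))
        if idx and now - started > self.window:
            idx, started = 0, now              # too slow: start over
        if dst_port == self.sequence[idx]:
            idx += 1                           # correct next knock
        elif dst_port == self.sequence[0]:
            idx, started = 1, now              # wrong knock, but it restarts the sequence
        else:
            idx = 0                            # any other port resets progress
        if idx == len(self.sequence):
            self.allowed.add(src_ip)
            self.progress.pop(src_ip, None)
        elif idx:
            self.progress[src_ip] = (idx, started)
        else:
            self.progress.pop(src_ip, None)
        return False


def replay(events):
    """Run constructed (src_ip, dst_port, time) events; return the sources allowed to SSH."""
    tracker = KnockTracker()
    for src_ip, dst_port, now in events:
        tracker.observe(src_ip, dst_port, now)
    return tracker.allowed


# Constructed sample traffic: one client knocking correctly, one sequential port scan.
CLIENT = [("203.0.113.5", p, float(i)) for i, p in enumerate(KNOCK_SEQUENCE)]
SCAN = [("198.51.100.7", p, 5.0) for p in range(1, 9000)]
```

Because any wrong port resets progress, a scan that walks the port range touches all four knock ports yet never completes the sequence. A fixed sequence sent in the clear can be replayed by anyone who observes it on the wire, so it sits in front of SSH authentication rather than replacing it.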
N/A

Tips for protecting SSH

Sounds interesting Buz.

might be worth investigating that one.

Hows life in general then ? and your work, hows that coming along?

PS Cheers for the above matey Wink
N/A

Tips for protecting SSH

I got fed up of seeing all the sshd attacks against my machine*, so I just moved my external sshd port to a different one and kept it as 22 for the rest of the lan/vpn

* actually I got fed up with firewalling off entire APNIC netblocks, I'd firewall off all of APNIC if it didn't include Australia
N/A

Tips for protecting SSH

Personally I think it's much better not to move daemons off their standard ports as it's messy, especially if you have to deal with lots of boxes.

It's much better to actually firewall the port the daemon is listening on and lock it down to a select group of IPs you connect from.

If you wanted to be even more secure, set up a VPN using something like openvpn, or pure ipsec, and don't bind ssh to an external interface.
N/A

Tips for protecting SSH

or just remember what port you changed it to :p
N/A

Tips for protecting SSH

But Buz,

changing the port won't stop it being attempted,

I kind of think sn00kie's idea was the best, putting it behind a decent firewall.
N/A

Tips for protecting SSH

gagdget yes it will.. by 99% of the scanners, as they check to see if port 22 is open, and if so they attack it cos they think it's SSHd, if they see port 30245 is open they won't attack cos they won't know what it is (and yes you can hide it from header checks by changing the headers). It's security through obscurity but for most attacks like this it will work, as the scanners are set to scan for specific ports etc
N/A

Tips for protecting SSH

Yes and no, most scanners will target specific ports first, but then will scan a range of ports for a response and try and get the computer to respond.
N/A

Tips for protecting SSH

yes and if you change the headers they won't know what service they just found
N/A

Tips for protecting SSH

like I said before, why even bother letting them get to the application layer, kick them off at layer 3, it's far more efficient

i acl all mine with tcp wrappers and pf

Changing headers does nothing really as they can still target the port and push all their exploits at it, plus it does nothing against certain layer 3 attacks
N/A

Tips for protecting SSH

I never said it would fully stop it, nothing will ever fully stop anything -- it just makes it a lot harder for an attacker to know what to do -- also the kind of attacks he is facing are probably all by autohax0rs run by skiddies so they will just pass a box that does not seem easy to hack