[kwlug-disc] Tightening up SSH

[Adam Glauser]

On 19/07/2010 8:37 AM, Johnny Ferguson wrote:
> Recently I've been seeing a lot of activity in /var/log/auth.log (of the
> sshd sort). Sometimes 5 straight hours of brute force attacks.

Yikes!  I guess I should start checking my logs too.


> SO, just wondering what advice anyone could offer on hardening SSH. I
> might be a little paranoid, but I think it's still in the range of being
> healthy.

As Dave Cramer mentioned, it is best to use public key authentication 
instead of username/password authentication.  The odds of a brute-force 
attack succeeding go up dramatically.  I suspect that no one even 
bothers, and instead goes after the ssh servers that use 
username/password authentication.  This can be a bit of a hassle 
however, as you need to have your keypair available whenever you want to 
sign in to your ssh server.


> P.S. How do 2 machines determine an encryption key and communicate this
> to eachother without giving the key away? Are there any good articles on
> how SSH works and what potential vulnerabilities are?

SSH uses the Diffie-Hellman Key Exchange protocol to establish a shared 
secret for the session.  It's pretty cool stuff, the Wikipedia article* 
has a pretty good explanation of the theory.  You might want to read a 
bit about modular arithmetic** first if you don't already understand it.

RFC4419*** describes some of the security considerations surrounding the 
DH process.

*   http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
**  http://en.wikipedia.org/wiki/Modular_arithmetic
*** http://www.ietf.org/rfc/rfc4419.txt