[kwlug-disc] Tightening up SSH
Dave Cramer
davec at visibleassets.com
Mon Jul 19 10:23:32 EDT 2010
On Mon, Jul 19, 2010 at 10:09 AM, Khalid Baheyeldin <kb at 2bits.com> wrote:
> On Mon, Jul 19, 2010 at 8:37 AM, Johnny Ferguson <hyperflexed at gmail.com>
> wrote:
>>
>> I'm relatively new to SSH, though I've come to love it very quickly.
>>
>> Recently I've been seeing a lot of activity in /var/log/auth.log (of the
>> sshd sort). Sometimes 5 straight hours of brute force attacks. I've
>> currently only whitelisted a single user. While I feel reasonably safe and
>> nothing has cracked yet, I live in constant fear of my account getting
>> cracked open, at which time it would take no more than:
>>
>> sudo rm -rf /
>>
>> SO, just wondering what advice anyone could offer on hardening SSH. I
>> might be a little paranoid, but I think it's still in the range of being
>> healthy.
>>
>> -Johnny
>>
>> P.S. How do 2 machines determine an encryption key and communicate this to
>> each other without giving the key away? Are there any good articles on how
>> SSH works and what potential vulnerabilities are?
>
> The single most effective thing you can do to prevent these types of attacks
> is run ssh on a non standard port.
>
> This will stop these automated scans right away.
>
> Edit your sshd config (on Debian/Ubuntu it is in /etc/ssh/sshd_config), and
> change:
>
> Port 22
>
> To:
>
> Port 2123
>
> Restart ssh, and you are done.
>
> This means that those who are logging in to your server need to specify the
> new port, so instead of:
>
> ssh myuser at example.com
>
> They should use:
>
> ssh -p2022 myuser at example.com
>
> And for scp, they need to use the -P (upper case) instead.
>
> If that gets tedious they can edit their .ssh/config file and add the port
> there for each host.
>
> Host ex
> HostName example.com
> User myuser
> Port 2123
>
> Host ex2
> HostName test2.example.com
> User otheruser
> Port 2123
>
> They can now just use:
>
> ssh ex2 or ssh ex, and ssh will fill in the port and user.
>
>
I disagree. Any security mechanism that relies on obscurity is not
secure. Just harden it. It's trivial to port scan you anyway.
Dave
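A small audit script for the "just harden it" advice above, added here as an example and not code from anyone in the thread. It checks an sshd_config against an assumed baseline (key-only logins, no root login, an explicit AllowUsers list); the directive names are real OpenSSH options, while the baseline, the function names and the sample config are my own choices.

```bash
#!/bin/sh
# Audit an sshd_config against a small hardening baseline (assumed, not from
# the thread). Usage: audit_sshd_config /etc/ssh/sshd_config
# Prints one FAIL line per weak or missing setting; the return code is the
# number of failures, so 0 means the file meets the baseline.

sshd_value() {
    # Print the first effective value of directive $2 in file $1. sshd honours
    # the first occurrence of a directive; comments and case are ignored.
    # Settings inside Match blocks are deliberately not considered.
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/          { next }
        tolower($1) == "match"    { exit }
        tolower($1) == key        { print $2; exit }
    ' "$1"
}

audit_sshd_config() {
    file="$1"
    fails=0
    check() {  # check DIRECTIVE EXPECTED_VALUE
        got="$(sshd_value "$file" "$1")"
        if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$2" ]; then
            echo "FAIL: $1 is '${got:-unset}', want '$2'"
            fails=$((fails + 1))
        fi
    }
    # Brute-force guessing only works against password logins, so the
    # baseline requires keys and explicitly disables the password paths.
    check PasswordAuthentication no
    check ChallengeResponseAuthentication no
    check PubkeyAuthentication yes
    check PermitRootLogin no
    # Restrict logins to named accounts rather than every local user.
    if [ -z "$(sshd_value "$file" AllowUsers)" ]; then
        echo "FAIL: AllowUsers is unset; list the accounts allowed to log in"
        fails=$((fails + 1))
    fi
    return "$fails"
}
```

Changing the port, as suggested earlier in the thread, does not affect any of these checks; the script only reports whether password and root logins are still reachable once the scanner finds the port.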