JP Vossen on 12 Jun 2009 09:20:32 -0700



Re: [PLUG] SSH in general from: Re: Pros and cons of key-pair based vs password based SSH...


 > Date: Fri, 12 Jun 2009 04:53:57 -0700 (PDT)
 > From: Edmond Rodriguez <erodrig_97@yahoo.com>
 >
 > I recently allowed a port for ssh (default settings) on my
 > machine/router so a friend could try and connect to it.
 >
 > Within days someone tried to log on to my machine over 30,000 times in
 > about one hour's time.
 >
 > What I found surprising was that ssh by default did not recognize
 > this rapid fire attempt to log on my machine and create some sort of
 > delay between each attempt.

Yeah, I find that surprising too.


 > I guess all the configurations that have been written about recently
 > help prevent such password guessing games.  I guess they eliminate the
 > idea of an unknown machine trying to log on.

Sort of.  They prevent it from working, but not from someone trying and 
wasting bandwidth and log space.


 > If possible at all, do
 > they limit the number of times an unauthorized person can try to log
 > on?

Not in OpenSSH, as far as I know.  'man sshd'?


 > Having seen the attempts to log into my machine, I learned there are
 > ways with iptables and I think ssh itself (recent discussion at a PLUG
 > meeting) to cause it to delay some time after a few attempted logins.
 > So that if someone tries unsuccessfully to log in say 10 times, a
 > delay will be created to force a one minute wait time before the next
 > attempt.

We've beaten this to death before, look in the archives, your OS repos 
or Google for things like:

fail2ban - bans IPs that cause multiple authentication errors
	http://debaday.debian.net/2007/04/29/fail2ban-an-enemy-of-script-kiddies/
	http://www.debian-administration.org/articles/250
	http://www.fail2ban.org/wiki/index.php/Main_Page = fail2ban
denyhosts - a utility to help sys admins thwart ssh hackers
	http://denyhosts.sourceforge.net/ = denyhosts
sshguard - protects from brute force attacks against ssh


Personally, I just change the port in '/etc/ssh/sshd_config', on the 
'Port 22' line.  This is not security through obscurity since it is only 
one layer; I don't depend on it.  But it keeps my logs nice and clean 
and no one pounds my servers all day long.

OTOH, depending on what else is on the machine and what port you choose, 
you may have trouble getting to the machine if there are strong firewall 
egress filters or ports are otherwise blocked where you are coming from 
(I had to get a special exception for the port in the FW at work).  And 
while putting SSH on something like 443 will ensure you can get there 
(unless there's an SSL proxy), it isn't going to keep much trash out of 
your logs.  And you *are* using logcheck, right?

It also complicates using SSH, scp, rsync, svn, git, etc., since you now 
need to specify a port.  NOTE that ssh uses -p 22 while scp needs -P 22. 
And of course change the 22 to whatever you used.  Samples:

$ rsync -av --rsh="ssh -p 22" some/file user@some.host:/tmp
$ export SVN_SSH='ssh -p 22'
$ svn up

Finally, you can 'man ssh_config' and create 'Host' entries in 
~/.ssh/config that specify the hostname and port and so forth.  That 
turns out to be really handy, as we've been covering earlier in this 
thread.  I gave some port-forwarding examples of that here: 
http://princessleia.com/plug/2008-SSH_port_forwarding_as_VPN.pdf

Later,
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|      http://bashcookbook.com/
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
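As an added example that is not part of JP's post or the thread: a small POSIX shell/awk check that does, over constructed sshd log lines, what the fail2ban/denyhosts/sshguard tools mentioned above do continuously: count "Failed password" lines per source address and list the sources at or above a threshold. The log lines, the addresses and the threshold of 3 are constructed assumptions.

```shell
# Added example (not from JP's post): count failed sshd password attempts
# per source address in constructed auth.log lines and flag sources over a
# threshold, the same signal fail2ban/denyhosts/sshguard act on.
# Assumes POSIX sh with awk and sort; the log lines below are constructed.

SAMPLE_LOG='Jun 12 04:53:57 host sshd[1234]: Failed password for root from 192.0.2.10 port 40122 ssh2
Jun 12 04:53:58 host sshd[1235]: Failed password for invalid user admin from 192.0.2.10 port 40123 ssh2
Jun 12 04:53:59 host sshd[1236]: Failed password for root from 192.0.2.10 port 40124 ssh2
Jun 12 04:54:00 host sshd[1237]: Accepted publickey for jp from 198.51.100.7 port 50000 ssh2
Jun 12 04:54:01 host sshd[1238]: Failed password for jp from 198.51.100.7 port 50001 ssh2
Jun 12 04:54:02 host sshd[1239]: Failed password for root from 192.0.2.10 port 40125 ssh2'

# failed_per_source: print "<count> <ip>" for every source address with at
# least one "Failed password" line, highest count first.  The address is the
# field after "from", which also handles the "invalid user NAME" variant.
failed_per_source() {
    printf '%s\n' "$1" |
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' |
    sort -rn
}

# offenders: print only the sources at or above the threshold (default 3),
# i.e. the addresses a ban tool would add to its deny list.
offenders() {
    threshold=${2:-3}
    failed_per_source "$1" | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# With the sample above this prints only 192.0.2.10 (4 failures); the one
# failure from 198.51.100.7 stays below the threshold.
offenders "$SAMPLE_LOG"
```

The same function works on a real file with `offenders "$(cat /var/log/auth.log)"`, and a threshold of 1 lists every source that failed at least once.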