Rich Kulawiec on 26 Jul 2017 09:18:05 -0700



Re: [PLUG] SSH Hardening : Request for Best Practices


On Wed, Jul 26, 2017 at 09:07:56AM -0400, Louis K wrote:
> I'd love to hear people's general recommendations for best practices [..]

As I said recently in a thread about firewalls, do NOT allow the entire
planet to connect unless you have to...and in your case, it doesn't
sound like you do.

ipdeny.com has the aggregated network ranges in CIDR form for every
country on the Internet, collected in a convenient tarball:

	http://ipdeny.com/ipblocks/data/countries/all-zones.tar.gz

Deny everything, then only allow connections from the ones you need to.
(And again, referring to earlier thread, deny connections from anything
on the DROP and EDROP lists regardless of country.)

I also suggest -- unless you have an operational need for it -- blocking
all attempts originating from operations with a history of systemic,
chronic abuse, e.g., AWS.  Below is a skeleton pf.conf file that will
give you a starting point: do NOT deploy this without (a) a full
understanding of exactly what it does and doesn't do and (b) changes
suitable for your environment.  It is NOT complete.  It's intended
as an example and a starting point, no better.  This particular one
presumes that it's running on the host that's running ssh.  Note that
it includes a config file named pf.probers, which is a handy place
for dumping hosts/networks that prove themselves to be annoying
despite all of these precautions.

---rsk

# define my own network interface
myboard = "{ eth0 }"

# define my own addresses
myself = "{ 192.168.0.1 }"

# log packet statistics
set loginterface eth0

# just drop unwanted traffic
set block-policy drop

# define table for Spamhaus DROP list
table <droplist> persist file "/etc/pf/pf.droplist"

# define table for Spamhaus EDROP list
table <edroplist> persist file "/etc/pf/pf.edroplist"

# define table for bad hosts which poke at ssh
table <probers> persist file "/etc/pf/pf.probers"

# define table for US-based networks
table <us> persist file "/etc/pf/pf.us"

# define table for amazon cloud
table <amazon> persist file "/etc/pf/pf.amazon"

# end definitions; begin rules

# drop all incoming traffic from droplist, edroplist
block quick log on $myboard from <droplist> to $myself
block quick log on $myboard from <edroplist> to $myself

# drop incoming traffic from probers to ssh
block quick log on $myboard proto tcp from <probers> to $myself port ssh

# drop incoming traffic from amazon cloud to ssh
block quick log on $myboard proto tcp from <amazon> to $myself port ssh

# drop incoming traffic from everywhere but the US to ssh
# (neither rule is "quick", so pf's last-match-wins applies: the pass
#  below overrides the block for sources listed in <us>)
block log on $myboard proto tcp to $myself port ssh
pass log on $myboard proto tcp from <us> to $myself port ssh

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug