Sunday, September 9, 2007

Thwarting SSH Attacks

Oh my gosh! These SSH attacks are getting worse by the minute. A few months ago I found that one of my accounts on my desktop had been hacked and was sponsoring bandwidth to some IRC bots and abusive scanning. The problem was that I had set up a user with a lame password for a friend of mine so he could get used to the Linux command line. Even though I asked him to change the password, he didn't, and that resulted in a complaint from a server to my ISP. Having investigated a little, I found a huge auth.log full of brute-force attempts at SSH passwords.
Yesterday I started my ssh server on the laptop and, because I was very busy, I left the laptop running. Today I came home to find a 300K /var/log/auth.log file (which, for a freshly installed box with 22h of uptime, is a lot in my opinion). Something had to be done. I hardened my sshd config and searched for something to throttle down the attacks.

Securing SSH

Installing ssh is a breeze. Just type pacman -S openssh and add sshd to the DAEMONS line in /etc/rc.conf.
Now let's take a look at our sshd config and see what we can do to harden our existing installation.
sudo vi /etc/ssh/sshd_config

  • Delete the comment before #Port 22 and give it something like 2222.
  • The protocol should always be set to Protocol 2, because Protocol 1 is insecure.
  • LoginGraceTime 30
  • PermitRootLogin no. Actually it is better to disallow root from the securetty file (more on that later).
  • PasswordAuthentication no, as you only want people to log in if they have a private key (more on that subject later).
  • Banner /etc/issue.ssh - Put some text in this file, something like: Unauthorized access prohibited. Any activity will be logged.
