From: Nix on 15 Jan 2006 12:59

On Sat, 14 Jan 2006, Colin McKinnon mused:
> Honestly, for a small system not holding secure data I don't think it's worth
> the effort - by all means restrict the hosts which can connect to port 22
> on the machine in its firewall and with appropriate entries for tcp
> wrappers (man 5 hosts_access). Another step I'd recommend is to only allow
> ssh logins for users of a specific group (AllowGroups in sshd_config).
> Definitely don't allow root logins via ssh.

I'd say turn PasswordAuthentication off, too. Stick with key-based
authentication only.

The vast majority of attacks on SSH are attacks on bad passwords; I've
had some twit trying for most of today and yesterday, four or five
requests a second...

....
Jan 15 15:23:17 esperi info: sshd[11806]: Invalid user molly from 208.187.226.110
Jan 15 15:23:19 esperi info: sshd[11808]: Invalid user molly from 208.187.226.110
Jan 15 15:23:21 esperi info: sshd[11810]: Invalid user molly from 208.187.226.110
Jan 15 15:23:23 esperi info: sshd[11812]: Invalid user molly from 208.187.226.110
Jan 15 15:23:25 esperi info: sshd[11814]: Invalid user molly from 208.187.226.110
Jan 15 15:23:27 esperi info: sshd[11816]: Invalid user sophie from 208.187.226.110
Jan 15 15:23:29 esperi info: sshd[11818]: Invalid user sophie from 208.187.226.110
Jan 15 15:23:31 esperi info: sshd[11820]: Invalid user sophie from 208.187.226.110
Jan 15 15:23:33 esperi info: sshd[11824]: Invalid user sophie from 208.187.226.110
Jan 15 15:23:35 esperi info: sshd[11826]: Invalid user sophie from 208.187.226.110
Jan 15 15:23:37 esperi info: sshd[11829]: Invalid user sophie from 208.187.226.110
Jan 15 15:23:39 esperi info: sshd[11831]: Invalid user sophie from 208.187.226.110
Jan 15 15:23:41 esperi info: sshd[11833]: Invalid user sophie from 208.187.226.110
Jan 15 15:23:43 esperi info: sshd[11835]: Invalid user sophie from 208.187.226.110
Jan 15 15:23:45 esperi info: sshd[11837]: Invalid user sophie from 208.187.226.110
Jan 15 15:23:47 esperi info: sshd[11839]: Invalid user sophie from 208.187.226.110
Jan 15 15:23:49 esperi info: sshd[11841]: Invalid user sophie from 208.187.226.110
Jan 15 15:23:51 esperi info: sshd[11843]: Invalid user sophie from 208.187.226.110
Jan 15 15:23:53 esperi info: sshd[11845]: Invalid user sophie from 208.187.226.110
Jan 15 15:23:55 esperi info: sshd[11847]: Invalid user sophie from 208.187.226.110
Jan 15 15:23:57 esperi info: sshd[11849]: Invalid user sophie from 208.187.226.110
Jan 15 15:23:59 esperi info: sshd[11851]: Invalid user sophie from 208.187.226.110
Jan 15 15:24:01 esperi info: sshd[11853]: Invalid user sophie from 208.187.226.110
Jan 15 15:24:03 esperi info: sshd[11857]: Invalid user sophie from 208.187.226.110
Jan 15 15:24:07 esperi info: sshd[11861]: Invalid user alexa from 208.187.226.110
Jan 15 15:24:10 esperi info: sshd[11864]: Invalid user alexa from 208.187.226.110
Jan 15 15:24:12 esperi info: sshd[11866]: Invalid user alexa from 208.187.226.110
Jan 15 15:24:14 esperi info: sshd[11872]: Invalid user alexa from 208.187.226.110
Jan 15 15:24:17 esperi info: sshd[11879]: Invalid user alexa from 208.187.226.110
....

With PasswordAuthentication off, all they're doing is tarpitting
themselves and wasting their time.

--
`I must caution that dipping fingers into molten lead presents several
serious dangers.' --- Jearl Walker
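The sshd_config settings recommended in this thread (PermitRootLogin no, PasswordAuthentication no, AllowGroups) can be checked mechanically. The following is an added example, not code from any poster; it assumes sshd's rule that the first value given for a keyword wins and that keywords are case-insensitive, treats "yes" as the assumed default for PasswordAuthentication and PermitRootLogin when the keyword is absent, stops at the first Match block as a simplification, and the two configs it audits are constructed for illustration:

```python
"""Audit an sshd_config for the settings discussed in this thread.

Added example, not code from the thread. Assumptions: sshd's first-value-wins
rule, case-insensitive keywords, assumed defaults of 'yes' for
PasswordAuthentication and PermitRootLogin, and constructed sample configs.
"""
import re

# Keyword -> value sshd assumes when absent (assumed default), the value(s)
# that count as hardened (None = "just needs to be set"), and why it matters.
CHECKS = {
    "passwordauthentication": {"default": "yes", "want": {"no"},
        "why": "password logins are what the brute-force bots attack; keys only"},
    "permitrootlogin": {"default": "yes", "want": {"no"},
        "why": "root is the one username every bot tries"},
    "allowgroups": {"default": None, "want": None,
        "why": "limit ssh logins to members of a named group"},
}


def parse_sshd_config(text):
    """Return {lowercase keyword: first value} for the global section.

    Stops at the first 'Match' line because settings inside a Match block
    apply only conditionally (simplification for this example).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key Value" or "Key=Value"
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)                 # first occurrence wins
    return settings


def audit(text):
    """Return a list of (keyword, effective value, why) for each weak setting."""
    settings = parse_sshd_config(text)
    findings = []
    for key, rule in CHECKS.items():
        value = settings.get(key, rule["default"])
        if rule["want"] is None:
            ok = bool(value)                            # present with any value
        else:
            ok = value is not None and value.lower() in rule["want"]
        if not ok:
            findings.append((key, value, rule["why"]))
    return findings


# Constructed: a stock-looking config that leaves the defaults in place ...
WEAK_CONFIG = """\
Port 22
Protocol 2
#PermitRootLogin yes
#PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# ... and the same config with the settings this thread recommends.
HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups sshusers
Subsystem sftp /usr/lib/openssh/sftp-server
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for key, value, why in audit(cfg):
            print(f"  {key} = {value!r}: {why}")
```

Commented-out keywords in the weak config are the trap: sshd treats them as absent and falls back to its defaults, so the audit reports them exactly as if the file said "yes".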
From: alexd on 15 Jan 2006 13:26

Martin Gregorie wrote:
> I thought that ssh / sftp / scp were probably where it was at but wanted
> to make sure that, say, a VPN approach wasn't better. I use ssh within
> my LAN but know next to nothing about the ins and outs of secure
> Internet communications.

SSH is great when you want a quick connection that just works without too
much messing about. You can get shell access, copy a few files with scp,
etc etc.

A VPN is probably a better solution where you have a network of > 1
machines that you want to connect to another network, on a semi-permanent
basis, and where you might be using protocols that, heaven forbid, aren't
secure enough to use naked on the internet [telnetting into ancient pieces
of kit and using NFS spring to mind]. Also when you tunnel stuff through a
VPN, you can implement QoS as you theoretically have total control over
your 'network'.

alexd

--
<http://ale.cx/> (AIM:troffasky) (gebssnfxl(a)ubgznvy.pbz)
18:19:07 up 14 days, 5:36, 2 users, load average: 0.27, 0.31, 0.32
This is my BOOOOOOOOOOOOOOOOOOOOOMSTICK
From: alexd on 15 Jan 2006 13:29

Martin Gregorie wrote:
> I already use a firewall. But, as 22 is a well-known port (and anyway a
> port scanner will find non-standard ones) I'd like things a bit tighter.
> Yes, I can use the hosts.allow/deny and shosts.equiv but they can't stop
> spoofing - only ssh_known_hosts can do that.

If you're super-paranoid, try port knocking.

alexd

--
<http://ale.cx/> (AIM:troffasky) (gebssnfxl(a)ubgznvy.pbz)
18:28:30 up 14 days, 5:45, 2 users, load average: 0.35, 0.27, 0.27
This is my BOOOOOOOOOOOOOOOOOOOOOMSTICK
From: Tony van der Hoff on 15 Jan 2006 14:02

Nix <nix-razor-pit(a)esperi.org.uk> wrote in message
<87mzhxgync.fsf(a)amaterasu.srvr.nix>
> On Sat, 14 Jan 2006, Colin McKinnon mused:
> > Honestly, for a small system not holding secure data I don't think it's worth
> > the effort - by all means restrict the hosts which can connect to port 22
> > on the machine in its firewall and with appropriate entries for tcp
> > wrappers (man 5 hosts_access). Another step I'd recommend is to only allow
> > ssh logins for users of a specific group (AllowGroups in sshd_config).
> > Definitely don't allow root logins via ssh.
>
> I'd say turn PasswordAuthentication off, too. Stick with key-based
> authentication only.
>
Depends on your requirements. Sometimes you can't set keys - I certainly
wouldn't want to accidentally leave one on a Customer's box. Key-based
authentication PLUS passwords (provided they're strong ones) works fine.

> The vast majority of attacks on SSH are attacks on bad passwords; I've
> had some twit trying for most of today and yesterday, four or five
> requests a second...
>
> ...
> Jan 15 15:23:17 esperi info: sshd[11806]: Invalid user molly from 208.187.226.110
> Jan 15 15:23:19 esperi info: sshd[11808]: Invalid user molly from 208.187.226.110
[snip]

No, he's not made it into my blocklist - yet.

Indeed; they first have to guess a username; then they have to guess a
valid password :( It's a wonder they achieve anything, and can only be
evidence of a preponderance of poorly-administered sites out there...

Which is why I employ a blocklist script; I enjoy seeing this:

Jan 15 12:09:52 tony-lx sshd[18346]: Failed password for invalid user brd from 207.36.86.64 port 49575 ssh2
Jan 15 12:10:00 tony-lx sshd[18365]: Failed password for invalid user ap from 207.36.86.64 port 49762 ssh2
Jan 15 12:10:01 tony-lx sshd: refused connect from 207-36-86-64.ptr.primarydns.com (207.36.86.64)

Zap!

--
Tony van der Hoff | mailto:tony(a)vanderhoff.org
Buckinghamshire, England
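Tony's blocklist script itself is not shown in the thread. The following added example (not Tony's code, nor Nix's) shows the detection half of such a script: it parses the two log shapes quoted above, Nix's "Invalid user ... from ..." lines and Tony's "Failed password for invalid user ... from ... port ... ssh2" lines, ignores everything else, and flags any source that fails a threshold number of times inside a time window. The regex assumes the syslog layout seen in the quotes (optional "info:" priority word, no year, so timestamps are compared within one day); the threshold, window, hostname, usernames and addresses in the sample log are constructed, not the thread's real sources:

```python
"""Blocklist decisions over sshd log lines of the two shapes quoted in this
thread.  Added example, not a poster's script.  Assumptions: syslog lines
without a year (timestamps compared within one day), illustrative threshold
and window, and a constructed sample log using documentation-range addresses.
"""
import re
from collections import defaultdict

# Matches both "Invalid user X from IP" (sshd rejects before any password is
# checked because the account does not exist) and
# "Failed password for [invalid user] X from IP port N ssh2".
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+"
    r"(?:\S+:\s+)?"                      # optional priority word, e.g. "info:"
    r"sshd\[\d+\]:\s+"
    r"(?:Invalid user (?P<u1>\S+) from (?P<ip1>[\d.]+)"
    r"|Failed password for (?:invalid user )?(?P<u2>\S+) from (?P<ip2>[\d.]+)"
    r" port \d+ ssh2)"
)


def parse(line):
    """Return (ip, user, seconds since midnight) for a failed-login line,
    or None for anything else (accepted logins, tcp-wrapper refusals, ...)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip = m.group("ip1") or m.group("ip2")
    user = m.group("u1") or m.group("u2")
    h, mi, s = (int(x) for x in m.group("time").split(":"))
    return ip, user, h * 3600 + mi * 60 + s


def blocklist(lines, threshold=5, window=60):
    """Return {ip: summary} for every source with `threshold` or more
    failures inside some `window`-second span.  The summary carries the
    total count, the usernames tried, and attempts per second (the figure
    Nix estimated by eye from his log)."""
    events = defaultdict(list)               # ip -> [(t, user), ...]
    for line in lines:
        parsed = parse(line)
        if parsed:
            ip, user, t = parsed
            events[ip].append((t, user))

    blocked = {}
    for ip, evs in events.items():
        evs.sort()
        times = [t for t, _ in evs]
        # Sliding window over sorted timestamps: one dense burst is enough.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                span = max(times[-1] - times[0], 1)
                blocked[ip] = {
                    "attempts": len(evs),
                    "users": sorted({u for _, u in evs}),
                    "rate": len(evs) / span,
                }
                break
    return blocked


# Constructed sample: the "Invalid user" shape from Nix's log, the "Failed
# password" shape from Tony's, plus two lines the parser must leave alone.
SAMPLE_LOG = """\
Jan 15 15:23:17 example info: sshd[11806]: Invalid user molly from 203.0.113.7
Jan 15 15:23:19 example info: sshd[11808]: Invalid user molly from 203.0.113.7
Jan 15 15:23:21 example info: sshd[11810]: Invalid user sophie from 203.0.113.7
Jan 15 15:23:23 example info: sshd[11812]: Invalid user sophie from 203.0.113.7
Jan 15 15:23:25 example info: sshd[11814]: Invalid user alexa from 203.0.113.7
Jan 15 12:09:52 example sshd[18346]: Failed password for invalid user brd from 198.51.100.9 port 49575 ssh2
Jan 15 12:10:00 example sshd[18365]: Failed password for invalid user ap from 198.51.100.9 port 49762 ssh2
Jan 15 12:10:30 example sshd[18370]: Accepted publickey for martin from 192.0.2.44 port 51000 ssh2
Jan 15 12:10:01 example sshd: refused connect from 198.51.100.9
""".splitlines()

if __name__ == "__main__":
    for ip, info in blocklist(SAMPLE_LOG).items():
        print(f"block {ip}: {info['attempts']} attempts, "
              f"{info['rate']:.2f}/s, users {', '.join(info['users'])}")
```

The function only decides; writing the flagged address into hosts.deny (the tcp-wrappers file Colin pointed at) is what produces the "refused connect" line Tony enjoys seeing. Keying on "Invalid user" lines is deliberate: sshd emits them before any password is checked, so they are pure noise from a bot working through a username list and are safe to count without ever penalising a real user who mistyped a password.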
From: John Phillips on 15 Jan 2006 14:19

On 2006-01-15, Nix <nix-razor-pit(a)esperi.org.uk> wrote:
> The vast majority of attacks on SSH are attacks on bad passwords; I've
> had some twit trying for most of today and yesterday, four or five
> requests a second...

I saw a lot of that until I throttled back the allowable connection rate
with iptables. Probably not much extra security, if any, but they
generally go away now after a very small number of attempts.

> Jan 15 15:23:17 esperi info: sshd[11806]: Invalid user molly from 208.187.226.110
> ...
> Jan 15 15:24:17 esperi info: sshd[11879]: Invalid user alexa from 208.187.226.110
>
> With PasswordAuthentication off, all they're doing is tarpitting
> themselves and wasting their time.

Indeed, although they do use up a little connection bandwidth and
processing time on the target machine.

--
John Phillips |