LINUX.IE, website of the Irish Linux Users' Group
Tux rules!

   
Home
New Users
Articles
Download
Projects
Community
Vendors

  Print Version
Email to...
 
Archives:


planetILUG

Recent News

News Archive


Join the
ILUG
on FaceBook


Join the
ILUG
on LinkedIn


Join the
ILUG SETI
Group



















 
 :: Mailing Lists

[ILUG] sshd

[ILUG] sshd

Ewan Oughton ewan at skynet.ie
Thu Nov 23 16:30:45 GMT 2006 

I had quite an issue with ssh brute force attacks on a box on my adsl 
line at home - I did the following to defeat it:

Added iptables rule to allow only 3 ssh connections/min from a given IP. 
Any further goes to the TARPIT for 15 mins. Remember to add it to your 
startup scripts somewhere.

Turned off remote root login.

Turned off password-based ssh logins, allowing only password-protected 
keyed users to log in.

Removed any defunct users.





My [secure|auth].log now looks a lot cleaner.



Ewan



Ewan Oughton B.Sc. Comp Sys
DB / AnonFTP / Orac Root Admin SkyNet


On Thu, 23 Nov 2006, Niall O Broin wrote:

> On 23 Nov 2006, at 15:42, paul at clubi.ie wrote:
>
>>> Good comments already mentioned but I can't believe noone has mentioned 
>>> key based authentication for the 1 user who requires sshd access, that 
>>> will mitigate the problem of people stealing passwords :-)
>> 
>> And open the problem that the security of the key is 'outsourced' to remote 
>> boxes.
>> 
>> SSH keys are not a magic wand
>
> You blow this particular horn quite frequently Paul, but the fact remains 
> that when the question is "How do I defend against ssh brute force attacks?" 
> one of the useful answers is "Use ssh keys".
>
> Authentication method		Attack vector
>
> Password			Compromise password || brute force
> SSH key				Obtain key && compromise password
>
>
> It's not really a question of "magic bullets", more a question of how you 
> minimise your exposure.
>
>
> Niall
>
>
>
>
> -- 
> Irish Linux Users' Group mailing list
> About this list : http://mail.linux.ie/mailman/listinfo/ilug
> Who we are : http://www.linux.ie/
> Where we are : http://www.linux.ie/map/

More information about the ILUG mailing list
Read this without the formatting.
                                                                                                    

  

Hosted by HEAnet


 Maintained by the ILUG website team. The aim of Linux.ie is to support and help commercial and private users of Linux in Ireland. You can display ILUG news in your own webpages, read backend information to find out how. Networking services kindly provided by HEAnet, server kindly donated by Dell. Linux is a trademark of Linus Torvalds, used with permission. No penguins were harmed in the production or maintenance of this highly praised website. Looking for the Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
RSS Version
Powered by Dell