Ruminations on an SSH attack

Tom Buskey tom at buskey.name
Mon Dec 19 09:06:01 EST 2005


On 12/18/05, Brian Chabot <brian at datasquire.net> wrote:
>
> Bill McGonigle wrote:
>
> > I sleep better at night knowing my servers have these lines in them:
> >
> > Protocol 2
> > PermitRootLogin no
> > IgnoreRhosts yes
> > PasswordAuthentication no
> > AllowUsers ...
>
>
> I like to add in:
>
> MaxAuthTries 6
> UsePrivilegeSeparation yes
>
> AllowUsers can be a pain if your user base changes..


ListenAddress if your users always come from the same IP addresses.  Not
always doable, but if it is....

Port xxxx  # changing to a non standard port

I'm at a site that blocks all outgoing ports except 22 :-(  Security by
obscurity, but it makes you harder to find than your neighbors.

I've started running something called DenyHosts.  If I get N failed logins
from an IP address, it gets added to /etc/hosts.deny and my sshd never sees
that IP again.  It's worth checking out.  All automated w/ email alerts,
expiration of IPs (or not), number of failures, etc.



--
A strong conviction that something must be done is the parent of many bad
measures.
  - Daniel Webster
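
The failed-login thresholding described in the message above (N failures from one IP leads to a /etc/hosts.deny entry), as an added example that is not part of the original post and is not DenyHosts's own code. The log lines are constructed, and the function names and the `allowed`/`existing` parameters are assumptions made for illustration.

```python
import re
from collections import Counter

# Matches OpenSSH failure lines such as
# "sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2"
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log lines (documentation address ranges, made-up host).
SAMPLE_LOG = """\
Dec 19 03:10:01 host sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Dec 19 03:10:03 host sshd[813]: Failed password for invalid user test from 203.0.113.5 port 40120 ssh2
Dec 19 03:10:05 host sshd[815]: Failed password for root from 203.0.113.5 port 40131 ssh2
Dec 19 08:55:40 host sshd[990]: Failed password for tom from 198.51.100.7 port 51515 ssh2
Dec 19 08:55:52 host sshd[990]: Accepted password for tom from 198.51.100.7 port 51515 ssh2
"""


def failed_counts(log_text):
    """Count failed sshd password logins per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def deny_entries(log_text, threshold, allowed=(), existing=()):
    """Return new hosts.deny lines for IPs with at least `threshold` failures."""
    entries = []
    for ip, n in sorted(failed_counts(log_text).items()):
        line = f"sshd: {ip}"
        # Skip allow-listed addresses and entries already in hosts.deny.
        if n >= threshold and ip not in allowed and line not in existing:
            entries.append(line)
    return entries


if __name__ == "__main__":
    for entry in deny_entries(SAMPLE_LOG, threshold=3):
        print(entry)
```

The `allowed` list keeps a legitimate user who mistypes a password a few times from being locked out of the server.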