Restricting external access
I am getting thousands of attempted ssh break-ins. I've already set up the server to prevent ssh logons as root, but would like to do more. I also installed fail2ban.
My iptables configuration is shown below. A couple of questions.
Thank you
Code:
[root@devserver log]# cat /var/log/secure | grep 'sshd.*Invalid'
Code:
[root@devserver log]# cat /var/log/secure | grep 'sshd.*failed'
Code:
[root@devserver log]# iptables --list --line-number
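The output of those greps is not on the page, so here is an added example (my script, not the OP's or any other poster's) of the counting the two greps lead up to: pull the source address out of every "Invalid user" and "Failed password" line, tally per address, and turn the worst offenders into DROP rules. It is the manual version of what fail2ban does before it bans. The log lines are constructed samples in /var/log/secure format, not captured output; note that sshd writes "Failed password" with a capital F, so a case-sensitive grep for 'failed' misses those lines.

```shell
#!/bin/sh
# Added example (not from the thread): count sshd failures per source IP in
# auth-log lines and list the sources over a threshold, i.e. the manual
# version of what fail2ban does before it bans. The log lines below are
# constructed samples in /var/log/secure format, not captured output.

SAMPLE_LOG='Mar  3 02:11:07 devserver sshd[1201]: Invalid user admin from 203.0.113.5
Mar  3 02:11:09 devserver sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51822 ssh2
Mar  3 02:11:12 devserver sshd[1204]: Invalid user oracle from 203.0.113.5
Mar  3 02:11:14 devserver sshd[1204]: Failed password for invalid user oracle from 203.0.113.5 port 51830 ssh2
Mar  3 02:12:01 devserver sshd[1210]: Failed password for root from 198.51.100.7 port 40011 ssh2
Mar  3 02:12:40 devserver sshd[1215]: Accepted publickey for alice from 192.0.2.10 port 53002 ssh2
Mar  3 02:13:02 devserver sshd[1219]: Failed password for alice from 192.0.2.10 port 53010 ssh2'

# failed_attempts LOGTEXT
# Prints "<count> <ip>" for every source that produced an "Invalid user" or
# "Failed password" line, most active first. Successful logins are ignored.
failed_attempts() {
    printf '%s\n' "$1" \
      | grep -E 'sshd\[[0-9]+\]: (Invalid user|Failed password)' \
      | sed -E 's/.* from ([0-9.]+).*/\1/' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# offenders LOGTEXT THRESHOLD
# Prints the IPs whose failure count is >= THRESHOLD, one per line.
offenders() {
    failed_attempts "$1" | awk -v t="$2" '$1 >= t {print $2}'
}

# drop_rules LOGTEXT THRESHOLD
# Emits (does not execute) one iptables DROP rule per offender, so the list
# can be reviewed before it is piped to sh.
drop_rules() {
    offenders "$1" "$2" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n' "$ip"
    done
}

# Stand-alone run: show the tally and the rules a threshold of 3 would produce.
failed_attempts "$SAMPLE_LOG"
drop_rules "$SAMPLE_LOG" 3
```

On the real server call it as `offenders "$(cat /var/log/secure)" 10`. Check the list for your own addresses and for legitimate users who mistyped a password before piping `drop_rules` into sh: a plain DROP never expires, which is the part fail2ban adds (bantime) and the reason it is the better tool once it is tuned.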
There is an oldie-but-goodie utility you might want to give a try.
DenyHosts (http://denyhosts.sourceforge.net).
I've used it for years, it works (there are thousands of entries in hosts.deny), you don't have to fiddle around with configurations and writing entries. Take a look and see what you think. Hope this helps some.
I'd suggest running SSH on a non-standard port. I've been doing that for years, and as far as I've been able to tell nobody has ever tried to get in.
Of course, using a non-standard port should not be your only method of securing your server: https://en.wikipedia.org/wiki/Securi...ough_obscurity
If you don't need ssh, block port 22. Otherwise, you can use the iptables "recent" module.
Code:
${IPTABLES} -A INPUT -p tcp --dport 3456 -m recent --set --name portknock
It's not a great idea to reassign the ssh port to a non-privileged port (>1024), because non-privileged users can listen and capture user names/passwords. Ports 1024 and below are handled by Linux as privileged, so only root can open them. After a privileged port is opened the process drops back to user level.
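The fragment above only fills a "recent" list; nothing on the page consumes it. As an added example (my script, not the poster's), here are two complete variants built on the same module: a rate limit on new SSH connections, and a single-port knock that reads the "portknock" list the posted rule writes. Port 22 and knock port 3456 come from the thread; the windows and hit count are assumptions to tune.

```shell
#!/bin/sh
# Added example, not the poster's script: a complete rate limit for sshd with
# the iptables "recent" module, plus a single-port knock that consumes the
# "portknock" list the fragment above only fills. Rules are emitted through
# $IPTABLES, which defaults to "echo iptables" so the script can be read and
# dry-run without root; set IPTABLES=/sbin/iptables to apply them for real.
# Port 22 and knock port 3456 are taken from the thread; the time windows and
# hit count are assumptions to tune.

: "${IPTABLES:=echo iptables}"
SSH_PORT=${SSH_PORT:-22}
KNOCK_PORT=${KNOCK_PORT:-3456}

# ssh_ratelimit_rules [SECONDS] [HITCOUNT]
# Every new SSH connection is recorded in the list "SSH". Once a source has
# opened HITCOUNT new connections within SECONDS, that connection and every
# further one are dropped, and --update keeps refreshing the timestamp, so a
# source that keeps hammering stays blocked. --rttl also requires the packet
# TTL to match the recorded one, the man page's mitigation against spoofed
# SYNs being used to get a real user's address blocked.
ssh_ratelimit_rules() {
    seconds=${1:-60}; hitcount=${2:-4}
    $IPTABLES -N SSH_LIMIT
    $IPTABLES -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j SSH_LIMIT
    $IPTABLES -A SSH_LIMIT -m recent --set --name SSH --rsource
    $IPTABLES -A SSH_LIMIT -m recent --update --seconds "$seconds" --hitcount "$hitcount" --rttl --name SSH --rsource -j DROP
    $IPTABLES -A SSH_LIMIT -j ACCEPT
}

# knock_rules [WINDOW]
# Alternative to the rate limit: a SYN to KNOCK_PORT records the source in
# "portknock" and is itself dropped (the port looks closed to a scanner); a new
# SSH connection is accepted only from a source recorded within WINDOW seconds,
# and every other new SSH connection is dropped. Packets of the accepted
# session rely on an ESTABLISHED,RELATED accept rule earlier in INPUT.
knock_rules() {
    window=${1:-30}
    $IPTABLES -A INPUT -p tcp --dport "$KNOCK_PORT" -m recent --set --name portknock --rsource -j DROP
    $IPTABLES -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -m recent --rcheck --seconds "$window" --name portknock --rsource -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j DROP
}

# Stand-alone run prints the rule lines of both variants (deploy one, not both).
ssh_ratelimit_rules 60 4
knock_rules 30
```

Run it once with the default `echo` to read the rules, then with `IPTABLES=/sbin/iptables` after your ESTABLISHED,RELATED accept rule is in place and from a session you can afford to lose. `cat /proc/net/xt_recent/SSH` shows who is currently in the list, and `iptables -L INPUT -v -n --line-numbers` shows which rule is taking the hits. A one-port knock only hides sshd from casual scanners; a scanner that happens to probe 3456 before 22 gets the same login prompt as everyone else, so the keys on sshd remain the actual control.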
"There are two kinds of people: those who put people in two groups, and everyone else."
"The question before the house" should be:
"Why did you allow(?!?!) 'anyone on earth' to see a login: prompt, in the first place?" No one should be allowed to get that far, unless they have already passed a very-considerable gantlet which has nothing to do with "a password." As I discuss in my blog post, How To Build A 'Dwarvish Door' with OpenVPN, every one of your systems should present "a smooth, featureless(!) wall" to the outside world. To any and every "port scanner" or "script kiddie," there should be nothing(!) there except (say ...) http and https. (These being the only ports that you intend for outsiders to routinely access.) It should not even be evident that there exists, in fact, a third alternative: OpenVPN. Thanks to the tls-auth feature, the existence of an OpenVPN server should not even be visible, unless one should possess an initial 1024-bit cryptographic key that will "cause a keyhole to appear." Having "found the keyhole," the only possible way forward should be to possess a 4096-bit one-of-a-kind cryptographic key. Only then should you first encounter ssh, which then demands, not a password, but yet-another cryptographic key. (The visitor is never once given the opportunity to enter a "login password.") Yep, if anyone shows up inside the courtyard, having passed through both of these safeguards, you can welcome him or her as "an old friend," because you fairly-well know already who they must be. After all, s/he must have been in possession of three one-of-a-kind, not-revoked digital credentials! Since the credentials are "one of a kind," you already know with very-great certainty exactly who this visitor is. (And, should the visitor turn out to be an imposter, you can swiftly and decisively react by revoking this visitor's credentials. Instantly, this visitor is shut-out, while no other authorized visitor is even inconvenienced.) "Thousands of attempts?" Uh uh. How about, "zero?"
There are two security-related things to focus on.
Making ssh secure is pretty easy. Create a keypair, copy it over and enforce key-based access by changing these lines in /etc/ssh/sshd_config
Code:
$ ssh-keygen -t rsa -b 4096
Code:
/etc/ssh/sshd_config
As for reducing the number of attempts, there are a lot of ways to do that (eg fail2ban or other answers here). Personally, I just limit attempts allowed via iptables. I go over that more here on this thread:
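The sshd_config lines the post refers to did not survive on the page. Rather than guess at them, here is an added example (mine, not the poster's) of the check you want after editing that file: a small audit of the effective values of the keywords that enforce key-only access. The point it demonstrates is that sshd takes the first occurrence of a keyword, so a "PasswordAuthentication no" appended below a distro default of "yes" changes nothing. Both configs are constructed samples; the compiled-in defaults are OpenSSH 7.0+ ones.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the key-only
# settings the post above recommends. sshd uses the FIRST occurrence of a
# keyword, so a hardening line appended at the bottom is silently ignored if
# an earlier line (e.g. a distro default block) already sets the keyword.
# The two configs below are constructed samples, not real files.

# effective_value FILE KEYWORD DEFAULT
# Prints the value sshd would use globally: the first uncommented match
# (keywords are case-insensitive, as in sshd), else DEFAULT. Parsing stops at
# the first Match block, since everything after it is conditional.
effective_value() {
    v=$(awk -v k="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print $2; exit }' "$1")
    printf '%s\n' "${v:-$3}"
}

# audit_sshd_config FILE
# Returns 0 if every checked keyword has a safe effective value, 1 otherwise,
# printing one FAIL line per finding. The DEFAULT column is the compiled-in
# default of OpenSSH 7.0+ (older servers default PermitRootLogin to yes).
audit_sshd_config() {
    f=$1; bad=0
    check() {   # check KEYWORD DEFAULT ALLOWED_VALUE...
        key=$1; def=$2; shift 2
        val=$(effective_value "$f" "$key" "$def")
        for ok in "$@"; do [ "$val" = "$ok" ] && return 0; done
        printf 'FAIL %s is %s\n' "$key" "$val"; return 1
    }
    check PasswordAuthentication          yes               no                  || bad=1
    check PubkeyAuthentication            yes               yes                 || bad=1
    check PermitRootLogin                 prohibit-password no prohibit-password || bad=1
    check ChallengeResponseAuthentication yes               no                  || bad=1
    check KbdInteractiveAuthentication    yes               no                  || bad=1
    return $bad
}

# Constructed samples: the weak one has the classic appended-at-the-bottom
# mistake; the hardened one sets everything once, near the top.
WEAK_CONFIG='# distro default block
PasswordAuthentication yes
PermitRootLogin yes
# added later by an admin, but ignored: the first occurrence above wins
PasswordAuthentication no'

HARDENED_CONFIG='Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey'

write_sample() { t=$(mktemp); printf '%s\n' "$1" > "$t"; printf '%s\n' "$t"; }
WEAK_FILE=$(write_sample "$WEAK_CONFIG")
HARDENED_FILE=$(write_sample "$HARDENED_CONFIG")

# Stand-alone run: the weak sample fails, the hardened one passes.
echo "weak sample:";     audit_sshd_config "$WEAK_FILE"     || echo "-> not key-only"
echo "hardened sample:"; audit_sshd_config "$HARDENED_FILE" && echo "-> key-only"
```

The authoritative version of this check on a real host is `sshd -T | grep -iE 'passwordauthentication|permitrootlogin|pubkeyauthentication'`, which prints what the running binary actually resolved, including Match blocks; run `sshd -t` to validate syntax before the restart, and keep your current session open until a second key-based login succeeds.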