LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 02-09-2006, 07:18 AM   #1
ArthurDent
How Important is Invisibility on the Net?


Hello chaps,

I have just discovered the joy of SSH!

I have set it up (on port 22) to only allow private key authentication and only on one user account with root access disabled.

Now I have forwarded port 22 on my router to the IP address of the one machine to which I want access (O/S Fedora Core 4) where it is met by my software firewall (Firestarter / IPTables). In this I have poked a hole through for access from my work IP address - and ONLY that IP address.

This is great - and it all works just fine - but suppose I want to use my laptop in (say) an Internet cafe or from a friend's house?

To do that I would (surely?) have to open up port 22 to everyone? If I do so will I have thousands of script-kiddies hammering on that door?

At the moment the firewall is reporting c. 5 or 6 portscans (I presume that's what they are) per day on that port, but Shields Up reports that I am invisible on all ports.

If I open that port to enable me to access my home computer from wherever I am, I will no longer be invisible. Is there any way to prevent this or to ensure that it's not a problem?

Thanks for your advice

Mark

Old 02-09-2006, 07:25 AM   #2
acid_kewpie
other than picking an obscure port number rather than 22, there's precious little you can do. if you want to get in from anywhere, you obviously have to allow from anywhere. you're much less likely to be spanked for running ssh on port 31293 (maybe your dog's birthday is 3/12/1993..) than port 22.
 
Old 02-09-2006, 07:47 AM   #3
ArthurDent
Hmmmm... Never thought of that..

Thanks!

Is that what most folks do? If so, why is port 22 the de facto port for SSH?

Even if I do use an obscure port I suppose that sooner or later someone's going to find that it's open. Is my setup as good as it needs to be?

Thanks again..

Mark
 
Old 02-09-2006, 08:12 AM   #4
lucktsm
Since most brute force attacks check port 22 it's wise to move it to another obscure port.

Also there is a good firewall rule to add that detects someone trying to brute force your ssh ports. I got this from a Linux Journal article.

If you are using SSH then you will sooner or later notice someone trying to hack into your box using dictionary attacks.

You can use the iptables module recent to limit a minimum time between new connections from the same IP.

To make this work, you should have this commonly used rule (this allows previously established connections and is a normal rule in most firewalls):

iptables -A INPUT -j ACCEPT -p tcp ! --syn -s 0/0 -d (outer ip/net)

Now, to set the limit:

iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT

These two rules make iptables require 15 seconds between new connections from the same IP on port 22 (the SSH port). Use ACCEPT instead if you are using a firewall that has its own rule for accepting ssh.

Another way of limiting dictionary attacks is to limit using -m limit --limit <rate> like this:

iptables -A INPUT -p tcp --dport ssh -m limit --limit 3/minute --limit-burst 2 -j ACCEPT
# the ACCEPT above only admits what fits the limit; anything over it must be
# dropped by a following rule (or a default DROP policy) or it simply falls through
iptables -A INPUT -p tcp --dport ssh -j DROP

This rule does the trick of setting a limit of 3 connections per minute, but the first two connections will exhaust the limit-burst, so the rule effectively limits the connection attempt rate to 1/minute.
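To see what the two matchers in the post above actually do to a stream of connection attempts, here is an added simulation (example code, not the poster's rules or Netfilter itself) that models the documented semantics of `recent --update --seconds N` followed by `recent --set`, and of `limit --limit R/minute --limit-burst B`, and runs both over a constructed list of SSH SYNs from an attacker address and from the owner connecting from a cafe. The addresses and timings are made up for the example; the 15-second window and the 3/minute, burst 2 figures are the ones from the post.

```python
"""Simulate the iptables `recent` and `limit` matchers over constructed SSH
connection attempts. Added example, not code from the thread or from Netfilter.

  recent:  `--update --seconds N -j DROP` then `--set -j ACCEPT`
           the first SYN from an address is accepted and recorded; another SYN
           from it within N seconds is dropped AND refreshes the timestamp.
  limit:   `--limit R/minute --limit-burst B -j ACCEPT` then a DROP
           a token bucket of capacity B refilled at R tokens per minute that is
           shared by ALL sources (the match is not per address).
"""
from fractions import Fraction


class RecentMatcher:
    """Chain order matters: the --update/DROP rule is consulted first."""

    def __init__(self, seconds):
        self.seconds = seconds
        self.last_seen = {}  # address -> time of its last matching SYN

    def verdict(self, src, t):
        seen = self.last_seen.get(src)
        if seen is not None and t - seen <= self.seconds:
            self.last_seen[src] = t  # --update refreshes the entry on a hit
            return "DROP"
        self.last_seen[src] = t      # --set records (or replaces a stale entry)
        return "ACCEPT"


class LimitMatcher:
    """Token bucket; Fraction keeps the arithmetic exact and deterministic."""

    def __init__(self, per_minute, burst):
        self.rate = Fraction(per_minute, 60)  # tokens per second
        self.burst = burst
        self.tokens = Fraction(burst)         # bucket starts full
        self.last = Fraction(0)

    def verdict(self, t):
        t = Fraction(t)
        refill = (t - self.last) * self.rate
        self.tokens = min(Fraction(self.burst), self.tokens + refill)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return "ACCEPT"
        return "DROP"


# Constructed sample traffic: (seconds, source address) of new SSH SYNs.
ATTEMPTS = [
    (0,  "203.0.113.5"),   # attacker opens a first connection
    (1,  "203.0.113.5"),   # attacker retries one second later
    (10, "203.0.113.5"),   # and again
    (20, "198.51.100.7"),  # owner from a cafe opens an ssh session
    (21, "198.51.100.7"),  # owner opens a second session (e.g. scp)
    (40, "203.0.113.5"),   # attacker, 30 s after its last attempt
    (50, "203.0.113.5"),   # attacker again
]


def run_recent(attempts, seconds=15):
    m = RecentMatcher(seconds)
    return [m.verdict(src, t) for t, src in attempts]


def run_limit(attempts, per_minute=3, burst=2):
    m = LimitMatcher(per_minute, burst)
    return [m.verdict(t) for t, _src in attempts]


if __name__ == "__main__":
    for name, verdicts in (("recent", run_recent(ATTEMPTS)),
                           ("limit", run_limit(ATTEMPTS))):
        print(name)
        for (t, src), v in zip(ATTEMPTS, verdicts):
            print(f"  t={t:>3}s  {src:<14} {v}")
```

Two things the output makes visible that the rules alone do not: the `recent` pair also drops the owner's own second session at t=21 because it arrives inside the window of the first (if you routinely open ssh and scp back to back, `--hitcount` lets several hits through before the DROP kicks in), and the `limit` rule is global, so the attacker's burst at t=0..10 empties the bucket that the owner then needs at t=21.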
 
Old 02-09-2006, 09:09 AM   #5
int0x80
The best result I've had is moving SSH to listen on port 666, this stopped all of the SSH brute force attempts that were occurring on my box. Pick a port < 1024 since applications often open sockets on higher ports (> 1024) and communicate there. Additionally, don't allow root to login directly over SSH. Require only normal users and force them to use something like sudo if they really need to operate as root.
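The original post describes key-only authentication on one account with root login disabled, and the reply above adds moving the port and forbidding direct root login. As an added example (not code from either poster), here is a small audit that parses an sshd_config and reports which of those settings are missing. It reproduces one sshd rule worth knowing: the first value read for a keyword wins and later duplicates are ignored, so a hardening line placed after an earlier `PasswordAuthentication yes` does nothing. The two configs, the port 31293 and the user name `mark` are constructed for the example; the defaults assumed for absent keywords are OpenSSH's documented ones.

```python
"""Audit an sshd_config for the thread's setup: key-only authentication, no
root login, a single allowed user, non-default port. Added example code, not
part of the thread or of OpenSSH. Lines after a `Match` block start are
conditional and are not examined here."""
import re

# Assumed defaults for absent keywords (OpenSSH documented defaults;
# PermitRootLogin was "yes" before 7.0 and "prohibit-password" since).
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

# keyword, then either "=" (with optional spaces) or whitespace, then the value
LINE_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$")


def parse_sshd_config(text):
    """Return {keyword_lowercase: first_value} for the global section."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                     # global section ends at the first Match
        cfg.setdefault(key, value)    # first occurrence wins, as in sshd
    return cfg


def audit(cfg):
    """Return a list of findings; an empty list means the config matches the
    setup described in the thread."""
    def get(key):
        return cfg.get(key, DEFAULTS.get(key, "")).lower()

    findings = []
    if get("permitrootlogin") != "no":
        findings.append("PermitRootLogin should be 'no' (is '%s')" % get("permitrootlogin"))
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication should be 'no'")
    if get("challengeresponseauthentication") != "no":
        findings.append("ChallengeResponseAuthentication should be 'no' "
                        "(keyboard-interactive is a second password path via PAM)")
    if get("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication must be 'yes' for key-only login")
    if "allowusers" not in cfg:
        findings.append("AllowUsers missing: restrict logins to the one account")
    if get("port") == "22":
        findings.append("Port 22: a less-scanned port cuts noise but is not a control")
    return findings


# Constructed configs, not taken from any real host.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """
Port 31293
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers mark
# sshd ignores this later duplicate; the first value above is the one in force
PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(parse_sshd_config(text))
        print(name, "->", findings or "no findings")
```

Run it against `/etc/ssh/sshd_config` by reading the file into `parse_sshd_config`; anything the audit does not flag still has to be confirmed with `sshd -T`, which prints the effective values after defaults and Match blocks are applied.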
 
  

