LinuxQuestions.org
Old 04-24-2008, 11:35 AM   #1
ahmad19
Member
 
Registered: Apr 2008
Posts: 36

Rep: Reputation: 15
how secure ssh is


Hi,
Can someone tell me how ssh is secure? What kind of attacks can ssh resist?
 
Old 04-24-2008, 11:50 AM   #2
MS3FGX
LQ Guru
 
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852

Rep: Reputation: 360
A properly configured SSH server is very secure. There have been a few DoS exploits for OpenSSH that I am aware of, but few and far between.

Mainly you want to make sure that only protocol version 2 is enabled in the configuration file, and disable root logins. You might also want to strengthen your defenses against password guessing by limiting the simultaneous connections (assuming this will not impact your use of the server) and decreasing the allowed login failures. You can set the server up so that brute forcing the password would take so insanely long that nobody would ever try.

Of course, the human element is always the most important. Use strong passwords. If you are using weak passwords, it doesn't matter how secure OpenSSH is. In fact, if you can manage it, use a strong password in addition to a public/private key.
 
Old 04-24-2008, 02:05 PM   #3
beadyallen
Member
 
Registered: Mar 2008
Location: UK
Distribution: Fedora, Gentoo
Posts: 209

Rep: Reputation: 36
SSH is also vulnerable to Man In The Middle (MITM) attacks in much the same way as ssl/tls is. If you heed the warnings about 'unrecognized/invalid fingerprints' though you should be safe. Of course, ssh only protects you 'point to point', so if either your local or remote machine is compromised, then ssh won't protect you.

Last edited by beadyallen; 04-24-2008 at 02:06 PM.
 
Old 04-27-2008, 02:43 PM   #4
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3187
"ssh" is ... "a shell."

Therefore, unless you take sensible steps to secure it, "ssh" is a great-big-hole.

Why? Because it allows anyone-on-the-planet to fire "user/password" combinations at your computer, and if any one of them is accepted, "they're in." (The fact that the communications are encrypted does not matter.)

"ssh" has a variety of security options available, including digital certificates. But, it has the very-annoying characteristic that it will start with the most-secure option but then offer less- and less-secure alternatives until it gets a login.

So... what you need to do is to make very sure that "ssh" insists upon some form of identification much stronger than "username/password" and that it will offer "a password prompt" only if those stronger forms of authentication have been cleared.

Your "ssh" daemon should never offer "a password prompt" to "just anyone." And, it does not have to.
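
Added example (not part of any post in this thread): a small audit of `sshd_config` text against the advice in posts #2 and #4. The mapping of that advice to the `Protocol`, `PermitRootLogin`, `MaxAuthTries`, `MaxStartups`, `PasswordAuthentication` and `AuthenticationMethods` keywords, the thresholds, and the sample configurations are assumptions made for this example.

```python
# Added example: audit sshd_config text against the advice in posts #2 and #4.
# MAX_TRIES and MAX_STARTUPS are assumed thresholds, not values from the thread.
MAX_TRIES, MAX_STARTUPS = 3, 10

# Constructed sample configurations.
WEAK = "Protocol 2,1\nPermitRootLogin yes\nMaxAuthTries 6\npermitrootlogin no\n"
HARDENED = ("Protocol 2\nPermitRootLogin no\nMaxAuthTries 3\n"
            "MaxStartups 3:50:10\nPasswordAuthentication no\n")
KEY_THEN_PASSWORD = HARDENED.replace(
    "PasswordAuthentication no", "AuthenticationMethods publickey,password")

def parse_global(text):
    """Map keyword -> value for the global section (everything before Match).

    Keywords are case-insensitive and sshd keeps the first value it reads,
    so a later duplicate does not override an earlier line.
    """
    seen = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        seen.setdefault(key, value)
    return seen

def first_int(value):
    """Leading integer of '3' or '3:50:10'; a huge number if malformed."""
    head = value.split(":")[0]
    return int(head) if head.isdigit() else 10**9

def audit(text):
    """Return findings; an unset keyword is reported because defaults vary by version."""
    cfg, findings = parse_global(text), []
    checks = [
        ("protocol", lambda v: v == "2", "allow only protocol 2"),
        ("permitrootlogin", lambda v: v == "no", "disable root logins"),
        ("maxauthtries", lambda v: first_int(v) <= MAX_TRIES, "lower allowed login failures"),
        ("maxstartups", lambda v: first_int(v) <= MAX_STARTUPS, "limit unauthenticated connections"),
    ]
    for key, ok, advice in checks:
        if key not in cfg or not ok(cfg[key]):
            findings.append(f"{key}={cfg.get(key, 'unset')}: {advice}")
    # Post #4: a password prompt is acceptable only after a key has been accepted.
    lists = cfg.get("authenticationmethods", "").split()
    key_first = bool(lists) and all(m.split(",")[0] == "publickey" for m in lists)
    if cfg.get("passwordauthentication") != "no" and not key_first:
        findings.append("passwordauthentication: password prompt offered without a key")
    return findings
```

On OpenSSH releases that no longer speak protocol 1, the `Protocol` check can be dropped from `checks`.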
 
Old 04-27-2008, 03:53 PM   #5
choogendyk
Senior Member
 
Registered: Aug 2007
Location: Massachusetts, USA
Distribution: Solaris 9 & 10, Mac OS X, Ubuntu Server
Posts: 1,197

Rep: Reputation: 105
I didn't notice anyone mentioning updates yet.

With any system software where you are concerned about security, you have to watch the changing landscape (security postings and exploit news) and make sure you keep your software up to date. A couple of years ago all of the department sysadmins in my organization were notified that a new exploit had been uncovered in openssh. They were told they needed to update immediately. Later, one of the departments had their machines broken into. Turns out that sysadmin had installed the update patches, but didn't get around to rebooting. So the running processes were still the old version.

Anyway, always stay up to date with system patches and software updates.

Even then you should use something like tcpwrappers with openssh or other system services. Then you can block out sites or domains that offend, or if you don't really need to allow access from everywhere, block it from everywhere except specific places you need access from. Set it to paranoid so that it requires a successful reverse DNS before allowing a connection.

And, then, read logs. Keep an eye on what's happening and who's hitting you. I constantly see repetitive attacks on the ssh port on my servers. On some machines, I have most everything blocked and don't see much. For other machines I have to have it open.
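
Added example (not part of the post above): one way to do the log reading described in post #5, summarising sshd authentication log lines per source address and pointing out any login accepted after a burst of failures from the same address. The log lines are constructed samples using documentation address ranges, and `THRESHOLD` is an assumed value.

```python
# Added example: summarise sshd authentication log lines per source address.
import re
from collections import defaultdict

THRESHOLD = 3  # assumption: failures from one address before it is reported

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = """\
Apr 27 15:01:02 host sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 40112 ssh2
Apr 27 15:01:04 host sshd[2103]: Failed password for invalid user test from 203.0.113.9 port 40118 ssh2
Apr 27 15:01:07 host sshd[2105]: Failed password for root from 203.0.113.9 port 40125 ssh2
Apr 27 15:01:09 host sshd[2107]: Accepted password for root from 203.0.113.9 port 40131 ssh2
Apr 27 15:02:30 host sshd[2110]: Failed password for alice from 192.0.2.44 port 51000 ssh2
Apr 27 15:02:41 host sshd[2112]: Accepted publickey for alice from 192.0.2.44 port 51002 ssh2
""".splitlines()

def summarise(lines, threshold=THRESHOLD):
    """Return a report for every address with at least `threshold` failures."""
    failures = defaultdict(int)
    users = defaultdict(set)
    accepted_after = defaultdict(list)
    for line in lines:
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users[ip].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            # A login that follows a burst of failures from the same
            # address is the event most worth a closer look.
            if failures[ip] >= threshold:
                accepted_after[ip].append((user, method))
    return {ip: {"failures": n,
                 "users": sorted(users[ip]),
                 "accepted_after": accepted_after[ip]}
            for ip, n in failures.items() if n >= threshold}
```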
 
Old 04-27-2008, 09:27 PM   #6
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3187
You obviously can't stop "anyone from the outside world" from robotically attacking your ssh port. But you can, with the techniques aforementioned, prevent him from getting far-enough to actually be able to attempt login.

Set up your system so that it requires a digital certificate, and so that it will accept nothing less. Digital certificates are like security-badges: either you possess one or you don't. Unless you have one, you're not even allowed to "say the magic word."
 
Old 04-28-2008, 02:53 AM   #7
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,290

Rep: Reputation: 62
Like everyone here has mentioned, I think the only way to secure one program, is to secure everything else. Like any chain, it's only as strong as its weakest link.
 
  

