Hi!
I run a webserver and I can see every morning how each night some people try to intrude the server trough ssh. Those intrusions'attempt happen fast only at night because they come mostly from overeseas.
since none of our administrators does have to work between 2 a.m and 6 a.m I though that I could shut doen the ssh daemon during this time.
now my questions:
1) would it make sense to shut down my sshd every night?
2) if yes, how am I supposed to do so? when I shut down my sshd, I use kill. But how am I supposed to shut it down using cron?

thanks.

would it make sense to shut down my sshd every night?
Best way is to first harden the boxen, sshd (protocol, allowed access, passphrases) and network access to them and implement one method of http://www.linuxquestions.org/questi...d.php?t=340366. "Server" implies services should be continuously accessable. I know a lot of people who work on servers when other people sleep, so I wouldn't do it. Besides, in case of emergency, how are you going to access the box? Or do you use a web-based admin interface? In any case I'd discuss it with the responsable people first.
If you however feel you need to shut down services then at least use the proper initscript command like "/etc/init.d/sshd {stop,start}".

Something I've found quite useful (it keeps those Korean and Chinese sites out of your pants) is http://denyhosts.sourceforge.net. It's a daemon that monitors your system logs for unsuccessful ssh login attempts (such as the Korean and Chinese [and too many other] dictionary or brute force attacks) and quickly adds the attacker's IP address to /etc/hosts.deny, effectively making you a black hole to them. It also shares bad guy addresses with other DenyHosts users around the world and updates /etc/hosts.deny periodically -- significantly better than fooling around with iptables constantly in my book.

Worth a look-see.

Bah don't shut it down, be more creative than that. Implement PORT KNOCKING

Port knocking will allow the port to remain closed so it doesn't show up in port scans until you knock on the door by touching the right numbered ports in the correct order and SHAZAM !! the port for ssh (or whatever service) is suddenly available for you to login.. It's like installing an electronic combination lock on your system.

more info
http://www.linuxjournal.com/article/6811
http://en.wikipedia.org/wiki/Port_knocking
http://doorman.sourceforge.net/ (knocking program including one for windows)

Move SSHD to a different port to prevent automated attacks.

Check out Modify SSH to Maximize Security to learn some simple ways to improve your SSHD security.

Moving a listening port can be considered "security by obscurity". The only reason the foogazi article uses for changing ports is that it thwarts botnet tools but fails to mention that if you scan a port range and combine it with a banner scan you will find the port anyway. The article also doesn't mention using passphrases instead of passwords and limiting exposure through either iptables or hosts/allow (if compiled with -libwrap) if access allows it (as in admin access vs. pub access). It also doesn't mention the tools posted in http://www.linuxquestions.org/questi...d.php?t=340366 (of which DenyHosts is one).


I don't see how Port knocking enhances security. AFAIK it does not use any form of authentication or authorisation, so if no other restrictions are in place then brute-forcing the sequence should give you access to sshd. I'm tempted to call it a form of "security by obscurity" as well.

If you're sure no one's going to login at night why not simply run a cron job which shuts down sshd at 12:00pm midnight? Another cron job could turn it on 8:00am or whenever you need it.

Also I'd suggest doing:
1.Move Sshd to another port. Reason being it'd probably stop a lot of automated codes which brute force anything running on port 22 if they find it open.

2.True.. A full scan with a version scan will catch Sshd running on port 54657 but its still better thn running it on 22. Wastes more attacker time.

3.Harden SSH .. there are loads of guides available.

4.Why allow it over the Internet?? If you have firewall block it off over the Internet...except for your own home IP maybe...soemthing like...

allow MyIP Linuxserver 22
deny everyone Linuxserver 22

The cron should do the job though if you're sure no one's gonna login to your box or theres no application running which internally uses SSH during the hours when sshd is off.

Cheers
Arvind

True someone could brute force the sequence, but they would have to think to try.. They would need to know what port they are trying to unlock otherwise how would they know when they hit the combination? and there are how many ports per IP addess (65537 UDP ports alone) ? The ASCII charachter set doesn't provide that many possibilites.. so 65537 ports would make how many sequence combinations ? which would also depend on how many knocks you set your combination for. quite a huge number of possibilities if I set a combination that reqired knocking on 10 different ports in a specific sequence.

I'm not saying it's a perfect solution but if all your services are 'locked' with port knocking a scan against your machine will show no open ports.. is a cracker really going to bother to continue to go after that machine ? how long would it take to attempt to brute force that knocking sequence ? and theres still a username and password once you get the port open. or would they move on to a softer target. you know some person that has a ton of services running by default and all their ports open.. a true playground..

I dont think that I would agree with calling port knocking security through obscurity.. although I can see your point.

You could also set the firewall to block all forign IP addresses from your SSH port. If one of you're admins goes on holiday just allow that country for a few weeks.

As for port knocking, its security through obsucrity because not knowing that the ports arn't really closed, and not knowing the combination is what keeps attackers out. However passwords are also security through obsurity and we all know their usefull Port knocking is a great tool.

True someone could brute force the sequence, but they would have to think to try.. (..)
But I don't need to think about it if I can use a brute-forcing tool.


quite a huge number of possibilities if I set a combination that reqired knocking on 10 different ports in a specific sequence.
Yes, but people don't like (password) complexity so chances are knock sequences will not be complex too.
Also knocking definately is overhead since it requires you to do something "extra".


I would really like to see people focus on basic host and network hardening before thinking about "fancy stuff".

However passwords are also security through obsurity
Can you explain why you find using passwords provides a false sense of security?

I don't, I'm just repeating Linus Torvalds when he says that security through obscurity isn't bad by definition. In practice it usually is but there are exceptions such as passwords and port knocking

I don't, I'm just repeating Linus Torvalds when he says that security through obscurity isn't bad by definition. In practice it usually is but there are exceptions such as passwords and port knocking
I can't see anyone marking using passwords as an example of "security through obscurity" so I'm afraid I have to conclude you're just skewing things out of true.

I wouldn't consider Port Knocking to be Security by Obscurity. In order to brute force a sequence of just 4 knocks it would require 65537* 65537* 65537* 65537 combinations = 1.84478700E+19!!! At this point you're basically at the level of difficulty on par with breaking encryption algorithms. Can it be done with brute force? Sure, but the number of years required to accomplish it with current computing power and network bandwidth would mean that the system you're trying to crack will be obsolete before you even have a 1% chance of getting in.

My personal definition of SbO is: Any measure that only trivially increases the amount of effort required by a savvy attacker.

Moving a service to a different port isn't going to fool a savvy attacker. They will simply run nmap, or another port scanner against your system and quickly find out that SSH is on a different port. This will generally only take a minute or two, thus it's trivial. The same would be true of something like changing the banner for your Sendmail daemon to say that it was Postfix. Any savvy attacker is going to fingerprint the service (again, namp) and find out that it's really Sendmail, or they won't even waste time attempting to discover if the MTA is likely to be vulnerable, they'll just run their exploit and find out that it works without even caring how it identified itself.

Port Knocking essentially has similar properties to cryptography, which is far from SbO. Using passwords significantly increases the difficulty over simply guessing a correct username (assuming you have a minimum length of 8 characters and some complexity requirements). Passwords are not SbO, either.