Linux Security Experts

TonyRic

Golden Member
Nov 4, 1999
1,972
0
71
It is a great idea for organizations and the truly paranoid. But more security is never a bad idea.
 

Skeeedunt

Platinum Member
Oct 7, 2005
2,777
3
76
Seems like a fine idea, though I wonder how often it really comes up. I see plenty of drive-by attacks in the logs, but never noticed a genuine brute-force attempt. Probably depends on who/where you are.

If you really wanted to get serious though, wouldn't you just disable password authentication altogether and use public key authentication?

(Disclaimer: not a Linux security expert)
 

Netopia

Diamond Member
Oct 9, 1999
4,793
4
81
Perhaps I should look into using PKA, but I like the idea of me being able to log in from anywhere I have ssh available, and PKA would pretty much kill that.

Joe
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
The idea in the article isn't a bad one but it only covers port 22 and you'd need one set of rules per port that you want to protect, unless you don't mind them all sharing the same timing pool. If you have strong enough passwords or PKA the main advantage to those rules would be cleaner logs.

Perhaps I should look into using PKA, but I like the idea of me being able to log in from anywhere I have ssh available, and PKA would pretty much kill that.

PKA wouldn't kill that if you just carried around a flash drive with your key on it.
 

child of wonder

Diamond Member
Aug 31, 2006
8,307
176
106
While working at an ISP we saw lots of brute force attacks in the logs. We ended up installing denyhosts. Basically if someone attempts an SSH log in and gets it wrong 5 times (or whatever number you set) their IP gets added to /etc/hosts.deny to block them from SSH access (or ANY access if you want).

We'd have betting pools on how many new IPs would get added over the weekends sometimes.
 

skyking

Lifer
Nov 21, 2001
22,631
5,740
146
I employ strong passwords, no root login, and use keys for any automated operations.
Since I don't run SSH servers for anyone else's convenience, I use a nonstandard port.
Since the port change, my logs have no failed login attempts save my own ham-fisted ones.
 

DaiShan

Diamond Member
Jul 5, 2001
9,617
1
0
I use a perl script called sshblack that monitors my auth logs for failures; if three failures are detected from an IP address, an iptables rule is added to drop all packets from that IP address for 3 days. The other option is to use multifactor auth (something you have AND something you know). It is also good practice to disable root logins over ssh (PermitRootLogin no); that way an attacker would have to guess the user AND the password instead of just the password.
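The threshold-and-ban logic that both the denyhosts post above and this sshblack description rely on (count failed logins per source IP, block once a limit is hit, expire the block later) is simple enough to show end to end. The script below is an added example written for this thread, not sshblack's or denyhosts' own code. It parses constructed sshd auth-log lines, applies a configurable failure threshold inside a sliding time window, and renders the resulting block as both an iptables DROP rule and a hosts.deny line, as strings only; nothing is executed. The log lines, IPs, usernames and the assumed log year are all made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not from the thread). Classic syslog
# timestamps carry no year, so the parser takes an assumed year as a parameter.
SAMPLE_LOG = """\
Mar 10 02:14:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51822 ssh2
Mar 10 02:14:03 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51822 ssh2
Mar 10 02:14:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 51830 ssh2
Mar 10 02:14:06 host sshd[1205]: Accepted publickey for joe from 198.51.100.4 port 40111 ssh2
Mar 10 02:20:00 host sshd[1210]: Failed password for joe from 198.51.100.4 port 40120 ssh2
Mar 10 03:30:00 host sshd[1211]: Failed password for joe from 198.51.100.4 port 40121 ssh2
Mar 10 03:30:02 host sshd[1212]: Failed password for joe from 198.51.100.4 port 40122 ssh2
"""

# Matches OpenSSH's "Failed password" line for both existing and invalid users.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(text, year=2024):
    """Return a list of (timestamp, ip, user) for every failed-password line."""
    failures = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["ip"], m["user"]))
    return failures


def find_offenders(failures, threshold=3, window=timedelta(minutes=10),
                   ban=timedelta(days=3)):
    """Map ip -> (blocked_at, expires_at) for IPs reaching `threshold` failures
    within `window`. threshold=3 / ban=3 days mirrors the sshblack description;
    threshold=5 mirrors the denyhosts default mentioned in the thread."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    banned = {}
    for ts, ip, _user in sorted(failures):
        if ip in banned:
            continue  # already blocked; further attempts would be dropped anyway
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # forget failures older than the window
        if len(q) >= threshold:
            banned[ip] = (ts, ts + ban)
    return banned


def block_commands(banned):
    """Render each ban as an iptables rule (sshblack style) and a hosts.deny
    line (denyhosts style). Returns strings; a real tool would apply and later
    remove them, and hosts.deny only affects services linked against libwrap."""
    cmds = []
    for ip, (_since, until) in sorted(banned.items()):
        cmds.append(f"iptables -I INPUT -s {ip} -j DROP  # remove after {until:%Y-%m-%d %H:%M}")
        cmds.append(f"sshd: {ip}  # line for /etc/hosts.deny")
    return cmds


if __name__ == "__main__":
    offenders = find_offenders(parse_failures(SAMPLE_LOG))
    for cmd in block_commands(offenders):
        print(cmd)
```

With the defaults, only 203.0.113.7 is blocked: its three failures land within seconds. 198.51.100.4 also fails three times, but the first failure is over an hour before the other two, so it never has three inside the ten-minute window; lowering the threshold to 2 would catch it. Pick the window and threshold with your own users' typo rate in mind, since a ban is equally effective at locking out a legitimate admin on a bad keyboard day.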
 

DaiShan

Diamond Member
Jul 5, 2001
9,617
1
0
Originally posted by: child of wonder
While working at an ISP we saw lots of brute force attacks in the logs. We ended up installing denyhosts. Basically if someone attempts an SSH log in and gets it wrong 5 times (or whatever number you set) their IP gets added to /etc/hosts.deny to block them from SSH access (or ANY access if you want).

We'd have betting pools on how many new IPs would get added over the weekends sometimes.

/etc/hosts.deny only applies to services that are run through inetd (or xinetd); usually ssh is run as a daemon by init, so adding rules to /etc/hosts.deny won't do much for you.

Also Netopia, the key on the USB is a great idea and true multi-factor authentication (a SOX requirement for remote access), and not difficult to set up!
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
/etc/hosts.deny only applies to services that are run through inetd (or xinetd); usually ssh is run as a daemon by init, so adding rules to /etc/hosts.deny won't do much for you.

That's not true at all; anything linked against TCP wrappers (libwrap) uses /etc/hosts.*.
 