nixCraft

Hello all,

Please share your tips and howto about avoiding failed login ssh attempt (brute ssh attack) and securing SSH based remote Login system.

This is kind of a group project and I am expecting to everyone share their valuable experience. Please consider following

SSH brute force attacks
SSH dictionary attacks
Buffer overflow attack
Securing shell access via ssh

Step # 1: Change the ssh port
Open config file /etc/ssh/sshd_config
Default port is 22 set to something else like 678
Step # 2: Bind ssh to specific IP address
Usually all server comes with 5 or more public IP address. No need to bind to all IP address. Just bind to one IP address.
Step # 3: Only use SSH protocol 2
Step # 4: Do not allow root to login
Step # 5: Deny root user login
Step # 6: Setup login banner
Save and close file. Create file
Type message in file
Save and close file. Restart sshd
Now to login always use:
For scp use -P port option
How to Disable SSHD password authentication
As suggested by monk you can automate password less logins with ssh client keys instead of password authentication.

Type at your local Linux/UNIX workstation; create a public/private key pair:
Just press [Enter] key when promoted for a passphrase. Just hit [Enter] key twice. Now you have ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub files. Copy ~/.ssh/id_rsa.pub file to your remote ssh server using scp:

First login to remove server over ssh and create .ssh directory:
Now create .ssh dir and set permission to 0700
Now type following at client system (copy file to remote server as authorized_keys2)
Now you can login to remote system w/o password from your local Linux/UNIX workstation.

On serer open /etc/ssh/sshd_config
And disable password authtication
Restart sshd

__________________
Rocky Jr.
You may have my body & soul, but you will never touch my pride!

If you have knowledge, let others light their candles at it.

Certified to work on HP-UX / Sun Solaris / RedHat

Rocky I am not good at securing servers but here is the command that will tell you if you are under attack. It will list failed login attempts along with host/ip address:

O/P

__________________
Raj
Linux rulz.
I have never turned back in my life ; I shall not do so today.. haha

Well this can be done by installing the csf firewall found here: http://www.configserver.com/cp/csf.html
It can do all the following:
This suite of scripts provides:

* Straight-forward SPI iptables firewall script
* Daemon process that checks for login authentication failures for:
o courier imap and pop3
o ssh
o non-ssl cpanel / whm / webmail (ssl cpanel/whm login tracking support available in EDGE release)
o pure-pftd
o password protected web pages (htpasswd)
o mod_security failures
* POP3/IMAP login tracking to enforce logins per hour
* SSH login notification
* SU login notification
* Excessive connection blocking
* WHM configuration interface
* WHM iptables report log
* Easy upgrade between versions from within WHM
* Pre-configured to work on a cPanel server with all the standard cPanel ports open
* Auto-configures the SSH port if it's non-standard on installation
* Block traffic on unused server IP addresses - helps reduce the risk to your server
* Alert when end-user scripts sending excessive emails per hour - for identifying spamming scripts
* Suspicious process reporting - reports potential exploits running on the server
* Excessive cPanel user processes reporting
* Excessive cPanel user process usage reporting and optional termination
* Suspicious file reporting - reports potential exploit files in /tmp and similar directories
* Directory and file watching - reports if a watched directory or a file changes
* Block traffic on the DShield Block List and the Spamhaus DROP List
* Pre-configured settings for Low, Medium or High firewall security
* Works with multiple ethernet devices
* Server Security Check - Performs a basic security and settings check on the server
* Allow Dynamic DNS IP addresses - always allow your IP address even if it changes whenever you connect to the internet
* Alert sent if server load average remains high for a specified length of time


To enable the ssh login failure detection do:
LF_SSHD = "1"

__________________
LivE Free 0r DiE
L!nux rul3z aLL

y0 can use CSF with lfd as binary say or APF with bfd

B!n@ry, excellent find

This is new to me, generally I use apf or write iptables from scratch for client. BDF is also good.

__________________
Vivek | My personal blog
Linux Evangelist
Play hard stay cool

nixCraft, its not a "find" its installed on our Servers

Ohhhh, man all from scratch ???? what a head ache

__________________
LivE Free 0r DiE
L!nux rul3z aLL

Why not disabling password authentication? This will almost solve all problems.

Sure it is a pain but sometime you have to write everything from scratch. If you are setting up a cluster or complicated networking APF or other scripts are not useful.

And not to mention you can make some good money by providing customized solution

this post rockz

make sure your file permissions on both ~/.ssh/* and server:~/.ssh/* set to 0600. Your private key file id_rsa must be present only on your local Linux/UNIX workstation.

Chk out Top Ten Secure Shell FAQs http://www.oreillynet.com/pub/a/orei...tips_0101.html
LOL ... do u have your own box for learning or for business??? I think nixcrat is not using any sort of CP just a guess

Bye

__________________
Friends - v-nessa - missyAdmin

Here is the line from my pf firewall script
My pf limits the connection rate to port 22 to five per minute. You can set to 2 or anything else. It will stop attacker who is trying out attack on ssh server as my firewall blocks incoming request to 5.

For iptables see tutorial written by our friends @ debian-administration.org http://www.debian-administration.org/articles/187

@sweta
I do use CP for clients but personally I don't use any CP. I was not aware of csf firewall script or module. There are tons of such script exists.

@bin@ry
Hehe yes sometime I do write it from scratch

@monk
Buddy don't give us our secrets in public making money is not bad I guess :P

__________________
Vivek | My personal blog
Linux Evangelist
Play hard stay cool