[plug] ssh scans
Shannon Carver
shannon.carver at gmail.com
Mon Sep 11 09:30:43 WST 2006
Apart from all the obvious (Changing SSH port, disallowing connections from
all unknown hosts, or at least allowing connections from known hosts
subnets), there are a few nifty things you can do with iptables.
Two ideas I've seen in the past (using iptables):
- Limit the amount of connections to SSH from said IP, both by connection
basis and by time. Basically allow one connection from an IP, both
concurrently, and per every 3-10 minute time period. That way, if they
connect, get the password wrong 3 times, they physically can't connect to
try again for set time period.
- Have a web service running on an arbitrary port (think 57435 or something),
which when connected to opens Port 22, or SSH port for that IP for a time
period.
I'm not sure if it will help, and how in-the-know your users are, but you
could disable password access completely, and require everyone to login with
public/private keys? I'm not sure if this adds more security concerns
though.
> -----Original Message-----
> From: plug-bounces at plug.org.au [mailto:plug-bounces at plug.org.au] On Behalf
> Of W.Kenworthy
> Sent: Monday, 11 September 2006 9:19 AM
> To: Plug List
> Subject: [plug] ssh scans
>
> I have a machine where ssh has been changed from being protected by
> firewall rules, to be open to the world. So of course, now I am getting
> ssh scans.
>
> There are also a small number of users whose passwords I do not
> necessarily trust (time for jack the ripper!), so what's the thinking on
> the best way to secure against such scans? Is there something in ssh,
> or a multiple connection firewall restriction?
>
> BillK
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://www.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.linux.org.au
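As an added example (not part of Shannon's post or the PLUG archive), the following POSIX shell functions emit iptables rules for both ideas above: the per-IP concurrent and per-time-window limit using the connlimit and recent modules, and a simplified form of the arbitrary-port idea where a plain TCP attempt on a chosen port (in place of a web service) lets that source reach the SSH port for a while. The chain name SSH_GUARD, the recent list names, the knock port and the trusted subnet are assumed values, not from the mail.

```shell
#!/bin/sh
# Added example, not from the original post. Emits iptables commands; review
# them, then run as root (e.g. `ssh_guard_rules | sh`). Chain/list names,
# the knock port and the trusted subnet are assumed, not from the mail.

# Idea 1: one concurrent SSH connection per source IP, and at most $3 new
# connections per source IP in every $2-second window. A source that keeps
# retrying keeps refreshing its entry, so the lockout lasts until it stops.
ssh_guard_rules() {
    port="${1:-22}"       # sshd listen port
    window="${2:-600}"    # seconds per window (the mail suggests 3-10 minutes)
    allowed="${3:-3}"     # new connections allowed per IP per window
    trusted="${4:-}"      # optional CIDR that bypasses the limits (assumed)
    hits=$((allowed + 1)) # --hitcount counts the current SYN too
    echo "iptables -N SSH_GUARD"
    echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j SSH_GUARD"
    if [ -n "$trusted" ]; then
        echo "iptables -A SSH_GUARD -s $trusted -j ACCEPT"
    fi
    # a second in-progress connection from the same /32 is dropped
    echo "iptables -A SSH_GUARD -p tcp -m connlimit --connlimit-above 1 --connlimit-mask 32 -j DROP"
    # record this SYN, then drop if the IP has now reached the window limit
    echo "iptables -A SSH_GUARD -m recent --name SSH --set"
    echo "iptables -A SSH_GUARD -m recent --name SSH --update --seconds $window --hitcount $hits -j DROP"
    echo "iptables -A SSH_GUARD -j ACCEPT"
}

# Idea 2, simplified: a TCP attempt on the knock port (rather than a web
# service) marks the source; for $3 seconds that source may open the SSH
# port, everything else to the SSH port is dropped. Put these before any
# general ACCEPT rule for the SSH port.
ssh_knock_rules() {
    port="${1:-22}"
    knock="${2:-57435}"   # arbitrary high port, as in the mail
    window="${3:-30}"     # seconds the door stays open after a knock
    echo "iptables -A INPUT -p tcp --dport $knock -m recent --name KNOCK --set -j DROP"
    echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name KNOCK --rcheck --seconds $window -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j DROP"
}
```

Note that connlimit counts conntrack entries, so a client that disconnects and immediately reconnects may be dropped until its old connection has aged out of the table.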