[plug] ssh scans

Shayne O'Neill shayneo at bestflights.com.au
Wed Sep 20 09:14:44 WST 2006


For SSH I suggest 2 things
 
1) "Disable" root. By this I mean, just set an improbable password that
will never ever be discovered because it's 300 characters of shite. Or
whatever. Then set up sudo and set it up well.
2) Install fail2ban. fail2ban just bans IPs that scan or cause
multiple auth errors.

________________________________

From: plug-bounces at plug.org.au [mailto:plug-bounces at plug.org.au] On
Behalf Of Jonathan Young
Sent: Tuesday, 19 September 2006 6:40 PM
To: plug at plug.org.au
Subject: Re: [plug] ssh scans


I would also suggest preventing ssh shell access for users with dodgy
passwords or for those who don't need it.

For example, on most of my Linux boxes, I have ssh access and sudo
rights, but you cannot log in as root via ssh.

Stuart Midgley wrote: 

	rules like these can also assist 
	
	-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource 
	-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j SSH_WHITELIST 
	-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH --rsource -j LOG --log-prefix "SSH_brute_force" 
	-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH --rsource -j DROP 
	
	which only accepts 5 connections in 60s to port 22... if it gets
more than that, it drops the packets.  Doesn't work with old versions of
iptables. 
	
	Stu. 
	
	
	
	On 11/09/2006, at 9:34, Shannon Carver wrote: 
	
	

		Interesting!  Jason's IPB Monitor sounds like a good
all-in-one package, might give it a go tonight for my home machine. 
		
		I'm lucky in my current position, that most of the boxes
I administer, I do so on my own, so I can limit SSH connections to a set
of IPs where I'll be connecting from, or in the case that other users do
need SSH access to the system they're usually only connecting from work
connections anyway (static IPs), VPN etc. 
		
		Thanks for the IPB monitor link! 
		



	-- 
	Dr Stuart Midgley 
	Industry Uptake Program Leader 
	iVEC, 'The hub of advanced computing in Western Australia' 
	26 Dick Perry Avenue, Technology Park 
	Kensington WA 6151 
	Australia 
	
	Phone: +61 8 6436 8545 
	Fax: +61 8 6436 8555 
	Email: industry at ivec.org 
	WWW:  http://www.ivec.org 
	
	
	
	_______________________________________________ 
	PLUG discussion list: plug at plug.org.au 
	http://www.plug.org.au/mailman/listinfo/plug 
	Committee e-mail: committee at plug.linux.org.au 
	
	



-- 

Jonathan Young
Director of PC-PHIX
jonathan at pcphix.com

Phone: 0410 455 674
Web: http://www.pcphix.com/
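The two mitigations the thread keeps coming back to (Stuart's iptables
"recent" rule and Shayne's fail2ban suggestion) both boil down to the same
logic: count failed SSH authentications per source address inside a short
window and cut the address off once it crosses a threshold. The script below
is an added illustration of that logic written for this page; it is not
fail2ban's code, not the iptables rule, and not anything posted in the
thread. It parses OpenSSH "Failed password" lines in syslog format, applies
fail2ban-style maxretry/findtime semantics (defaults chosen to match the
quoted rule: 5 hits in 60 seconds), and reports what a ban action would do.
The log lines, host name, addresses and the ban_command() helper are all
constructed for the example.

```python
"""
Added example for this thread (not fail2ban's code and not from the thread):
a minimal fail2ban-style detector for OpenSSH auth.log lines. It counts
failed password attempts per source IP in a sliding window and names the IPs
that cross the threshold. Defaults (5 failures in 60 s) mirror the iptables
"recent" rule quoted in the thread. The log lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog-format OpenSSH failures, e.g.
#   Sep 20 09:10:01 host sshd[4101]: Failed password for root from 203.0.113.5 port 40001 ssh2
# Only "Failed password" lines are counted, so the "Invalid user" line that
# precedes a failed attempt for an unknown account is not double-counted.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log: one slow scanner (192.0.2.9, one try every 2 min),
# one fast brute-forcer (203.0.113.5, six tries in 17 s) and a legitimate
# user (198.51.100.7) who mistypes twice and then logs in with a key.
SAMPLE_LOG = """\
Sep 20 09:00:00 host sshd[4001]: Failed password for root from 192.0.2.9 port 60001 ssh2
Sep 20 09:02:00 host sshd[4002]: Failed password for root from 192.0.2.9 port 60002 ssh2
Sep 20 09:04:00 host sshd[4003]: Failed password for root from 192.0.2.9 port 60003 ssh2
Sep 20 09:06:00 host sshd[4004]: Failed password for root from 192.0.2.9 port 60004 ssh2
Sep 20 09:08:00 host sshd[4005]: Failed password for root from 192.0.2.9 port 60005 ssh2
Sep 20 09:10:01 host sshd[4101]: Failed password for root from 203.0.113.5 port 40001 ssh2
Sep 20 09:10:05 host sshd[4102]: Failed password for root from 203.0.113.5 port 40002 ssh2
Sep 20 09:10:09 host sshd[4103]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Sep 20 09:10:12 host sshd[4104]: Failed password for invalid user test from 203.0.113.5 port 40004 ssh2
Sep 20 09:10:15 host sshd[4105]: Failed password for root from 203.0.113.5 port 40005 ssh2
Sep 20 09:10:18 host sshd[4106]: Failed password for root from 203.0.113.5 port 40006 ssh2
Sep 20 09:11:00 host sshd[4107]: Failed password for shayne from 198.51.100.7 port 50001 ssh2
Sep 20 09:11:10 host sshd[4108]: Failed password for shayne from 198.51.100.7 port 50002 ssh2
Sep 20 09:11:20 host sshd[4109]: Accepted publickey for shayne from 198.51.100.7 port 50003 ssh2
"""


def parse_failures(lines, year=2006):
    """Yield (timestamp, source_ip) for every failed-password line.

    Syslog timestamps carry no year, so the caller supplies one.
    """
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            yield ts, m.group("ip")


def find_bans(lines, maxretry=5, findtime=60):
    """Return {ip: time_of_ban} for every IP that reaches maxretry failures
    inside any findtime-second window (fail2ban's maxretry/findtime idea)."""
    recent = defaultdict(deque)   # ip -> failure timestamps still in the window
    banned = {}
    for ts, ip in parse_failures(lines):
        if ip in banned:          # once dropped at the firewall, later tries never reach sshd
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # expire hits older than the window
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


def ban_command(ip):
    """Hypothetical ban action: the DROP rule a firewall-based ban would insert."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


if __name__ == "__main__":
    for ip, when in sorted(find_bans(SAMPLE_LOG.splitlines()).items()):
        print(f"{when:%H:%M:%S} ban {ip}: {' '.join(ban_command(ip))}")
```

With the defaults only the fast brute-forcer is banned; the slow scanner
stays under 5 hits per 60 s exactly as it would against the quoted iptables
rule, which is why widening findtime (try 600) or pairing the rate limit with
key-only authentication matters more than the exact threshold.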

