Improving Protection on SSH Connections
#7

Quote:Nowadays SSH scans are a fact of life...
My server had been up for 3 days before this got logged:
Quote:...Nov 20 06:05:43 tek1 sshd[20041]: Invalid user aaa from 211.192.139.21
Nov 20 06:05:44 tek1 sshd[20046]: Invalid user qqq from 211.192.139.21
Nov 20 06:05:46 tek1 sshd[20051]: Invalid user www from 211.192.139.21
Nov 20 06:05:47 tek1 sshd[20056]: Invalid user eee from 211.192.139.21
Nov 20 06:05:49 tek1 sshd[20061]: Invalid user rrr from 211.192.139.21
Nov 20 06:05:50 tek1 sshd[20066]: Invalid user ttt from 211.192.139.21
Nov 20 06:05:52 tek1 sshd[20071]: Invalid user yyy from 211.192.139.21
Nov 20 06:05:53 tek1 sshd[20076]: Invalid user uuu from 211.192.139.21
Nov 20 06:05:55 tek1 sshd[20081]: Invalid user iii from 211.192.139.21
Nov 20 06:05:56 tek1 sshd[20086]: Invalid user ooo from 211.192.139.21
...
;)

I did exactly as you did, including switching to rsa after I read the warning in Putty :)

I also use Putty Authentication Agent (PAGEANT.EXE) - to avoid retyping passphrases.

The one problem I have with sshd is, I changed it to run on a different port (6022), and ssh works fine, but sftp won't connect. Anyone know why this might be?

I also allow only my homeip to connect:

iptables -I INPUT -s ${homeip} -p TCP --dport 6022 -j ACCEPT

My home IP is DHCP, but it only changes when I change the router (like switching from a Linksys home router to a gentoo homebuilt router :)).

So in case my IP does change again, I added port knocking to the server to allow the new address in.

/etc/knockd.conf



Code:
[options]
    logfile = /var/log/knockd.log

[openMain]
    sequence    = 7000,8000,9000
    seq_timeout = 15
    command     = /usr/util/knockset.sh open %IP%
    tcpflags    = syn

[closeMain]
    sequence    = 9000,800,7000
    seq_timeout = 15
    command     = /usr/util/knockset.sh close %IP%
    tcpflags    = syn

/usr/util/knockset.sh



Code:
#!/bin/bash
# knockset.sh, called from /etc/knockd.conf with "open" or "close" and the
# knocking client's address (knockd substitutes it for %IP%).
ports="8888 pop3s imaps https http domain smtp 6022"
action=$1
ip=$2

doports () {
    for p in $ports; do
        iptables -$IorD INPUT -s "$ip" -p TCP --dport $p -j ACCEPT
    done
    iptables -$IorD INPUT -s "$ip" -p UDP --dport domain -j ACCEPT
    iptables -$IorD INPUT -s "$ip" -p icmp -j ACCEPT
}

open() {
    IorD="I"    # insert the rules at the top of INPUT
    doports
}

close() {
    IorD="D"    # delete the same rules again
    doports
}

usage() {
    echo "Usage: $0 open|close ip.address.to.change" >&2
    exit 1
}

# The address ends up on an iptables command line, so refuse anything that
# is missing or not a plain dotted-quad.
case $ip in
    ""|*[!0-9.]*) usage;;
esac

case $action in
    open)  open;;
    close) close;;
    *)     usage;;
esac
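The quoted log at the top of the post is the kind of burst a scanner produces: many "Invalid user" lines from one address within seconds. The script below is an added example, not part of the original post, that counts such attempts per source address from sshd log text and prints (without running) the iptables rule that would drop a source once it passes a threshold. The sample log lines are constructed to mirror the quoted ones plus two filler entries from reserved example addresses; the threshold of 3 and the port 6022 are assumptions taken from the discussion.

```shell
#!/bin/sh
# Added example, not from the original post: count sshd "Invalid user"
# attempts per source address and flag sources over a threshold.
# SAMPLE_LOG is constructed to mirror the lines quoted in the post; the
# 10.0.0.5 and 198.51.100.7 entries are made-up filler.
SAMPLE_LOG='Nov 20 06:05:43 tek1 sshd[20041]: Invalid user aaa from 211.192.139.21
Nov 20 06:05:44 tek1 sshd[20046]: Invalid user qqq from 211.192.139.21
Nov 20 06:05:46 tek1 sshd[20051]: Invalid user www from 211.192.139.21
Nov 20 06:05:47 tek1 sshd[20056]: Invalid user eee from 211.192.139.21
Nov 20 06:05:49 tek1 sshd[20061]: Invalid user rrr from 211.192.139.21
Nov 20 06:06:01 tek1 sshd[20090]: Accepted publickey for dspln from 10.0.0.5 port 51022 ssh2
Nov 20 06:06:30 tek1 sshd[20095]: Invalid user test from 198.51.100.7'

# invalid_user_counts: read log text on stdin, print "<count> <ip>" for
# every source address that produced an "Invalid user" line, highest first.
invalid_user_counts() {
    sed -n 's/.*sshd\[[0-9]*\]: Invalid user [^ ]* from \([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# offenders: read log text on stdin, print the addresses whose count
# reaches the threshold given as $1.
offenders() {
    invalid_user_counts | awk -v t="$1" '$1 >= t { print $2 }'
}

# block_rule: print, rather than run, the iptables rule that would drop
# traffic from address $1 to the SSH port $2 (6022 in the post).
block_rule() {
    printf 'iptables -I INPUT -s %s -p tcp --dport %s -j DROP\n' "$1" "$2"
}

# report: summarise the log on stdin and show the rule for each offender.
report() {
    threshold=$1
    port=$2
    log=$(cat)
    echo "invalid-user attempts per source:"
    printf '%s\n' "$log" | invalid_user_counts
    echo "sources with at least $threshold attempts (rules shown, not applied):"
    for src in $(printf '%s\n' "$log" | offenders "$threshold"); do
        block_rule "$src" "$port"
    done
}

printf '%s\n' "$SAMPLE_LOG" | report 3 6022
```

On a live box the same functions can be fed with `grep sshd /var/log/auth.log` (or wherever the distribution sends sshd messages); the rules are only printed so that the output can be reviewed before anything is applied, and a temporary drop from a rule like this is exactly what tools such as fail2ban automate, including expiring the rule again later.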






Messages In This Thread
Improving Protection on SSH Connections - by znx - 2005-07-31, 10:42 PM
Improving Protection on SSH Connections - by znx - 2005-08-01, 05:45 PM
Improving Protection on SSH Connections - by znx - 2005-08-04, 01:01 AM
Improving Protection on SSH Connections - by dspln - 2005-12-05, 08:59 PM
Improving Protection on SSH Connections - by znx - 2005-12-05, 11:49 PM
Improving Protection on SSH Connections - by znx - 2006-05-06, 03:08 PM
