| 1 |
Jason Booth wrote: |
| 2 |
> On Monday 23 October 2006 13:21, Brian Davis wrote: |
| 3 |
>> What do you folks do to harden SSHD? I'm looking for some pointers. |
| 4 |
|
| 5 |
> The main thing I have noticed lately is the huge volume of brute-force |
| 6 |
> attacks: |
| 7 |
> |
| 8 |
> Using DenyHosts is pretty much a necessity now. |
| 9 |
> app-admin/denyhosts |
| 10 |
|
| 11 |
I disagree. With password-auth disabled (in favour of public/private |
| 12 |
keys) there are only three things to worry about with these brute-force |
| 13 |
attacks: |
| 14 |
|
| 15 |
1. Log spam |
| 16 |
|
| 17 |
2. DoS |
| 18 |
|
| 19 |
3. Bandwidth charges |
| 20 |
|
| 21 |
With regard to (1), any decent log analysis program will be able to |
| 22 |
filter out the spam entries. |
| 23 |
|
| 24 |
With regard to (2), I've yet to see any DoS effect from these attacks, |
| 25 |
although I suppose it's possible with ancient hardware and a pitifully |
| 26 |
small internet connection :-) |
| 27 |
|
| 28 |
With regard to (3), bandwidth charges will be incurred regardless of any |
| 29 |
filtering performed at your machine, since the traffic still reaches |
| 30 |
your box (as far as your upstream provider is concerned). |
| 31 |
|
| 32 |
Obviously, it would be nice to reduce the volume of log spam and the |
| 33 |
total volume of attack traffic being sent to your box, but there are |
| 34 |
much simpler ways to achieve these - using denyhosts just complicates |
| 35 |
things and provides serious attackers (ie. those using exploits, rather |
| 36 |
than password brute-forcing) with another avenue of attack. Any |
| 37 |
application that parses log files containing data supplied by an |
| 38 |
attacker is potentially vulnerable to an exploit - particularly when the |
| 39 |
application in question runs with root privileges and/or modifies a |
| 40 |
firewall. |
| 41 |
|
| 42 |
I've seen many recommendations for port knocking, but I feel that's |
| 43 |
unnecessarily complex when compared to simply changing the port sshd |
| 44 |
listens on. While the use of port knocking no doubt further decreases |
| 45 |
your exposure over an alternate sshd port, the difference is only a |
| 46 |
small percentage of the benefit you receive from moving away from port |
| 47 |
22 in the first place. |
| 48 |
|
| 49 |
There is an excellent article at |
| 50 |
http://www.debian-administration.org/articles/187 describing the use of |
| 51 |
the "recent" netfilter module in stopping brute-force ssh attacks at the |
| 52 |
firewall level. In addition to its simplicity when compared to denyhosts |
| 53 |
or a similar application, the netfilter approach can be used at your |
| 54 |
border router to protect the entire network. A host-based solution would |
| 55 |
allow one attack against each host, where as the netfilter approach can |
| 56 |
limit this to one attack against any single host on the network. While |
| 57 |
denyhosts can also achieve this, it requires the use of a central server. |
| 58 |
|
| 59 |
Cheers |
| 60 |
|
| 61 |
Andrew |
Archives