Jason Booth wrote:
> On Monday 23 October 2006 13:21, Brian Davis wrote:
>> What do you folks do to harden SSHD? I'm looking for some pointers.

> The main thing I have noticed lately is the huge volume of brute-force
> attacks:
>
> Using DenyHosts is pretty much a necessity now.
> app-admin/denyhosts

I disagree. With password-auth disabled (in favour of public/private
keys) there are only three things to worry about with these brute-force
attacks:

1. Log spam

2. DoS

3. Bandwidth charges

With regard to (1), any decent log analysis program will be able to
filter out the spam entries.

With regard to (2), I've yet to see any DoS effect from these attacks,
although I suppose it's possible with ancient hardware and a pitifully
small internet connection :-)

With regard to (3), bandwidth charges will be incurred regardless of any
filtering performed at your machine, since the traffic still reaches
your box (as far as your upstream provider is concerned).

Obviously, it would be nice to reduce the volume of log spam and the
total volume of attack traffic being sent to your box, but there are
much simpler ways to achieve these - using denyhosts just complicates
things and provides serious attackers (i.e. those using exploits, rather
than password brute-forcing) with another avenue of attack. Any
application that parses log files containing data supplied by an
attacker is potentially vulnerable to an exploit - particularly when the
application in question runs with root privileges and/or modifies a
firewall.

I've seen many recommendations for port knocking, but I feel that's
unnecessarily complex when compared to simply changing the port sshd
listens on. While the use of port knocking no doubt further decreases
your exposure over an alternate sshd port, the difference is only a
small percentage of the benefit you receive from moving away from port
22 in the first place.

There is an excellent article at
http://www.debian-administration.org/articles/187 describing the use of
the "recent" netfilter module in stopping brute-force ssh attacks at the
firewall level. In addition to its simplicity when compared to denyhosts
or a similar application, the netfilter approach can be used at your
border router to protect the entire network. A host-based solution would
allow one attack against each host, whereas the netfilter approach can
limit this to one attack against any single host on the network. While
denyhosts can also achieve this, it requires the use of a central server.

Cheers

Andrew
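Added illustration, not code from the thread or from the linked article: a small Python model of the two-rule "recent" recipe, replayed over a constructed stream of new SSH connections to show the difference Andrew draws between per-host tables and a single table at the border router. The attacker and user addresses, host names and timings are constructed sample data.

```python
# Replays the classic netfilter "recent" recipe for SSH brute-force throttling:
#   iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
#       -m recent --set --name SSH
#   iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
#       -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
# The second rule matches once a source has >= 4 stamps inside the last 60 s,
# and (being --update) adds a fresh stamp for every packet it matches.
# Simplification: the kernel keeps a bounded ring of stamps per address
# (ip_pkt_list_tot); this model keeps all of them.
from collections import defaultdict

SECONDS, HITCOUNT = 60, 4


def process(events, per_host):
    """Replay (time_s, src_ip, dst_host) events; return the list of dropped ones.

    per_host=True : every host runs its own table (host-based firewall),
                    so an attacker gets HITCOUNT-1 free tries per host.
    per_host=False: one table at the border router keyed by source only,
                    so the same attacker gets HITCOUNT-1 free tries in total."""
    stamps = defaultdict(list)  # table key -> timestamps recorded for that source
    dropped = []
    for t, src, dst in events:
        key = (src, dst) if per_host else src
        stamps[key].append(t)  # rule 1: --set records this NEW connection
        # rule 2: count stamps still inside the window (older ones fall out)
        hits = sum(1 for s in stamps[key] if t - s <= SECONDS)
        if hits >= HITCOUNT:
            stamps[key].append(t)  # --update refreshes the entry on a match
            dropped.append((t, src, dst))
    return dropped


# Constructed sample traffic: one attacker rotating across three internal
# hosts every 2 s, a legitimate user, and the attacker returning after a lull.
ATTACKER, USER = "198.51.100.7", "203.0.113.5"
HOSTS = ["host-a", "host-b", "host-c"]
EVENTS = [(t, ATTACKER, HOSTS[i % 3]) for i, t in enumerate(range(0, 18, 2))]
EVENTS += [(5, USER, "host-a"), (30, USER, "host-a"), (200, ATTACKER, "host-a")]
EVENTS.sort()

if __name__ == "__main__":
    for label, per_host in (("per-host tables", True), ("border router", False)):
        d = process(EVENTS, per_host)
        print(f"{label}: {len(d)} of {len(EVENTS)} new connections dropped")
        for t, src, dst in d:
            print(f"  t={t:>3}s  {src} -> {dst}  DROP")
```

With per-host tables the attacker never reaches four attempts against any one host, so nothing is dropped; at the border the fourth attempt overall is dropped and the source stays blocked until it has been quiet for the 60-second window.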