In gmane.linux.gentoo.user, you wrote:
> On Sunday 15 November 2009 08:21:55 Walter Dnes wrote:
>> On Sat, Nov 14, 2009 at 07:07:28PM -0500, Richard Marza wrote
>>
>> > Thank you for the information, I did find that denyhost and fail2ban in
>> > threads but there were issues with it not working properly. Some users
>> > created custom scripts to get the job done correctly.
>>
>> Have you considered not allowing password-based logins at all for ssh?
>> Use RSA keys instead. It's much easier, and much more secure.
>
> fail2ban and/or denyhosts is still very useful with key-only auth, even if
> only to get the spam out of messages and into the iptables logs

I've hardened ssh by doing the following:

* Only allow certain users to ssh
* Not allowing password login, but only RSA
* Switching ssh to a non-standard port

This has dramatically reduced the number of attacks my box gets. It's
down to about 2 attacks per year, which is good enough for me. Another
trick I learned about, but haven't implemented, is changing the version
string in sshd by patching the source. SSH vulnerability attacks
actually check the version string, so if you change it to something
unique, the scripts won't even try to get into your box.
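As an added example, not from the original post or from the mailing list: a POSIX shell script that writes an sshd_config fragment for the three steps listed above and checks a configuration (a file, or the effective settings as dumped by `sshd -T`) for them. The port 2222, the user name alice and the file paths are placeholders; ChallengeResponseAuthentication is the keyword OpenSSH used at the time of the post, newer releases call it KbdInteractiveAuthentication.

```shell
#!/bin/sh
# Added example, not from the original post. Writes a hardened sshd_config
# fragment and verifies that a given config actually enforces it.
# Assumptions: OpenSSH on Linux; "alice", port 2222 and the paths below are
# placeholders, not values from the thread.
set -eu

# Step 1-3 from the post as sshd_config keywords.
hardened_config() {
    cat <<'EOF'
# Step 1: only these accounts may log in over ssh (placeholder user)
AllowUsers alice
# Step 2: keys only; no password prompts of any kind
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
# Step 3: non-standard port; cuts scanner noise, not a security boundary
Port 2222
EOF
}

# Print the value of one keyword from a config file or an "sshd -T" dump.
# Keywords are case-insensitive and, as in sshd itself, the first
# occurrence of a keyword is the one that counts.
ssh_setting() {
    # $1 = keyword, $2 = file
    awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        $1 != "" && substr($1, 1, 1) != "#" && tolower($1) == k { print $2; exit }
    ' "$2"
}

# Verify the three hardening steps. Exit status 0 = all present,
# 1 = at least one weak setting found (each one is reported).
check_sshd_config() {
    f="$1"
    rc=0
    if [ -z "$(ssh_setting AllowUsers "$f")" ] && [ -z "$(ssh_setting AllowGroups "$f")" ]; then
        echo "WEAK: no AllowUsers/AllowGroups restriction"
        rc=1
    fi
    if [ "$(ssh_setting PasswordAuthentication "$f")" != "no" ]; then
        echo "WEAK: PasswordAuthentication is not 'no'"
        rc=1
    fi
    case "$(ssh_setting Port "$f")" in
        ""|22)
            echo "NOTE: sshd still listens on port 22"
            rc=1
            ;;
    esac
    return $rc
}

# Stand-alone use: "--live" dumps the effective config (needs root and
# host keys) and checks it; otherwise just print how to use the functions.
if [ "${1:-}" = "--live" ]; then
    sshd -T > /tmp/sshd-effective.conf
    check_sshd_config /tmp/sshd-effective.conf
else
    echo "Usage: $0 --live   (or: . $0; hardened_config > FILE; check_sshd_config FILE)"
fi
```

Checking the `sshd -T` dump rather than the file you edited matters because sshd takes the first value it sees for a keyword, so a `PasswordAuthentication yes` earlier in the file, or in a distribution-supplied fragment, silently wins over a `no` appended below it. The port change mostly removes log noise from scanners that only try 22; it is not a substitute for the first two steps.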