[ale] Pretty Ugly Out There!

Bob Toxen transam at verysecurelinux.com
Wed Mar 8 16:47:43 EST 2006


1. Pick strong passwords of at least 10 chars, preferably 15 or more
   with at least 3 words and 3 non alphanumerics.

2. Use IP Tables/IP Chains to limit what IPs can SSH in.  Most ISPs
   use a few Class C IP ranges for a given home system so include those
   if you want to allow your home system to SSH into work.  Note that
   this also guards against SSH day-0 vulnerabilities as the packets
   will not even get to SSH (Hi Mike "Orc" Warfield).

3. Switch to using only public/private key pairs for SSH and edit the
   /etc/ssh*/sshd_config file to disallow passwords.

4. Read my book and use the script that processes "tail -f /var/log/messages"
   to add firewall rules to lock out IPs that that guess wrong SSH passwords
   more than, say, 3 times in a short time.

Bob Toxen
bob at verysecurelinux.com               [Please use for email to me]
http://www.verysecurelinux.com        [Network&Linux/Unix security consulting]
http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.

"Microsoft: Unsafe at any clock speed!"
   -- Bob Toxen 10/03/2002

On Wed, Mar 08, 2006 at 09:03:41AM -0500, Mills, John M. wrote:
> ALErs -
> 
> I'm currently logging many hundreds - perhaps thousands - of daily
> attempts to get SSH logins on my home box. They come in sequences of
> user names (10-20 typically) from one IP, then a different bunch from
> another. The guessed account names are starting to cycle through searchs
> that might actually hit a real username.
> 
> I would like to lock any given originating IP out of access or out of
> SSH login for some period after some number of failures (against
> different usernames). Is there a simple way to do this with or between
> 'ipchains' and 'open-ssh'?
> 
> Also, what steps should I take to smoothly migrate a user from one
> username to another? I.e. if I just change the login name in 'passwd',
> shadow' and 'groups', what side effects am I likely to hit?
> 
> This box started as RH-7.3, though it's evolved quite a bit with time
> (SSH updates in particular).
> 
> Thanks.
> 
>  - Mills
> 
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale



More information about the Ale mailing list