[SGVLUG] ssh protection - advice desired

Claude Felizardo cafelizardo at gmail.com
Wed Oct 19 00:36:41 PDT 2011


If you are running ssh just for yourself or at least a small set of
networking savvy users, you could also try port knocking.

I use a combination of things on my server at home:

1) non standard ports
2) fixed ports that only work from known locations like from my desktop at work
3) port knocking on another set of ports so I can connect from
unexpected locations like a friend's place


On Tue, Oct 18, 2011 at 9:22 PM, Sean O'Donnell <sean at seanodonnell.com> wrote:
> Running a public facing ssh server on port 22 is like hosting a honeypot for rogue brute force bots.
>
> If you can run on a non-standard port, you will see much less, if any, failed brute force attempts.
>
> Sent from my iPhone w/ love.
>
> On Oct 18, 2011, at 7:12 PM, "Robert Leyva" <mrflash818 at geophile.net> wrote:
>
>> Following the presentation on ssh tricks, I setup an sshd server instance
>> on my debian workstation, using public key auth, and was able to be
>> successful.
>>
>> I made sure to disable root login, and any password login attempts by
>> modifying sshd_config.
>>
>> In the hour I was testing the new wonder, I was also tail-ing my auth log.
>>
>> To my chagrin, in the two times I tested, I had many attempts to access my
>> ssh:
>>
>> Oct 18 01:59:55 pip sshd[26361]: Invalid user oracle from 197.112.2.4
>> Oct 18 02:00:02 pip sshd[26367]: Invalid user test from 197.112.2.4
>> Oct 18 02:08:34 pip sshd[26596]: Invalid user test from 197.112.2.4
>> Oct 18 02:08:42 pip sshd[26599]: Invalid user test from 197.112.2.4
>> Oct 18 03:12:02 pip sshd[27000]: Invalid user oracle from 111.87.108.120
>> Oct 18 03:12:09 pip sshd[27003]: Invalid user test from 111.87.108.120
>> ...
>> Oct 18 10:48:01 pip sshd[27953]: Invalid user peter from 184.105.177.21
>> Oct 18 10:48:07 pip sshd[27956]: Invalid user peter from 184.105.177.21
>> Oct 18 10:48:13 pip sshd[27958]: Invalid user sergei from 184.105.177.21
>> Oct 18 10:48:19 pip sshd[27960]: User root from 184.105.177.21 not allowed
>> because not listed in AllowUsers
>>
>> So, I am hoping I could get advice or suggestions on what further
>> protections I could add (if any).
>> - I don't think static firewall rules would help, as I am hoping to ssh
>> into my box from anywhere
>> - I am guessing there is a way to have automation block or slowdown
>> attempts if they begin to seem suspicious.
>>
>>
>> Me
>> --
>> "Knowledge is Power" -- Sir Francis Bacon
>>
>> Robert Leyva
>> mrflash818 at geophile.net
>>
>>
>
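As an added example that is not part of this thread: a small Python detector in the spirit of the automation Robert asks about, run over auth.log lines in the format he quoted (the sample below is constructed from those lines plus one successful login; the log year, the failure threshold and the time window are assumptions). It flags any source address that reaches the threshold inside a sliding window, which is the decision a log-watching blocker makes before it adds a firewall rule.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the auth.log format quoted in the thread; the last
# line is a made-up successful login that the detector must ignore.
SAMPLE_LOG = """\
Oct 18 01:59:55 pip sshd[26361]: Invalid user oracle from 197.112.2.4
Oct 18 02:00:02 pip sshd[26367]: Invalid user test from 197.112.2.4
Oct 18 02:08:34 pip sshd[26596]: Invalid user test from 197.112.2.4
Oct 18 03:12:02 pip sshd[27000]: Invalid user oracle from 111.87.108.120
Oct 18 03:12:09 pip sshd[27003]: Invalid user test from 111.87.108.120
Oct 18 10:48:01 pip sshd[27953]: Invalid user peter from 184.105.177.21
Oct 18 10:48:07 pip sshd[27956]: Invalid user peter from 184.105.177.21
Oct 18 10:48:13 pip sshd[27958]: Invalid user sergei from 184.105.177.21
Oct 18 10:48:19 pip sshd[27960]: User root from 184.105.177.21 not allowed because not listed in AllowUsers
Oct 18 10:49:00 pip sshd[27970]: Accepted publickey for robert from 10.0.0.5 port 51234 ssh2
"""

# Matches the two rejection messages seen in the thread: unknown user, and
# a user denied by AllowUsers. Successful logins do not match.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+ from (?P<ip1>[\d.]+)"
    r"|User \S+ from (?P<ip2>[\d.]+) not allowed)")

def parse_failures(log_text, year=2011):
    """Return [(timestamp, source_ip)] for every rejected login line."""
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated noise are skipped
        # syslog timestamps carry no year; the caller supplies one (assumed 2011)
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m.group("ip1") or m.group("ip2")))
    return events

def offenders(events, max_failures=3, window_seconds=600):
    """Flag each source IP whose max_failures-th rejection lands within
    window_seconds of an earlier one; returns {ip: total_failures}."""
    by_ip = defaultdict(list)
    for ts, ip in sorted(events):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        for i in range(len(times) - max_failures + 1):
            span = (times[i + max_failures - 1] - times[i]).total_seconds()
            if span <= window_seconds:
                flagged[ip] = len(times)
                break
    return flagged
```

With the defaults, 111.87.108.120 stays unflagged because it only produced two rejections; tightening the window to 300 seconds also drops 197.112.2.4, whose three attempts were spread over about nine minutes.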

