Tim Alberts wrote:
So I setup ssh on a server so I could do some work from home and I think the second I opened it every sorry monkey from around the world has been trying every account name imaginable to get into the system.
What's a good way to deal with this?
- keep your ssh up to date.
- only enable protocol version 2.
- disable root login.
- create a group and only allow login to members of this group.
- the authorized users should have a strong password, if password authentication is enabled.
- better not use logins that are the same as email addresses as these can be easily harvested and tried.
- use public key authentication.
- depending on your situation, you can disable password authentication. however, make sure you don't lock yourself out. also, if your users need to connect from anywhere, they can't use a key (except if they have a usb key or the like).
- if possible, only allow access from a specific set of IPs/networks.
- "rate limit". you can use the iptables recent module to catch multiple attempts.
- "punish". you can parse your logs and add offenders to a blacklist (to be used in iptables). denyhosts, fail2ban, ... can be used here. make sure not to lock yourself out, so always have a rule to allow access from some trusted IP before the rule that blocks access.
- you can restrict access to IPv6, IPSec or any VPN if you can always use these. but if you have a VPN, you may or may not need ssh.
- if you have multiple machines, consider allowing free access to only a few of these, and then use them as gateways. not very practical though.
- change the port. while this doesn't make your system more secure, your logs will become silent. This may not be practical (need to specify the port in scripts... etc). you can use two ports (using two Port statements in sshd_config) and have different configurations (only allow port 22 from specific networks, for example).
- a log parser could run geoiplookup and add IPs to an iptables blacklist if they are in a "far away" country.
- you can add a "pre-authorization" mechanism: the user must do something before trying to ssh. In these web days, a web form is both easy to set up and use (compare this to "port knocking", SPA, ...). One problem here is that you don't want to give the web user the ability to change your iptables configuration without extreme care.
- configure a banner so that your users get used to seeing it. if they connect and don't see your banner, they should alert you.

Note. if your users connect with passwords from "unsafe" places, keyloggers and the like can steal their login/password or their key file and passphrase.
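As an added illustration of the "punish" approach described in the reply above (not code from the original thread or from denyhosts/fail2ban): a minimal parser that counts failed sshd logins per source IP over constructed auth.log lines, skips a trusted IP, and emits the iptables rules in the order the reply insists on, the trusted ACCEPT before any DROP. The log lines, IP addresses, threshold and rule format are all assumptions made here.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog format sshd writes to /var/log/auth.log.
SAMPLE_LOG = """\
Mar  3 10:01:02 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:05 gw sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 51031 ssh2
Mar  3 10:01:09 gw sshd[2105]: Failed password for root from 203.0.113.7 port 51044 ssh2
Mar  3 10:02:11 gw sshd[2110]: Accepted publickey for tim from 198.51.100.4 port 40112 ssh2
Mar  3 10:03:40 gw sshd[2120]: Failed password for tim from 198.51.100.4 port 40120 ssh2
Mar  3 10:07:15 gw sshd[2130]: Invalid user test from 203.0.113.7
Mar  3 10:07:16 gw sshd[2130]: Failed password for invalid user test from 203.0.113.7 port 51099 ssh2
"""

# Only "Failed password" lines are counted; the separate "Invalid user" line that
# sshd logs for the same attempt is deliberately not matched, so nothing is counted twice.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port"
)

def count_failures(log_text):
    """Return a Counter of failed-login attempts per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def find_offenders(log_text, threshold=3, trusted=frozenset()):
    """IPs with at least `threshold` failures; trusted IPs are never blacklisted."""
    return {ip: n for ip, n in count_failures(log_text).items()
            if n >= threshold and ip not in trusted}

def iptables_rules(offenders, trusted, port=22):
    """Rules in the order they must be applied: trusted ACCEPTs before any DROP."""
    rules = [f"iptables -A INPUT -p tcp --dport {port} -s {ip} -j ACCEPT" for ip in sorted(trusted)]
    rules += [f"iptables -A INPUT -p tcp --dport {port} -s {ip} -j DROP" for ip in sorted(offenders)]
    return rules

if __name__ == "__main__":
    trusted = frozenset({"198.51.100.4"})  # the "always allow" IP; an assumption
    offenders = find_offenders(SAMPLE_LOG, threshold=3, trusted=trusted)
    for rule in iptables_rules(offenders, trusted):
        print(rule)  # printed, not executed: review before applying
```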