We have a public server and we did the following for SSH:
* Only Protocol v2 * Only key authentication, no password and large keys (just for the fun). * Disable root login. * Monitoring, we usually blacklists IPs trying to log in with many unsuccessful attempts, using some custom scripts and iptables, but there is many programs available for this now.
Additionally you could also add:
* Throttling, you could throttle the amount of connections to the port, there is already many tutorials on this on the internet.
I find setting a non standard port useless, all you need is to keep your ssh server updated (including libraries) and follow common security criteria and you should sleep soundly every night.
On Tue, Mar 25, 2008 at 5:33 PM, Robert Spangler mlists@zoominternet.net wrote:
On Tuesday 25 March 2008 12:55, Rudi Ahlers wrote:
Tim Alberts wrote:
So I setup ssh on a server so I could do some work from home and I think the second I opened it every sorry monkey from around the world has been trying every account name imaginable to get into the system.
What's a good way to deal with this?
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
- Change the default port
Is an option but a waste of time as a scanner will find the port it was moved to.
- use only SSH protocol 2
Agree
- Install some brute force protection which can automatically ban an IP
on say 5 / 10 failed login attempts
Fail2ban comes to mind.
- ONLY allow SSH access from your IP, if it's static. Or signup for a
DynDNS account, and then only allow SSH access from your DynDNS domain
I would suggest using keys for logins. No password needed and if the connecting machine doesn't have the key they don't get a chance to guess at the password.
The idea of only allowing for strict ip address is good but what if you are on the move? Now you cannot log in either, but if you are using a key no matter where you are you have access.
--
Regards Robert
Smile... it increases your face value! Linux User #296285 http://counter.li.org
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos