[CentOS] Ideas for stopping ssh brute force attacks

Wed Jul 23 00:07:12 UTC 2008
Les Bell <lesbell at lesbell.com.au>

Ned Slider <ned at unixmail.co.uk> wrote:

>>
I don't think anyone is suggesting running SSH on a non-standard port as
a sole means of defence
<<

I should hope not, but the point does bear making.

>>
We should also remember that public/private key authentication is only
secure as the host the private key is stored on when keys without
passphrases are employed (all too common where users don't want to trade
using a password for a passphrase).
<<

Another good point. This is why I strongly recommend the use of ssh-agent
(or Pageant for those with a Windows desktop) as a mechanism for minimising
the inconvenience of constant prompting for a strong key passphrase. Of
course, this has to be coupled with awareness of the need to lock the
workstation or unload the keys when leaving the desk.

The other piece of the puzzle is agent forwarding, so that I only need to
keep a private key on my workstation, even when logging in to a gateway
machine and then to a server beyond it. The private key file is always
under my local physical control - in fact, the truly paranoid can keep
their private keys on a USB device or a smartcard.

Using this approach, I can sit at my university office desk, provide a
passphrase once when loading a key into the ssh agent, and then connect
through firewalls to machines in my home office, with no further prompting
or inconvenience and very low probability of the private key being
compromised.

Best,

--- Les Bell, RHCE, CISSP
[http://www.lesbell.com.au]
Tel: +61 2 9451 1144
FreeWorldDialup: 800909
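The workflow described in the message above (one passphrase into ssh-agent, then hopping through a gateway with agent forwarding), written out as an added example that is not part of the original post or Les Bell's own configuration. The host names, key path and the `forward_agent_for` helper are assumptions; the helper reads a constructed `ssh_config` with ssh's first-match-wins rule to confirm that `ForwardAgent` is enabled only toward the gateway, since a forwarded agent can be used by anyone with root on that gateway for as long as the session lasts. `ProxyJump` (OpenSSH 7.3 and later) is shown as the alternative that reaches the inner server without exposing the agent on the gateway at all.

```shell
#!/bin/sh
# Added example, not from the original thread. All host names, paths and the
# helper function are hypothetical.

# Constructed ~/.ssh/config. ssh applies the FIRST matching Host block for each
# option, so the specific hosts come before the catch-all "Host *" default.
SSH_CONFIG_EXAMPLE='Host gateway.example.org
    ForwardAgent yes
    IdentityFile ~/.ssh/id_ed25519

Host home-server
    HostName 192.0.2.10
    ProxyJump gateway.example.org
    ForwardAgent no

Host *
    ForwardAgent no
    AddKeysToAgent yes
    IdentitiesOnly yes
'

# forward_agent_for HOST CONFIG
# Prints "yes" or "no": the value of ForwardAgent from the first Host block
# matching HOST that sets it, or the OpenSSH default "no" if none does.
forward_agent_for() {
    host=$1
    printf '%s\n' "$2" | awk -v want="$host" '
        /^[[:space:]]*Host[[:space:]]/ {
            matching = 0
            for (i = 2; i <= NF; i++) if ($i == "*" || $i == want) matching = 1
            next
        }
        matching && tolower($1) == "forwardagent" && !found {
            print tolower($2); found = 1
        }
        END { if (!found) print "no" }
    '
}

# Interactive session as the message describes (defined here, not run by the
# checks): load one passphrase-protected key for a bounded lifetime, reach the
# inner server, and clear the agent before leaving the desk.
agent_session() {
    eval "$(ssh-agent -s)" >/dev/null
    ssh-add -t 8h ~/.ssh/id_ed25519   # passphrase prompted once; key expires
    ssh home-server                   # tunnelled through the gateway via ProxyJump
    ssh-add -D                        # unload all keys when walking away
}

# Report the effective forwarding scope for the hosts in the constructed config.
for h in gateway.example.org home-server other.example.net; do
    printf '%-22s ForwardAgent=%s\n' "$h" "$(forward_agent_for "$h" "$SSH_CONFIG_EXAMPLE")"
done
```

With `ProxyJump` the connection to `home-server` is authenticated by the local agent directly, so the gateway never sees an agent socket; `ForwardAgent yes` is then only needed for sessions where commands run on the gateway itself must use the key, and `ssh-add -t` bounds how long a forgotten agent stays useful.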