[CentOS] Ideas for stopping ssh brute force attacks

Tue Jul 22 12:40:34 UTC 2008
Michael Semcheski <mhsemcheski at gmail.com>

On Tue, Jul 22, 2008 at 12:12 AM, Guy Boisvert
<boisvert.guy at videotron.ca> wrote:
> Michael Gabriel wrote:
>>
>> just wanted to get some feedback from the community. Over the last few
>> days I have noticed my web server and email box have had attempts to ssh to
>> them using weird names like admin, appuser, nobody, etc. None of these are
>> valid users. I know that I can block sshd altogether with iptables but
>> that will not work for us. I did a little research on google and found
>> programs like sshguard and sshdfilter. Just wanted to know if anyone had
>> any experience with anything like these programs or has any other advice.
>> I really appreciate it.
>>
>
> I don't know if anybody on this list tried SPA (Single Packet
> Authorization):
>
> http://www.linuxjournal.com/article/9565
>
>
> As another person mentioned earlier, the idea of using VPN is very good.
>
> I use pfSense and the VPN server inside gives the connecting user an address
> on a virtual subnet.  Each user is given a distinct fixed IP address.  Then
> it's easy to set up firewall rules based on what you allow the user to do.  I
> do 10 Mbps symmetric with a "recycled" 1U Dell PowerEdge 350 (PIII/800, 512
> Megs RAM).  We do QoS (we have 1 WME Streaming Server, 1 Darwin Streaming On
> Demand Server, FTP, DNS, SMTP, etc).  The CPU usage is very low.  I love
> pfSense a lot.  The only thing I struggled with a little was when I tried to
> authenticate the user with Active Directory (M$ IAS = RADIUS).  It works but
> I have yet to find a way to assign a fixed address to each user.  I can do
> this if I use pfSense's integrated user manager (for VPN).
>
> In another place, I use a CentOS box as a remote gateway using SSH.  I
> changed the SSH port, use DenyHosts, force SSH v2 and forbid password login
> (SSH key login mandatory).  I even got a VBS script for our Winblows users
> that uses plink (member of the PuTTY family) to connect, authenticate with
> keys and launch RDP Terminal to connect to the Winblows Terminal Server (all
> this automated).  The only prompt the user has is for entering his remote
> login name (the user must know it or the connection will be refused).
>
> I did an installer (with Nullsoft's NSIS) so allowed Winblows users can
> easily install all this: the installer creates icons, protects SSH keys (NTFS
> encryption), etc.  The installer is protected by a password.

How do you get the keys to the server the first time after they're
generated?  It's kind of a chicken-and-egg problem without
password authentication -- that's why I still have passwords turned on
(but require __very__ strong passwords).
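As an added example, not part of this thread or of any tool named in it, here is a small POSIX shell audit of an sshd_config for the settings the quoted post describes: protocol 2 only, password login forbidden, key login allowed. The OpenSSH defaults it falls back on and the sample config it writes are assumptions; the ChallengeResponseAuthentication check is included because with PAM that path can still prompt for a password even when PasswordAuthentication is off.

```shell
#!/bin/sh
# Audit an sshd_config for the hardening described in the thread:
# protocol 2 only, password login forbidden, key login allowed.
# Returns 0 when all checks pass, 1 otherwise, printing each failure.

# Effective value of a directive. sshd honours the first uncommented
# occurrence of a keyword (matched case-insensitively), so take that one
# and fall back to the supplied default when it is absent.
sshd_get() {  # $1 = config file, $2 = keyword, $3 = default
    val=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    [ -n "$val" ] && printf '%s\n' "$val" || printf '%s\n' "$3"
}

check_sshd_config() {  # $1 = path to sshd_config
    cfg=$1; rc=0
    # Defaults assumed here follow OpenSSH of the CentOS 5 era (assumption).
    proto=$(sshd_get "$cfg" Protocol "2,1")
    [ "$proto" = 2 ] || { echo "FAIL: Protocol is '$proto' (want 2)"; rc=1; }
    pw=$(sshd_get "$cfg" PasswordAuthentication yes)
    [ "$pw" = no ] || { echo "FAIL: PasswordAuthentication is '$pw' (want no)"; rc=1; }
    # With PAM, keyboard-interactive can still prompt for a password unless
    # this is also off; otherwise "forbid password login" is not effective.
    cr=$(sshd_get "$cfg" ChallengeResponseAuthentication yes)
    [ "$cr" = no ] || { echo "FAIL: ChallengeResponseAuthentication is '$cr' (want no)"; rc=1; }
    pk=$(sshd_get "$cfg" PubkeyAuthentication yes)
    [ "$pk" = yes ] || { echo "FAIL: PubkeyAuthentication is '$pk' (want yes)"; rc=1; }
    echo "INFO: Port $(sshd_get "$cfg" Port 22)"
    return $rc
}

# Constructed sample config (not a real server's file) to show the checks.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Protocol 2          <- commented out, so the default still applies
Port 2222
PasswordAuthentication no
PubkeyAuthentication yes
EOF
check_sshd_config "$sample" || echo "sample config is NOT hardened"
rm -f "$sample"
```

Run it against the real file with `check_sshd_config /etc/ssh/sshd_config` after the sample section; a non-zero exit means at least one of the thread's settings is not in effect.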