[CentOS] Securing SSH

Tue Mar 25 17:24:14 UTC 2008
Ray Van Dolson <rayvd at bludgeon.org>

>> 1. Change the default port
> I could do that, but if they already know about it, a simple port scan and 
> they'll probably find it again.  Plus I gotta go tell all my client 
> programs the new port and I don't know how to do that on most of them (what 
> a hassle).

If you're talking about people who are just scanning your machine and
then doing brute force on the port, changing the port likely will solve
that since these are just automated robots.  A human might actually do
a port scan, but just a port change will probably stop your security
logs from going crazy.

Of course the hassle part may be a show-stopper here. :)

>> 2. use only SSH protocol 2
> got it.
>> 3. Install some brute force protection which can automatically ban an IP 
>> on say 5 / 10 failed login attempts
> The only software I know that could do this isn't supported anymore 
> (trisentry) or is too confusing and I don't know it yet (snort).  
> Suggestions?

denyhosts is pretty widely used.  You could probably also make use of
iptables.

>> 4. ONLY allow SSH access from your IP, if it's static. Or sign up for a 
>> DynDNS account, and then only allow SSH access from your DynDNS domain
>>
> Yeah my home account is on dynamic IP.  I'd love to set up the firewall to 
> only allow my home computer.  You're talking about these guys?  
> http://www.dyndns.com/  never used them before, but it looks like a good 
> idea.  Especially since it's free (for 5 hosts) if I read correctly.

Ray
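
Added example, not part of the original message and not denyhosts' own code: the "ban an IP after 5 failed logins" idea from item 3, run over constructed sshd log lines in the /var/log/secure format. The function names, the allowlist parameter and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample log lines; the last one carries a crafted username that
# tries to make a naive parser blame 198.51.100.23 instead of the real source.
SAMPLE_LOG = """\
Mar 25 17:01:02 host sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar 25 17:01:04 host sshd[2103]: Failed password for root from 203.0.113.7 port 40123 ssh2
Mar 25 17:01:06 host sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 40124 ssh2
Mar 25 17:01:08 host sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 40125 ssh2
Mar 25 17:01:10 host sshd[2109]: Failed password for root from 203.0.113.7 port 40126 ssh2
Mar 25 17:05:31 host sshd[2150]: Failed password for ray from 198.51.100.23 port 51000 ssh2
Mar 25 17:05:40 host sshd[2152]: Accepted password for ray from 198.51.100.23 port 51001 ssh2
Mar 25 17:09:12 host sshd[2170]: Failed password for invalid user a from 198.51.100.23 port 1 ssh2 from 192.0.2.50 port 5555 ssh2
"""

# Anchored at end of line with a greedy user field, so only the final
# "from <ip> port <n>" (written by sshd, not by the client) is trusted.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh2)?$"
)

def failed_attempts(log_text):
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def hosts_to_ban(log_text, threshold=5, allowlist=()):
    """Addresses at or over the threshold, never including allowlisted ones."""
    counts = failed_attempts(log_text)
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in allowlist)

def hosts_deny_lines(ips):
    """Render bans as tcp_wrappers /etc/hosts.deny entries for sshd."""
    return ["sshd: %s" % ip for ip in ips]

if __name__ == "__main__":
    for entry in hosts_deny_lines(hosts_to_ban(SAMPLE_LOG)):
        print(entry)
```

Putting your own static address in the allowlist keeps a run of mistyped passwords from locking you out of the server.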