[CentOS] Securing SSH

Wed Mar 26 10:54:23 UTC 2008
Jacques B. <jjrboucher at gmail.com>

>  >> 3. Install some brute force protection which can automatically ban an IP
>  >> on say 5 / 10 failed login attempts
>  > The only software I know that could do this isn't supported anymore
>  > (trisentry) or is too confusing and I don't know it yet (snort).
>  > Suggestions?
>
>  denyhosts is pretty widely used.  You could probably also make use of
>  iptables.

I used it a while back and it worked well except the time I locked my
own IP out somehow (or perhaps some bot infected PC from my ISP that
had that IP previously took care of that for me, not sure as I didn't
dig deeper).

One thing I did was set up hosts.deny for ranges of IPs that I knew I
would never come from (i.e. overseas), obtaining them from IANA.  A
bit tedious, but you may deem that option to be worth your while.
Alternatively if you only ever come from a given range of IPs (your
ISP), then you could deny all in hosts.deny and then in hosts.allow
only allow your ISP's range of IPs.  But if ever on the road you'll
not be able to connect unless you happen to have your home system set
up for SSH which would then allow you to SSH to the office from it.
The idea being that a person coming from an IP outside of your ISP
wanting access to your office PC would have to know that it only
allows connection from certain IPs and then seek out a machine on that
IP - your home PC - which could be compromised to in turn launch an
attack against the office PC from it.  The inconvenience to you of
having to first go through your home PC to get to the office PC would
only apply when away from your ISP connection.  Of course if you are
on the road a lot then this may not be an attractive option.

Jacques B.
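
Added example, not part of the original post: a dry run of the "deny all in hosts.deny, allow only your ISP's range in hosts.allow" setup described above, to check which of your own source addresses would be refused before the files go live. The rule files, the address ranges (documentation addresses) and all function names are constructed for illustration; it covers only a subset of the hosts_access pattern syntax (ALL, trailing-dot prefixes, net/mask pairs, literal IPv4 addresses).

```python
import ipaddress

# Constructed sample files; the ranges are documentation addresses standing in
# for "your ISP's range". IPv4 only, no hostnames, no EXCEPT operator.
HOSTS_ALLOW = """\
# assumed ISP ranges
sshd: 203.0.113.
sshd: 198.51.100.0/255.255.255.128
"""
HOSTS_DENY = "sshd: ALL\n"

def parse_rules(text):
    """Return [(daemon_list, client_list)] from hosts.allow/hosts.deny text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # "203.0.113." style address prefix
        return ip.startswith(pattern)
    if "/" in pattern:                   # net/mask pair
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip                 # single literal address

def first_match(rules, daemon, ip):
    return any(("ALL" in d or daemon in d) and any(client_matches(p, ip) for p in c)
               for d, c in rules)

def decide(allow_text, deny_text, ip, daemon="sshd"):
    """hosts.allow is consulted first, then hosts.deny; no match means allow."""
    if first_match(parse_rules(allow_text), daemon, ip):
        return "allow"
    if first_match(parse_rules(deny_text), daemon, ip):
        return "deny"
    return "allow"

def locked_out(allow_text, deny_text, must_reach):
    """Addresses you expect to connect from that the rules would refuse."""
    return [ip for ip in must_reach if decide(allow_text, deny_text, ip) != "allow"]
```

Calling `locked_out(HOSTS_ALLOW, HOSTS_DENY, [...])` with every address you expect to connect from (office, home, the host you would hop through when travelling) returns the ones the rules would refuse; an empty list means none of them is cut off.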