[CentOS] SSH attacks from china
John
jknappers-argentia at hotmail.com
Fri Jul 24 10:31:14 UTC 2009
On Thursday, 23.07.2009, 19:45 +0100, Miguel Medalha wrote:
> I moved the ssh port from the standard 22 to a high port. The attempts
> to break into my servers disappeared. The logs are clean now. I would
> advise you to do the same. Choose a high (> 1024) unused port and
> configure the clients accordingly.
>
*cough*
A port > 1024 for SSH? Actually that means that if your sshd dies every
normal user can start to listen on that port with whatever they want.
Of course, there is still the host key. However, AFAICT most normal
users just ignore host key changes...
Regards,
Andreas
Hi,
Using a non-default port is not the solution, because history has taught us
that security by obscurity never worked.....
As for using a high port, I agree with Andreas.
We came to the conclusion that for us there are 2 ways to keep SSH access
"relatively" safe:
1: Use iptables or another firewall in front of the server, to only allow a
selected group of "trusted" IPs to access the server through SSH.
2: Enforce public/private key authentication, so that only the users with
a valid key can access the server.
And:
3: Deny remote root access, limit who can do su - root
For some people, maybe port knocking is an option. But I don't know how easy /
difficult that is to circumvent.
If you use SSH only for server management, and do that only from a limited
number of public IP addresses, option 1 is the easiest way to go. But if
you are an ISP, allowing SSH or SFTP access to the host, then option 1 is
impossible to use, and option 2 is probably too difficult for your
clients......
My conclusion at the time I made the assessment was:
If possible, limit server management to a limited set of public IP
addresses; for sensitive systems enforce public/private key authentication.
If the above is not possible, enforce public/private key authentication.
Do not allow remote root access.
regards,
John
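The three measures John lists, as an added example that is not part of the original thread: a function that prints the iptables allow-list for port 22, and a checker that audits an sshd_config for key-only logins and no remote root. The trusted networks (documentation ranges) and the two sample config files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for John's three measures on a CentOS host: (1) iptables
# allow-list for port 22, (2) key-only authentication, (3) no remote root.
# TRUSTED_NETS holds constructed documentation ranges; set it for a real host.
TRUSTED_NETS="${TRUSTED_NETS:-203.0.113.0/24 198.51.100.7}"

# (1) Print the rules: accept SSH from each trusted source, drop all other SSH.
# Printed rather than applied so they can be reviewed before being fed to sh.
ssh_allowlist_rules() {
    for net in $TRUSTED_NETS; do
        printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$net"
    done
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

# First effective value of a keyword in sshd_config ($1 = file, $2 = keyword).
# sshd uses the first uncommented occurrence; keywords are case-insensitive.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }' "$1"
}

# (2)+(3) Verify that an sshd_config enforces key-only logins and denies
# remote root. Unset keywords count as failures: the defaults of that era
# allowed password and root logins, and an explicit value is easier to audit.
check_sshd_config() {
    cfg="$1"; rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no PubkeyAuthentication=yes; do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(sshd_setting "$cfg" "$key")"
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key ${got:-(not set)} (want $want)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample configs for trying the checker ($1 = path, $2 = weak|hardened).
write_sample_config() {
    if [ "$2" = hardened ]; then
        printf '%s\n' 'Protocol 2' 'PermitRootLogin no' \
            'PasswordAuthentication no' 'PubkeyAuthentication yes' > "$1"
    else
        printf '%s\n' '#PermitRootLogin yes' 'PasswordAuthentication yes' > "$1"
    fi
}
```

Run `check_sshd_config /etc/ssh/sshd_config` on the real file after editing it, and `ssh_allowlist_rules | sh` only once a console login is available in case the allow-list locks you out.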