Oddball SSH port
Bill Campbell
linux-sxs at celestial.com
Sat Nov 17 14:18:10 PST 2007
On Sun, Nov 18, 2007, James McDonald wrote:
>>
>>
>>But if you have any other measures to protect ssh I would certainly
>>like to hear.
>
>I have used firewall rules to say only accept ssh connections from a
>list of hosts e.g. (home to work, work to home, mums to home, brothers
>to home etc). However if you have many hosts and you want to
>interconnect from all of them that becomes unmanageable.
>
>IPTables has the connect rate limiting stuff which is great. You say I
>want no more than X connects from a host on port 22 or it will be
>automagically banned for Y minutes. The dictionary cracks only get X
>attempts and then get locked out. Even with fumble fingers a kosher (or
>halal) user will log in correctly in 2-3 attempts and never gets locked out.
The fail2ban program deals with this as well as things like attempts to
crack through apache by parsing the appropriate logs, and creating iptables
rules banning troublesome connections on the fly. One could do similar
things with swatch, writing your own rules as well.
Our primary ssh defenses are (a) only permit authorized_keys
authentication, and (b) use a hacked version of libwrap that supports
DNSRBLs with our own whitelist and blacklist. Attempts to connect that are
rejected send e-mail messages to our security alias for review and possible
additions to our DNSRBL blacklist.
In the very few occasions where we have to permit password authentication
to ssh, sftp, etc., we put very tight restrictions in our /etc/hosts.allow
file to allow connections from a very limited set of IP addresses.
Recently we have been using openvpn to connect from roaming machines, each
with their own set of SSL certificates. This makes it easy to connect to
the internal 192.168.x.x private networks, even from behind NAT firewalls.
This can eliminate the need for public ssh connections entirely as they can
be made via the openvpn connection (we use ssh internally, largely because
it makes running X11 clients much easier than having to deal with DISPLAY
and xhosts).
Bill
--
INTERNET: bill at celestial.com Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676
Whenever you find yourself on the side of the majority it is time to
pause and reflect. -- Mark Twain
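As an added illustration of the log-driven banning that James and Bill describe above (X failed attempts from one host within a window gets it dropped by iptables for Y minutes, the way fail2ban or a swatch rule would do it), here is a small Python watcher. It is example code written for this page, not fail2ban's code and not anything from Bill's or the list's setup. The sshd log lines, the host name "gw", the IP addresses, the year 2007 used to complete syslog timestamps, and the thresholds (5 tries in 600 seconds, 30 minute ban) are all constructed assumptions; the iptables commands are returned as strings rather than executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy knobs (assumed values): X failures within WINDOW seconds
# gets the source address banned for Y minutes.
MAX_TRIES = 5
WINDOW_SECONDS = 600
BAN_MINUTES = 30
SSH_PORT = 22
LOG_YEAR = 2007   # syslog stamps carry no year; assumed for the sample

# Constructed sshd lines in syslog format (not real traffic). Lines are
# assumed to be in chronological order, as they are in a live log.
SAMPLE_LOG = """\
Nov 17 14:01:02 gw sshd[2201]: Failed password for invalid user admin from 10.0.0.5 port 51022 ssh2
Nov 17 14:01:05 gw sshd[2203]: Failed password for invalid user oracle from 10.0.0.5 port 51030 ssh2
Nov 17 14:01:09 gw sshd[2205]: Failed password for root from 10.0.0.5 port 51041 ssh2
Nov 17 14:01:12 gw sshd[2207]: Failed password for root from 10.0.0.5 port 51050 ssh2
Nov 17 14:01:15 gw sshd[2209]: Failed password for root from 10.0.0.5 port 51063 ssh2
Nov 17 14:01:18 gw sshd[2210]: Failed password for root from 10.0.0.5 port 51070 ssh2
Nov 17 14:03:44 gw sshd[2211]: Failed password for bill from 192.168.1.20 port 40100 ssh2
Nov 17 14:03:51 gw sshd[2211]: Accepted publickey for bill from 192.168.1.20 port 40100 ssh2
Nov 17 14:40:00 gw sshd[2301]: Failed password for root from 10.0.0.5 port 51200 ssh2
"""

# Only "Failed password" is counted. sshd also logs "Invalid user ... from"
# for the same attempt, so matching both would count one failure twice.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .*? from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_ts(stamp, year=LOG_YEAR):
    """Turn a syslog 'Mon DD HH:MM:SS' stamp into a datetime (year assumed)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def ban_cmd(ip):
    return f"iptables -I INPUT -s {ip} -p tcp --dport {SSH_PORT} -j DROP"


def unban_cmd(ip):
    return f"iptables -D INPUT -s {ip} -p tcp --dport {SSH_PORT} -j DROP"


class SshJail:
    """Sliding-window failure counter with timed bans, fail2ban style."""

    def __init__(self, max_tries=MAX_TRIES, window=WINDOW_SECONDS,
                 ban_minutes=BAN_MINUTES):
        self.max_tries = max_tries
        self.window = timedelta(seconds=window)
        self.ban_for = timedelta(minutes=ban_minutes)
        self.failures = defaultdict(deque)   # ip -> times of recent failures
        self.banned = {}                     # ip -> time the ban lapses

    def expire(self, now):
        """Lift bans whose time is up; returns the unban commands."""
        cmds = []
        for ip, until in list(self.banned.items()):
            if now >= until:
                del self.banned[ip]
                cmds.append(unban_cmd(ip))
        return cmds

    def feed(self, line):
        """Process one log line; returns the iptables commands to run now."""
        m = FAIL_RE.match(line)
        if not m:
            return []
        now = parse_ts(m.group("ts"))
        cmds = self.expire(now)   # a real daemon would also expire on a timer
        ip = m.group("ip")
        if ip in self.banned:
            return cmds           # already being dropped at the firewall
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > self.window:   # forget failures outside window
            recent.popleft()
        if len(recent) >= self.max_tries:
            self.banned[ip] = now + self.ban_for
            recent.clear()
            cmds.append(ban_cmd(ip))
        return cmds


def watch(log_text, jail=None):
    """Feed every line to the jail; returns all commands in order."""
    jail = jail or SshJail()
    cmds = []
    for line in log_text.splitlines():
        cmds.extend(jail.feed(line))
    return cmds


if __name__ == "__main__":
    for cmd in watch(SAMPLE_LOG):
        print(cmd)
```

On the sample, 10.0.0.5 is banned at its fifth failure (14:01:15), its sixth attempt produces nothing because the ban is already in place, and the ban is lifted when the next event arrives after 14:31:15; the one fumbled password from 192.168.1.20 never comes near the threshold. The window is a sliding one, so five failures spread over twenty-five minutes do not trigger a ban either. The kernel-side counterpart James refers to is the iptables `recent` match (`-m recent --set` on new connections to port 22, then `-m recent --update --seconds N --hitcount X -j DROP`); note that it counts connection attempts, not failed logins, so it cannot tell a fumbling user from a dictionary attack the way a log parser can.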