Obsolete Releases > SME Server 7.x

Logwatch - sshd Authentication Failures


bloodshoteye:
stuntshell

--- Quote ---Right, my suggestion is only not to receive these authentication failures (see topic), since these zombies attack the port 22.
--- End quote ---
One has to enter the redefined port address each time with this approach - not too much of a hassle.

I once used this snippet (obtained here http://wiki.clug.org.za/wiki/Defending_Against_Brute_Force_SSH_Attacks) to good effect on a Kubuntu gateway - I wonder if it can be incorporated into SME via a custom template?

--- Quote ---# packets of already-established connections are accepted first, so only new connections reach the rules below
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
# source seen on port 22 within the last 60 seconds: drop it, and refresh its timestamp so a persistent source stays blocked
iptables -A INPUT -p tcp --dport ssh -m recent --update --seconds 60 -j DROP
# otherwise record the source in the recent list and let the new connection (SYN only) through
iptables -A INPUT -p tcp --dport ssh --tcp-flags syn,ack,rst syn -m recent --set -j ACCEPT

--- Quote ---Pros:

    * If you do this properly, it won't affect you.

Cons:

    * They can still get in one attempt.
          o In my experience this isn't true, because they normally port-scan you first. The port-scan will get them blocked before they have a single login attempt.
    * When they get cleverer, they might add longer delays (unlikely).
    * You are limited to one connection a minute too.
          o This can be mitigated by adding a knock-style random high port number that when syn'ed removes your IP from the temporary black-hole.
          o Or putting in a rule that bypasses any IPs coming from your ISP (or country).
    * This does not work without a patch. ipt_recent doesn't handle jiffy overflow correctly, so it will block all incoming requests for the first five minutes after boot and after jiffy overflows. See https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=415 for more information and a patch.
--- End quote ---

--- End quote ---


Minor edit: Just had to come back with a smile as this is my 100th post  :)
 

Franco:
...and so am I  :-P 800th

bloodshoteye:
Just had to pass 100...

I've enabled Public/Private keys on various machines and tested that thoroughly.
Then disabled "Allow secure shell access using standard passwords", held my breath and tried an ssh connection, which worked - of course  :grin:

Would anyone like to respond to my post re custom-template for iptables (above)?

Franco:
I wouldn't use it; you'll see yourself getting locked out of your system if it's not done correctly.
I personally don't change the settings for the SSH access, only on the inside network; if I need outside access I use VPN or the ajaxterm contrib http://wiki.contribs.org/Ajaxterm

pfloor:

--- Quote from: ardugh on April 04, 2008, 05:25:08 PM ---Just had to pass 100...

I've enabled Public/Private keys on various machines and tested that thoroughly.
Then disabled "Allow secure shell access using standard passwords", held my breath and tried an ssh connection, which worked - of course  :grin:

--- End quote ---
That will make your server more secure, but you will still want to change the port (if you haven't already) or the auth failures in the logs will persist regardless of your authentication method.
