Tuesday, December 22, 2009

'outside' SSH access: prevent password guessing

iMark writes:
This post is about security, a very touchy subject when it comes to computer networks.
The highest level of computer security you can achieve is to unplug the machine from the network. If you want to actually use your computer, though, balancing functionality against risk is the way to go.

The Risk
In my case, I want outside SSH access to my server with minimal risk. What is that risk? Password guessing by script kiddies. Many young hax0rs run a few scripts every night that randomly try thousands of different passwords on machines that are accessible over SSH.

The moment your machine is reachable on port 22, these scripts find you and your logs fill up with lines like these:

Dec 22 04:25:54 asterix sshd[19886]: reverse mapping checking getaddrinfo for 59.163.108.38.static-chennai.vsnl.net.in [59.163.108.38] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 22 04:25:54 asterix sshd[19886]: Failed password for root from 59.163.108.38 port 52523 ssh2
Dec 22 04:31:18 asterix sshd[19892]: Failed password for root from 120.105.81.155 port 55401 ssh2
Dec 22 04:31:58 asterix sshd[19918]: Invalid user oracle from 120.105.81.155
Dec 22 04:31:58 asterix sshd[19918]: Failed password for invalid user oracle from 120.105.81.155 port 58104 ssh2

If you have a strong root password, you are probably reasonably secure, however in time someone might get in. That is your risk, right there.

The Solution
So how do you stop it? Since you are running Linux, very easily: enter the following two iptables commands as root:

# iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
# iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 120 --hitcount 4 --rttl --name SSH -j DROP

(You might need to change the 'eth0' part into your external interface, likely eth1 or ppp0 or similar.)
What does this do? Whenever someone connects to your machine more than 3 times in two minutes, they are blocked for two minutes. This will effectively stop all password guessing scripts; they usually cannot handle this and crash or hang.
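To see the counting logic of those two rules in action, here is an added Python replay (not part of the original post) that parses sshd "Failed password" lines like the ones quoted above and reports which connection attempts the --set / --update --seconds 120 --hitcount 4 pair would have dropped. The sample log lines are constructed for the example (timestamps compressed into a burst), and the --rttl TTL check is not modelled.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the sshd syslog format quoted in the post; captures timestamp and source IP.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: one guesser hammering in a burst, one source trying slowly.
SAMPLE_LOG = [
    "Dec 22 04:25:54 asterix sshd[19886]: Failed password for root from 59.163.108.38 port 52523 ssh2",
    "Dec 22 04:25:57 asterix sshd[19887]: Failed password for root from 59.163.108.38 port 52530 ssh2",
    "Dec 22 04:26:01 asterix sshd[19888]: Invalid user oracle from 59.163.108.38",
    "Dec 22 04:26:01 asterix sshd[19888]: Failed password for invalid user oracle from 59.163.108.38 port 52541 ssh2",
    "Dec 22 04:26:05 asterix sshd[19889]: Failed password for root from 59.163.108.38 port 52550 ssh2",
    "Dec 22 04:31:18 asterix sshd[19892]: Failed password for root from 120.105.81.155 port 55401 ssh2",
    "Dec 22 04:31:58 asterix sshd[19918]: Failed password for root from 120.105.81.155 port 58104 ssh2",
]

def parse_line(line):
    """Return (datetime, ip) for a failed-password line, else None. syslog lines
    carry no year, so strptime defaults to 1900; only time differences matter."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("ip")

def simulate_recent(lines, seconds=120, hitcount=4):
    """Replay the two rules on each attempt: rule 1 ('--set') records a hit for
    every NEW connection from the source, then rule 2 ('--update --seconds S
    --hitcount N') drops it when the source has >= N hits inside the last S
    seconds. Because rule 1 runs before rule 2, a dropped attempt still counts,
    so a guesser that keeps retrying stays blocked. Returns [(ip, ts, verdict)]."""
    hits = defaultdict(deque)  # ip -> timestamps of recent NEW connections
    verdicts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        window = hits[ip]
        window.append(ts)  # rule 1: --set
        while ts - window[0] > timedelta(seconds=seconds):
            window.popleft()  # hits older than the window no longer count
        verdict = "DROP" if len(window) >= hitcount else "ACCEPT"  # rule 2
        verdicts.append((ip, ts, verdict))
    return verdicts

if __name__ == "__main__":
    for ip, ts, verdict in simulate_recent(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S} {ip:<16} {verdict}")
```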


Minimize your risks!

7 comments:

joepadmiraal said...

Great post.
More ssh security tips are explained here:
http://www.linux.com/archive/articles/61061

Anonymous said...

I modified it like this to allow unrestricted internal access:

iptables -A INPUT -i eth0 ! -s 192.168.0.0/24 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH

iptables -A INPUT -i eth0 ! -s 192.168.0.0/24 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 120 --hitcount 4 --rttl --name SSH -j DROP

DG

Anonymous said...

What about just changing the port it's listening on from the default of 22 to something >1024?

online pharmacy reviews said...

This is gonna help me to protect my computer from hackers and another kind of persons who have tried to get some information I have into it.
