GUIDE: How to help prevent SSH attacks

Hi all,

I thought I would share this guide with everyone. I created it to help people in securing their SSH connection. I will hopefully be adding a second part on other security methods soon.

How to help prevent SSH attacks

Enjoy!

Rick
 
4
•••
Just to add to what you have there (which was good :) ) you should really move SSH off the main IP as well
 
1
•••
Great little TuT there Ricky, good advice and nice step by step.

Nice Add by ethix as well.

Both rep'd.

Cyberian
 
0
•••
Thanks guys - and yes; it's always a good idea to move SSH off the main IP, and if possible instead of (or as well as) passwords, use IP detection (i.e. only let your IP log in).

I plan on doing a second part which will focus more on server security as a whole rather than just SSH.

Rick
 
0
•••
Your way is good, but I also do it this way. To effectively secure your ssh even further, you need to do:

vi /etc/ssh/sshd_config

1) change the #Protocol 2,1 to Protocol 2 (remember to remove the remark since it's a comment)
2) change the PermitRootLogin yes to PermitRootLogin no
3) change the PermitEmptyPasswords no to PermitEmptyPasswords no
4) change Banner /some/path to Banner /etc/issue
 
0
•••
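An added example, not part of the thread or the linked guide: a small Python check that audits an sshd_config for the four settings listed in the post above. The function names and sample config are constructed for illustration; the parser relies on sshd using the first value it sees for a keyword and, as a simplification, stops at the first Match block.

```python
import re

# Keyword -> value recommended in the post (sshd keywords are case-insensitive,
# their arguments are case-sensitive).
EXPECTED = {
    "protocol": "2",
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "banner": "/etc/issue",
}

def parse_global(text):
    """Return {keyword: value} for the global section of an sshd_config.

    The first value seen for a keyword wins; '#' lines are comments, so
    '#Protocol 2,1' sets nothing. Stops at the first Match block."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        seen.setdefault(key, value)  # keep the first occurrence only
    return seen

def audit(text):
    """Return (keyword, found, expected) for every setting that differs."""
    seen = parse_global(text)
    findings = []
    for key, want in EXPECTED.items():
        got = seen.get(key)  # None: line absent or still commented out
        if got != want:
            findings.append((key, got, want))
    return findings

# Constructed sample input, not taken from any real server.
SAMPLE = """\
#Protocol 2,1
PermitRootLogin yes
PermitRootLogin no
PermitEmptyPasswords no
Banner /etc/issue
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The sample shows two common editing slips: the Protocol line was left commented out, and a second PermitRootLogin line was appended below the original instead of replacing it, so the earlier `yes` still applies.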
Hmm, nice tutorial, but no mention of firewalling the SSH port (iptables) or even using the hosts.deny and hosts.allow files to deny/allow access to individual IPs.

Perhaps extend it to cover those too?
 
0
•••
I plan on adding a second part which will cover firewalls :tu: as well as other methods of securing your server.

Rick
 
0
•••
Hello,

I have done most of these things but I am curious to know if it is working. I took a new server and installed BFD and changed the SSH port (plus other things) but I don't know if it is working. On all my other servers I get about 3-5 emails each a day from BFD saying it is working. But I have gotten no emails from the new one that has SSH on a different port. Can I check to see if it is working just by using the wrong password to log in on the new port? I don't know if I am not getting email because something is not set up right with it or if moving it to a different port has that much of an effect.
 
0
•••
gemcotechnologies said:
Hello,

I have done most of these things but I am curious to know if it is working. I took a new server and installed BFD and changed the SSH port (plus other things) but I don't know if it is working. On all my other servers I get about 3-5 emails each a day from BFD saying it is working. But I have gotten no emails from the new one that has SSH on a different port. Can I check to see if it is working just by using the wrong password to log in on the new port? I don't know if I am not getting email because something is not set up right with it or if moving it to a different port has that much of an effect.

You aren't getting any warnings to let you know BFD is working, BECAUSE you've changed the SSH port.

Most automated scanners out there looking to crack SSH are going to check on the default port (22), and obviously won't check the others as it's a waste of time. Because you changed port, these scanners aren't hitting your SSH and as a result you're not getting the warnings.

Yes, you can try logging in manually with an incorrect password and this should flag up a warning.
 
0
•••
Yep,

As Echelon17 stated, once you've moved the port you are likely to get very few if any access attempts on the new port, as it's all done through use of automated bots that spend hours trying to crack the password.
 
0
•••
Rep added.
Bookmarked the link in del.icio.us

Why don't you submit it in digg?
 
0
•••
Never really thought about that :p

Will do it now though...thanks for the suggestion :tu:
 
0
•••
Nice step-by-step tutorial.

Thanks for sharing.

Rpd!
 
0
•••
Repped, however on Debian Sarge it was /etc/init.d/ssh restart :hehe:
Great job!
 
0
•••
If you're really paranoid about your SSH, then move to key-based authentication on top of moving SSH to another port AND IP.
 
0
•••
It's not a case of being paranoid....it's a case of common sense ;)

Key-based authentication isn't something that most people require....it's a good way to secure it....but not a must have.
 
0
•••
If you ever find yourself in the situation of being attacked by a certain person, you can always trace back the IPs and subnets.

Then using IPTABLES, block it. I have found that most effective.
 
0
•••
Just a note, the article has moved to HERE...I've updated the link above too...the old link will still redirect to the new one for the time being.
 
0
•••