In one of my last posts, I mentioned I was going to write a post on securing SSH. As it turns out, I really like most of this advice, so rather than recreate it, I'm just going to comment and expand on it. Go read that article, then the rest of this will make sense.
Item #5 in that list, about running on non-standard ports, I'm not that fond of. As we saw in an earlier blog post, it is trivial to port scan and find out where stuff is running, so changing the port doesn't do much to thwart an attack from someone analyzing your servers. It *would* thwart an attack from a script kiddie, but we are going to be secure enough to block those kinds of attacks. On the other hand, changing the port means we have a small configuration nuisance to have to remember whenever we are dealing with our system, configuring other services, etc... so I see exchanging minimal-if-any gain for the equivalent of a rock in my shoe a losing proposition. I see this more as security-through-obscurity than part of defense-in-depth, do I don't do it.
Filter SSH at the firewall?
Depending on your environment that might be good advice, but I don't do it. Have you ever been on the road and had to fix something on one of your servers? Can you imagine stopping at a Starbucks, hopping on their wifi, only to realize you can't ssh into your box? I don't have to imagine it; I have been there. As mobile as I am, I just cannot anticipate the IP addresses I'll need to connect from. But thats ok, because there is a better way.
Pull Up the Drawbridge
What if your server were smart enough to detect when it is under attack and do something defensive to stop or slow it? This is a technique I'll talk more about in future articles, but I'm going to introduce now with a tool called 'denyhosts'.
With denyhosts, you can easily set up your server to:
- notice when a particular ip address has failed several login attempts
- reconfigure your server to block traffic from that IP address
- email you to let you know something is happening
And here is a real, live email I got from one of my servers this morning (I changed my machine name, but the attacker IP address and name is real):
Date: Fri, 13 Aug 2010 11:55:01 GMT From: denyhosts
To: email@example.com Subject: DenyHosts Report from machine.example.com Added the following hosts to /etc/hosts.deny: 18.104.22.168 (dsl-26-248.n-chelny.ru)
Thank you, denyhosts! One more intruder stopped before I even knew there was a problem. This is not a rarity either - Of 9 servers that I currently administer for my company and other clients, attacks are blocked multiple times a day, every day.
On my typical CentOS configuration, I can easily install denyhosts with:
sudo yum install denyhosts
and start it with:
sudo /sbin/service denyhosts start
Use chkconfig to make sure its also set to restart on a reboot. On your linux flavor you'll have to adjust that to your package manager of choice.
The config file (located at /etc/denyhosts.conf or /etc/denyhosts/denyhosts.conf, depending on your packaging) is well documented and self-explanatory... take a look and set it up to email you when it takes any defensive action.