In one of my last posts, I mentioned I was going to write a post on securing SSH. As it turns out, I really like most of this advice, so rather than recreate it, I'm just going to comment and expand on it. Go read that article, then the rest of this will make sense.
Non-standard ports?
Item #5 in that list, about running on non-standard ports, I'm not that fond of. As we saw in an earlier blog post, it is trivial to port scan and find out where stuff is running, so changing the port doesn't do much to thwart an attack from someone analyzing your servers. It *would* thwart an attack from a script kiddie, but we are going to be secure enough to block those kinds of attacks anyway. On the other hand, changing the port means we have a small configuration nuisance to remember whenever we are dealing with our system, configuring other services, etc., so I see exchanging minimal-if-any gain for the equivalent of a rock in my shoe as a losing proposition. I see this more as security-through-obscurity than as part of defense-in-depth, so I don't do it.
Filter SSH at the firewall?
Depending on your environment that might be good advice, but I don't do it. Have you ever been on the road and had to fix something on one of your servers? Can you imagine stopping at a Starbucks, hopping on their wifi, only to realize you can't ssh into your box? I don't have to imagine it; I have been there. As mobile as I am, I just cannot anticipate the IP addresses I'll need to connect from. But that's ok, because there is a better way.
Pull Up the Drawbridge
What if your server were smart enough to detect when it is under attack and do something defensive to stop or slow it? This is a technique I'll talk more about in future articles, but I'm going to introduce it now with a tool called 'denyhosts'.
With denyhosts, you can easily set up your server to:
- notice when a particular IP address has failed several login attempts
- reconfigure your server to block traffic from that IP address
- email you to let you know something is happening
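To make those three bullets concrete, here is an added example (my own, not denyhosts' code) that does in miniature what denyhosts does: count failed-password attempts per source IP in sshd log lines, skip addresses on a whitelist (denyhosts keeps one in its allowed-hosts file), and produce the /etc/hosts.deny entries that would block the rest. The log lines, hostnames and IPs are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (not from the post); IPs are from documentation ranges.
SAMPLE_LOG = """\
Aug 13 11:50:01 machine sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Aug 13 11:50:04 machine sshd[2203]: Failed password for invalid user oracle from 192.0.2.10 port 40130 ssh2
Aug 13 11:50:07 machine sshd[2205]: Failed password for root from 192.0.2.10 port 40141 ssh2
Aug 13 11:51:12 machine sshd[2210]: Accepted publickey for dave from 198.51.100.7 port 51000 ssh2
Aug 13 11:52:30 machine sshd[2215]: Failed password for dave from 198.51.100.7 port 51002 ssh2
Aug 13 11:52:33 machine sshd[2215]: Failed password for dave from 198.51.100.7 port 51002 ssh2
Aug 13 11:52:36 machine sshd[2215]: Failed password for dave from 198.51.100.7 port 51002 ssh2
"""

# Matches the "Failed password" line sshd writes for both valid and invalid users.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def count_failures(log_text):
    """Return a Counter of failed-password attempts per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def hosts_to_deny(log_text, threshold=3, allowed_hosts=()):
    """IPs with at least `threshold` failures that are not whitelisted, sorted."""
    allowed = set(allowed_hosts)
    return sorted(ip for ip, n in count_failures(log_text).items()
                  if n >= threshold and ip not in allowed)


def hosts_deny_lines(ips):
    """Format entries in /etc/hosts.deny (TCP wrappers) syntax for sshd."""
    return ["sshd: %s" % ip for ip in ips]


if __name__ == "__main__":
    # Whitelisting your own address (198.51.100.7 here) keeps a typo from locking you out.
    blocked = hosts_to_deny(SAMPLE_LOG, threshold=3, allowed_hosts=["198.51.100.7"])
    print("\n".join(hosts_deny_lines(blocked)))
```

Run against a real /var/log/secure (CentOS) or /var/log/auth.log (Debian) the same functions report which addresses would be denied; denyhosts does this continuously and emails the result.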
And here is a real, live email I got from one of my servers this morning (I changed my machine name, but the attacker IP address and name are real):

Date: Fri, 13 Aug 2010 11:55:01 GMT
From: denyhosts
To: root@machine.example.com
Subject: DenyHosts Report from machine.example.com

Added the following hosts to /etc/hosts.deny:
217.173.26.248 (dsl-26-248.n-chelny.ru)
Thank you, denyhosts! One more intruder stopped before I even knew there was a problem. This is not a rarity either: of the 9 servers that I currently administer for my company and other clients, attacks are blocked multiple times a day, every day.
On my typical CentOS configuration, I can easily install denyhosts with:
sudo yum install denyhosts
and start it with:
sudo /sbin/service denyhosts start
Use chkconfig to make sure it's also set to start again on a reboot. On your Linux flavor you'll have to adjust that to your package manager and service manager of choice.
The config file (located at /etc/denyhosts.conf or /etc/denyhosts/denyhosts.conf, depending on your packaging) is well documented and self-explanatory. Take a look and set it up to email you when it takes any defensive action.
In some very small and private environments, like a home network, putting ssh on a different port may also buy you some convenience when inspecting the logs. You won't be distracted by so many skr1p7 k1dd13z (and other types of worms) trying to get in. It became a lot easier for me to see what-all was going on in my security logs, after I did that.
In an environment where lots of different legit stuff owned by lots of different people (legit-ly, not 0wned) needs to ssh in, you're absolutely right tho.
Posted by: Dave Aronson | August 13, 2010 at 01:56 PM
thanks for the denyhosts tip! Installed it and blocked someone less than an hour later. Are scans really that common?
Posted by: Mike S | August 14, 2010 at 07:54 PM
Also don't forget to whitelist your own IP in the 'allowed-hosts' file. It's in /var/lib/denyhosts/ on Debian (probably Ubuntu too).
Posted by: Chris E | August 16, 2010 at 08:00 AM
@Mike: Very common! Our servers blacklist 100 IPs/day _each_.
Posted by: Chris E | August 16, 2010 at 08:02 AM
Good advice on the allowed_hosts file Chris, just to prevent a boneheaded mistake. And yeah Mike, I get dozens of blocks a day on each of my servers. If you want to see a shocker, check out the tool 'logwatch'. I'll be blogging about that soon, but in short, it'll email you a daily report analyzing your logs. Without denyhosts, you'll see thousands of login attempts a day to very common user names.
Posted by: David Bock | August 17, 2010 at 10:44 PM