ssh hardening

sander815

I want to secure my SSH a little more, besides the standard things: norootlogin, use another port, bfd, allow only my IPs to use SSH.

Now I would like to add something like: allow only 2 logins to SSH per minute or so, and use an RSA key. Does anyone have a howto for this?
 
sander815 said:
I want to secure my SSH a little more, besides the standard things: norootlogin, use another port, bfd, allow only my IPs to use SSH.

Now I would like to add something like: allow only 2 logins to SSH per minute or so, and use an RSA key. Does anyone have a howto for this?

If you only allow single IPs to use SSH, why would you limit the amount of logins per time?
 
Well, it's more that I want to know how to do that, so I can choose from both methods.
 
MaxStartups 5:50:20 in sshd_config.

That example allows 5 attempts; after that it will drop 50% of connection attempts, slowly rising to 100% when 20 attempts are made.

This may also be useful.

MaxAuthTries
Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. The default is 6.
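As an added example (not code from the thread or from OpenSSH), the following Python reproduces the integer arithmetic sshd uses when it evaluates MaxStartups start:rate:full, so the 5:50:20 values above can be checked for any number of pending connections. One caveat worth keeping in mind when reading the numbers: per the sshd_config manual, "startups" is the count of connections that are currently open and still unauthenticated, so this directive throttles concurrency, not attempts per minute. The expected_drops helper and the two scenarios in the main block are assumptions made here to illustrate that difference.

```python
"""How sshd applies MaxStartups start:rate:full (added example, not from the thread).

The arithmetic follows the integer math in OpenSSH sshd's drop_connection():
'startups' is the number of connections already open and still unauthenticated
when a new one arrives. It is a concurrency limit, not a per-minute attempt
limit: a client that tries one password, disconnects and reconnects never has
more than one connection pending, so nothing is refused.
"""
import random


def parse_max_startups(value: str) -> tuple[int, int, int]:
    """Parse 'start:rate:full'; a bare number means refuse everything past it."""
    parts = value.split(":")
    if len(parts) == 1:
        start = int(parts[0])
        return start, 100, start
    if len(parts) != 3:
        raise ValueError(f"bad MaxStartups value: {value!r}")
    start, rate, full = (int(p) for p in parts)
    if not 0 < start <= full or not 0 <= rate <= 100:
        raise ValueError(f"bad MaxStartups value: {value!r}")
    return start, rate, full


def drop_probability(startups: int, start: int, rate: int, full: int) -> int:
    """Percent chance sshd refuses a new connection with `startups` already pending."""
    if startups < start:
        return 0
    if startups >= full or rate == 100:
        return 100
    # linear ramp from `rate` at `start` up to 100 at `full`, with integer division as sshd does
    p = 100 - rate
    p *= startups - start
    p //= full - start
    return p + rate


def should_drop(startups: int, start: int, rate: int, full: int, rng=random) -> bool:
    """Random early drop: sshd compares a uniform draw in [0, 100) with the percentage."""
    return rng.randrange(100) < drop_probability(startups, start, rate, full)


def expected_drops(pending_counts, start: int, rate: int, full: int) -> float:
    """Expected number of refused connections, given the pending count each arrival sees."""
    return sum(drop_probability(n, start, rate, full) for n in pending_counts) / 100


if __name__ == "__main__":
    start, rate, full = parse_max_startups("5:50:20")
    # sequential brute force: every arrival sees 0 pending connections (hypothetical scenario)
    print("sequential, 100 attempts:", expected_drops([0] * 100, start, rate, full))
    # parallel burst: the k-th arrival sees k-1 pending (hypothetical, ignoring refused ones)
    print("parallel burst of 20:", expected_drops(range(20), start, rate, full))
```

Running it shows the sequential case refusing nothing at all, which is why a log like the one later in this thread (one attempt every few seconds) keeps filling up with 5:50:20 in place; MaxStartups only bites when many unauthenticated connections are open at the same moment.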
 
I now have this in my sshd_config:
Code:
MaxStartups 5:50:20
MaxAuthTries 6

but still I get daily, sometimes hourly, these mails:
Code:
The remote system 218.14.146.50 was found to have exceeded acceptable login failures on server01.x.nl; there was 1731 events to the service sshd. As such the attacking host has been banned from further accessing this system. For the integrity of your host you should investigate this event as soon as possible.

Executed ban command:
/etc/apf/apf -d 218.14.146.50 {bfd.sshd}

The following are event logs from 218.14.146.50 on service sshd (all time stamps are GMT +0200):

Oct  4 10:22:53 server01 sshd[18939]: Failed password for root from 218.14.146.50 port 52293 ssh2
Oct  4 10:22:57 server01 sshd[18941]: Invalid user fluffy from 218.14.146.50
Oct  4 10:22:57 server01 sshd[18941]: Failed password for invalid user fluffy from 218.14.146.50 port 52483 ssh2
Oct  4 10:23:02 server01 sshd[18944]: Failed password for admin from 218.14.146.50 port 52598 ssh2
Oct  4 10:23:10 server01 sshd[18949]: Invalid user test from 218.14.146.50
Oct  4 10:23:10 server01 sshd[18949]: Failed password for invalid user test from 218.14.146.50 port 52677 ssh2
Oct  4 10:23:14 server01 sshd[18951]: Invalid user guest from 218.14.146.50
Oct  4 10:23:14 server01 sshd[18951]: Failed password for invalid user guest from 218.14.146.50 port 52860 ssh2

Is that because they use other ports than 22?
 
Unless you either change port or add more changes to combat the issue you will still get bruteforce log entries; all you did was just apply rate limiting, making it harder for them to succeed. To kill it off without changing port the best way is to change to passwordless authentication or apply an auto-banning mechanism that greps the log files.
 