I found this set of iptables rules in an article somewhere (sorry, I don't remember where)
that sure takes the wind out of the brute force types.

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds
60 --hitcount 6 --rttl --name SSH -j DROP

I put ssh on port 23 to avoid log spam. I am lazy like that. 

I use ssh keypairs with passphrase (which is actually 3DES encryption of the private key..) so
if I 'misplace' the key then I am not much worse off then if I just used plain passwords. Then
I disable the use of ssh passwords.


On my desktop (er laptop) I use as my base of operations. I realy don't use any other
computer. So it's the only one that I keep my ssh keys on. On my laptop I have zero network
services (well, other then avahi).. so it's secure. Don't even have sshd running.

For file transfer I just use sshfs.. no samba or nfs for my stuff.

So for my personal stuff brute-force is impossible and the chances of obtaining a key is slim
to none for a attacker.  Not also to mention that most of this stuff is firewalled from the
internet via a pc-based router.

for multi-user environment though, especially corporate-land stuff, then passwords are still a
way of life. Oh well.

An attacker that gets access to the private key corresponding to a public key in an
authorized_keys file on your system will have access to it *if and only if that key is
unpassphrased or they determine the passphrase*.

i.e. at worst passphrased keys are as insecure as passwords, and they're much more secure if
the remote host is not compromised itself.

(Unpassphrased keys should only be used inside a trust boundary, and even there with care:
it's best to use an SSH agent instead, and passphrase everything, but that might be tricky if
some of the keys are used by daemons, who can't reasonably ask a human to provide a passphrase
to the agent: if they provide the passphrase themselves, that passphrase becomes as tappable
as the private key, so passphrasing becomes pointless.

It would be nice if SSH had a way to refuse entry to unpassphrased keys, or if I had a way to
determine that the private key corresponding to some public key were unpassphrased, so I could
audit authorized_keys files for unpassphrased keys and remove them. Of course the ability to
do that would itself be an information leak with security consequences...)

A simple way I use is to put the following line inside sshd_config:

MaxAuthTries 1

So that an attacker can only try 2 wrong passwords.

It's sometime annoying when I myself type the wrong password 2 times and get the connection
dropped, but most times I type the password correctly, so that's not a problem at all.

One thing I rarely find mentioned in these docs, but that I personally think is handy, is the
AllowUsers field in sshd_config.  If you set it up to allow only your own account then you
don't need to worry about weaker passwords on other accounts (my kids both have accounts on my
Linux system and they can't be bothered to remember complex passwords).

I'd love to use a different port but I can't: my company has a very strict firewall that
allows only ports 22 and 80 _outgoing_ (I know, right?), so if I change my port I won't be
able to get in from work.  Same issue with port knocking and similar solutions.

The port nocking method is not security through obscurity. All authentication mechanisms are
based on some private information: a public key, a password, ... You can think of the port
nocking sequence as part of this private information.

An alternative solution to this problem is simply not having an SSH daemon available on your
public IP address.

I only permit ssh access from either my internal network or from a VPN link. (OpenVPN, since
IPsec is too horrible for words to configure). Since I only need ssh access from a limited
number of computers (two: my computer at work or my laptop), having them setup to establish a
VPN connection and run ssh through it is not a problem.

Apart from keeping SSH off the public IP, the VPN connection also allows me to access other
ressources - e.g. I can nfs mount my home directory from a remote location through the VPN
link, which does come in handy at times.

Ever looked at your log watch and seen messages that there were X number of probes on your
webserver?

I'm assuming the vast majority of these "probes" come from script kiddies running things like
nikto.  Are there any tools out there like denyhosts but for httpd's logs... to block IPs that
appear to be probing the webserver?  If so, I'd really like to get that deployed.

I've heard that fail2ban can be used with httpd but I believe it is only for finding failed
.htaccess login attempts and I'd rather detect nikto scans and block those.

Anyone?

I was getting so many brute force attempts on ssh that the server was not able to do anything
else but check passwords - thus a DOS. I started using denyhosts on all internet facing
servers and have not had that problem since. I find I really like the simplicity of denyhosts.

Something that I haven't seen mentioned in these discussions is pam_shield. It hooks into PAM,
actively knows and registers when a failed attempt to logon has happened and takes action when
something is beyond a certain treshold.

The default action it takes is to null-route the source ip address for a certain amount of
time. (configurable)

You can provide a list of networks that it should never null-route (to protect your own
systems from being blocked this way).

To me this system is perfect since:

 - it does not have to scan a log files every X time

 - it does not mess around with the firewall (or it could if you so like)

 - it works on more than just SSH (FTP or else anything in PAM)

 - it is pretty simple and straightforward to use

 - it is very customizable as the action to take can be a simple script

You can get pam_shield from:

    http://www.ka.sara.nl/home/walter/pam_shield/

How odd that this should come up this week; someone's been reading my mail.

I just found the Samhain site last week, while on a business trip, and installed their last
(hosts.allow/sshblock.sh) setup on several Linux boxen I'm responsible for.

Works quite nicely.

The article fail to cover the standard pam module pam_tally. It locks for 
some time an account being attacked and is very simple to configure. In my 
debian server I put 

in /etc/pam.d/common-account:
account required pam_tally.so

in /etc/pam.d/common-auth:
auth required pam_tally.so deny=5 unlock_time=300


That will lock an account being attacked for 300 seconds if password 
failed 5 times. It is effective for all services using pam authentication, 
like imap and authenticated smtp. Just warn users that they will have to 
expect 5 minutes if they fail to log in for 5 times.

Also, with any brute force attack counter measures, in a multi user system 
one must be sure that passwors are strong (if some user chooses as the 
password its own username, chances are that the account will be cracked in 
a single try). One cannot rely on advising people to be responsible. 
Therefore, password cracking tools like john the ripper are very useful. 
That should be covered in the article too.