[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SSH attacks

Subject: Re: SSH attacks
From: Ken Garland <email@hidden>
Date: Tue, 29 Nov 2005 15:42:53 -0500
Delivered-to: email@hidden
Delivered-to: email@hidden
User-agent: Mozilla Thunderbird 1.0.7 (Macintosh/20050923)

how is configuring sshd to accept from certain ips over software firewall preferable? idealistically they are both software solutions save that iptables/ipfw/etc offer more options to deny/allow attackers. Yes, I suppose the argument for halting users at the service is a good one since the firewall filters will be allowing access to the service eventually, nothing like have a double set of protective rules in place. if going that route might as well use both.

purchasing a hardware firewall solution is the way to go ultimately and they are relatively cheap (if you want the minimum).

running snort will do nothing for you, except tell you that you have been attacked after the fact. snort-inline will stop attackers, but you will need to run that on a dedicated machine other than your ssh box. we run snort-inline and have several snort detection servers setup throughout our network. this is in conjunction with many other hardware applications.

root login is turned off by default, it would be a shame if someone intentionally turned this on. of course, admin is another story. however, using this account is not as damaging so use your discretion when logging in.

Thanks for pointing out the launchd change Jason, it completely slipped my mind when posting earlier.

- Ken

Dan Shoop wrote:

At 1:48 PM +0100 11/29/05, Bruno Schaeffer wrote:
Hi,
I am running a Mac OS X Tiger Server and I am increasingly observing attacks trying to log in via SSH and guessing user ids and passwords. The server is only accessible via SSH from the Internet and only two user ids whose passwords are well chosen can log in via SSH. Nevertheless, I would like to limit those attacks since they also consume quite some resources, esp. bandwidth. What are you practicing or suggesting? I am using the firewall which is included with Mac OS X.
Turn your computer off and place it in a vault is the best security.
Given that this is generally deemed inacceptable, you deal.
People ring doorbells and call wrong numbers all the time? What on earth are we to do? Panic? The might be calling us when we expect an important call, heck that's DoS!

Use a firewall, a real one, and protect your network. ipfw is not a firewall, it's a packet filter. There's a significant difference. Drop traffic you don't want, don't deny it.

Configure sshd to only permit certain accounts and IP addresses to use ssh inbound. This is highly preferable to doing this in ipfw. Conside running ssh on a different port, though this is a bit silly if you're already denying this using other methods.

Prohibit logins to root and other sensitive accounts like your admin account from all sources other than localhost. Connect using an unprivileged account and then su or ssh root@localhost once logged into such an account instead.
Run snort.
Realize that these feeble attempts are rather primitive.

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/macos-x-server/email@hidden

This email sent to email@hidden

Follow-Ups:
- Re: SSH attacks
  - From: Dan Shoop <email@hidden>
- Re: SSH attacks
  - From: Michael J Wise <email@hidden>

References:
	>SSH attacks (From: Bruno Schaeffer <email@hidden>)
	>Re: SSH attacks (From: Dan Shoop <email@hidden>)

Prev by Date: Re: Admin user corrupt
Next by Date: Re: nagios and Xserve raid
Previous by thread: Re: SSH attacks
Next by thread: Re: SSH attacks
Index(es):
- Date
- Thread

Home