Insecure By Default
By Emmett on Wednesday, August 22 2007, 19:47 - Permalink
I never really paid much attention to the administration of SSH on my boxes. I figured Debian probably set it up to be essentially secure by default.
While the protocol itself is perfectly secure, there's a big problem. I was poking around my system logs after reading an article about someone else's box being compromised, and discovered multiple IP addresses trying to guess root passwords. Now, we have root login disabled on our boxes. But the fact that someone could just sit there guessing disturbed me greatly. What if someone actually wanted to break into our boxes? It's not like our usernames are highly obfuscated.
Turns out there's an easy solution:
$ sudo apt-get install denyhosts
DenyHosts temporarily blocks any host that makes a sufficient number of failed login attempts. Why this behavior is not the default, I am very unclear on. Just whitelist your own IP to make sure you don't lock yourself out:
$ nano WORK_DIR/allowed-hosts
(WORK_DIR is set in denyhosts.conf; look it up there)
When I installed denyhosts it instantly locked out 4 people who were *currently* trying to crack our network. If you haven't considered installing it yourself, perhaps you should.
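To see what DenyHosts is reacting to, here is an added example (not code from the post or from the DenyHosts project) that scans OpenSSH "Failed password" lines from an auth.log, counts failures per source IP, and reports the hosts that would be blocked at a given threshold, skipping anything in a whitelist the way allowed-hosts does. The log lines, the threshold of 5, the hostname and the RFC 5737 addresses are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# OpenSSH logs a failed password attempt as, e.g.:
#   Aug 22 19:47:01 box sshd[4242]: Failed password for root from 203.0.113.5 port 40200 ssh2
#   Aug 22 19:47:01 box sshd[4242]: Failed password for invalid user admin from 203.0.113.5 port 40300 ssh2
# The "invalid user" prefix appears when the account does not exist at all.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def count_failures(log_lines):
    """Number of failed password attempts, keyed by source IP."""
    failures = Counter()
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")] += 1
    return failures

def usernames_tried(log_lines):
    """Set of usernames each source IP tried; shows whether real accounts are being targeted."""
    tried = defaultdict(set)
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m:
            tried[m.group("ip")].add(m.group("user"))
    return dict(tried)

def hosts_to_block(log_lines, threshold=5, allowed_hosts=()):
    """IPs with at least `threshold` failures, minus whitelisted ones (like DenyHosts' allowed-hosts)."""
    failures = count_failures(log_lines)
    return sorted(ip for ip, n in failures.items()
                  if n >= threshold and ip not in set(allowed_hosts))

# Constructed sample log lines (hostname, PIDs and addresses are made up for this example).
def _line(ip, user, port, invalid=False):
    who = f"invalid user {user}" if invalid else user
    return f"Aug 22 19:47:01 box sshd[4242]: Failed password for {who} from {ip} port {port} ssh2"

SAMPLE_LOG = (
    [_line("203.0.113.5", "root", 40200 + i) for i in range(4)]              # 4 root guesses
    + [_line("203.0.113.5", "admin", 40300 + i, invalid=True) for i in range(2)]  # 2 on a nonexistent user
    + [_line("198.51.100.7", "emmett", 50100 + i) for i in range(2)]          # below threshold
    + [_line("192.0.2.10", "emmett", 50200 + i) for i in range(5)]            # our own IP, whitelisted
    + ["Aug 22 19:48:00 box sshd[4300]: Accepted publickey for emmett from 192.0.2.10 port 50210 ssh2"]
)

if __name__ == "__main__":
    print(count_failures(SAMPLE_LOG))
    print(usernames_tried(SAMPLE_LOG))
    print(hosts_to_block(SAMPLE_LOG, threshold=5, allowed_hosts={"192.0.2.10"}))
```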
Comments
A more efficient way is by means of iptables and the ipt_recent module (see: http://kevin.vanzonneveld.net/techb... or http://www.ducea.com/2006/06/28/usi...).
In my experience, another layer you can add is to change the sshd to a non-default port. That way you'll screen all the automated bruteforcing attacks. But remember, if you do so, now you'll connect with: ssh myserver -p mynewport
Can't you just change the SSH config to disallow "root" user logins altogether?
Is this method inherently insecure, or, less secure than 'denyhosts'?
I have disallowed root logins. They also attempt to brute force a wide variety of other usernames, some of which actually exist. And these are just random attacks - what if someone actually decided they wanted to break into your server? They'd actually target whatever username you actually use.
Nice abarrera - I didn't know about the iptables approach, that's another good option.
I'm not super concerned about the automated attacks - none of the accounts they are using actually have passworded login enabled.