Re: a GOOD idea to harden OpenSSH!



--- On Wed, 3/30/11, nagygabor88 <nagygabor88@xxxxxxxx> wrote:

From: nagygabor88 <nagygabor88@xxxxxxxx>
Subject: a GOOD idea to harden OpenSSH!
To: "OpenSSH list" <secureshell@xxxxxxxxxxxxxxxxx>
Date: Wednesday, March 30, 2011, 12:19 PM


if a user wants to connect to an ssh server then he has to
wait a couple of seconds, then he can write his passphrase.
the "couple of seconds" is defined in the sshd config,
e.g.: 2 seconds
the method mustn't show that the user has to wait 2 seconds
to write his passphrase.


This can already be similarly done using iptables, with entries such as:
# Separate chain for new SSH connections
$IPTABLES -N SSH_CHECK
# Send every NEW TCP connection to port 22 through that chain
$IPTABLES -I INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
# Record the source address in the "SSH" recent list
$IPTABLES -A SSH_CHECK -m recent --set --name SSH
# Same source seen 5 times within 180 s (same TTL): log it ...
$IPTABLES -A SSH_CHECK -m recent --update --seconds 180 --hitcount 5 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
# ... and drop it; --update refreshes the entry so further attempts keep it blocked
$IPTABLES -A SSH_CHECK -m recent --update --seconds 180 --hitcount 5 --rttl --name SSH -j DROP

What this does: If I get more than 5 hits within 180 seconds, block them for 180 seconds.
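The rules above are a per-source sliding-window limit. As an added illustration, not part of the reply and not iptables code, the following Python model reproduces the `-m recent --set` / `--update --seconds 180 --hitcount 5` logic and runs it over constructed connection times; the addresses are from documentation ranges, and the simplifications (the two --update rules collapsed into one, --rttl ignored) are stated in the comments.

```python
from collections import deque

# Constants mirror the iptables rules above: --seconds 180, --hitcount 5.
# The 20-stamp cap is the kernel's default recent-list history length.
WINDOW_SECONDS = 180
HITCOUNT = 5
HISTORY_LEN = 20


class RecentList:
    """Per-source history of new-connection timestamps, as -m recent keeps it."""

    def __init__(self, seconds=WINDOW_SECONDS, hitcount=HITCOUNT, history=HISTORY_LEN):
        self.seconds = seconds
        self.hitcount = hitcount
        self.history = history
        self.table = {}  # source address -> deque of timestamps (seconds)

    def new_connection(self, src, now):
        """Return the verdict for a NEW connection to port 22 from src at time now."""
        stamps = self.table.setdefault(src, deque(maxlen=self.history))
        # "-m recent --set --name SSH": every new connection is recorded first,
        # so the current packet itself counts towards --hitcount.
        stamps.append(now)
        # "-m recent --update --seconds 180 --hitcount 5": match when at least
        # HITCOUNT stamps fall within the last SECONDS seconds.
        hits = sum(1 for t in stamps if now - t < self.seconds)
        if hits >= self.hitcount:
            # A matching --update refreshes the entry, so attempts made while
            # blocked keep the block alive. Simplified model: the original has
            # two --update rules (LOG and DROP) that each add a stamp, and the
            # --rttl TTL comparison is not modelled.
            stamps.append(now)
            return "DROP"
        return "ACCEPT"


def simulate(attempts, **kwargs):
    """Run a list of (src, time) new-connection attempts; return the verdicts."""
    table = RecentList(**kwargs)
    return [table.new_connection(src, t) for src, t in attempts]


# Constructed sample traffic; addresses are from the documentation ranges.
BURST = [("203.0.113.5", t) for t in (0, 10, 20, 30, 40)]         # rapid guessing
BURST_RETRY = BURST + [("203.0.113.5", 100), ("203.0.113.5", 230)]  # retries after the block
SLOW = [("203.0.113.9", t) for t in (0, 45, 90, 135, 180, 225)]   # paced under the threshold
MIXED = BURST + [("198.51.100.7", 41)]                             # unrelated client

if __name__ == "__main__":
    for name, traffic in (("burst", BURST_RETRY), ("slow", SLOW), ("mixed", MIXED)):
        print(name, simulate(traffic))
```

Running it shows the fifth attempt inside the window being dropped and the retry at 100 s extending the block, while a source that paces itself at one attempt every 45 s never reaches five hits in 180 s and is never blocked. That is the usual caveat with this kind of rule: it slows a single source down but does not stop a patient or distributed guesser, so it complements rather than replaces sshd's own limits (MaxAuthTries, key-only authentication).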
