Re: ssh dictionary attacks



On Fri, 18 Aug 2006 16:04:37 GMT, Chuck
<skilover_nospam@xxxxxxxxxxxxxx> wrote:

Sheldon T. Hall - DO NOT MAIL wrote:

The easiest way to secure your server's SSH port is to just firewall
it completely from the 'net, and have a portknocking arrangement that
selectively opens the SSH port to the IP address that correctly
knocked on the secret port.

Of course, you'd still want all the usual SSH security stuff, too:
restrict the access list to particular users, disallow direct root
logins, require keys, etc.

How do you get the ssh client to "knock first before entering"?

I just use telnet to do the knocking, before firing up the SSH client.

If I were setting this up for other folks, or had to do it from
different places a lot, I'd have a batch/shell program that telnets to
the knocking ports on the server, waits a bit, then starts the SSH
client.

-Shel
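
The knock, wait, then connect wrapper described in the reply above, as an added example that is not part of the original post. It uses `nc` in place of telnet because `nc` exits by itself after the attempt; the function names, the `KNOCK_DELAY` and `DRY_RUN` variables, and the host and port values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: knock on each port in order, wait, then start ssh.
# Host, port list and delay are hypothetical; match them to your knock daemon.
# nc stands in for telnet here because it exits by itself after the attempt.

KNOCK_DELAY=${KNOCK_DELAY:-2}   # seconds to let the firewall rule appear
DRY_RUN=${DRY_RUN:-0}           # 1 = print the steps instead of running them

valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] 2>/dev/null && [ "$1" -le 65535 ] 2>/dev/null
}

knock_one() {   # knock_one HOST PORT
    if [ "$DRY_RUN" = 1 ]; then echo "knock $1:$2"; return 0; fi
    # The port is firewalled, so the connect is expected to fail;
    # only the attempt reaching the server matters.
    nc -z -w 1 "$1" "$2" >/dev/null 2>&1 || true
}

knock_then_ssh() {   # knock_then_ssh HOST PORT[,PORT...] [ssh options]
    if [ "$#" -lt 2 ]; then
        echo "usage: knock_then_ssh HOST PORT[,PORT...] [ssh options]" >&2
        return 2
    fi
    host=$1; ports=$2; shift 2
    # Refuse a host that ssh could parse as an option, and any list
    # that is not digits and commas (also keeps the split below glob-free).
    case "$host" in ''|-*) echo "bad host: $host" >&2; return 2 ;; esac
    case "$ports" in ''|*[!0-9,]*) echo "bad port list: $ports" >&2; return 2 ;; esac
    list=$(echo "$ports" | tr ',' ' ')
    for p in $list; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 2; }
    done
    for p in $list; do knock_one "$host" "$p"; done
    if [ "$DRY_RUN" = 1 ]; then
        echo "sleep $KNOCK_DELAY"; echo "ssh $* -- $host"; return 0
    fi
    sleep "$KNOCK_DELAY"
    ssh "$@" -- "$host"
}

# Run only when called with arguments: ./knock_ssh.sh HOST 7000,8000 -l user
if [ "$#" -gt 0 ]; then knock_then_ssh "$@"; exit $?; fi
```

Setting `DRY_RUN=1` prints the knock sequence and the final ssh command without touching the network, which is useful for checking the port order before relying on it.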
