[Novalug] ssh as root ( beating a dead horse into the ground)
Matt Ryanczak
ryanczak@gmail.com
Wed Mar 7 10:17:50 EST 2012
On 03/07/2012 09:48 AM, John Holland wrote:
>> I haven't seen anyone mention OpenSSH's ``PermitRootLogin``
>> configuration option to control when and if to allow root to login. When
>> ``PermitRootLogin`` is set to ``without-password``, root may not login
>> using a password; instead, root must provide a private SSH key to
>> login. An attacker on the Internet will not possess root's private key,
>> which eliminates the concern that the attacker knows root's account name.
>
> That's very interesting. I might set that up. Seems like a good
> compromise of everything that's been discussed.
I have the following in sshd_config:
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Only key based authentication is allowed. I do everything via sudo.
I also do the following with iptables:
# Create new chain for tracking SSH connection attempts
$IPTABLES -t filter -N SSHSCAN
# Block SSH brute force attacks: send every NEW connection to port 22
# arriving on the Internet-facing interface through the SSHSCAN chain
$IPTABLES -A INPUT -i $INTERNETIF -p tcp --dport 22 -m state --state NEW -j SSHSCAN
# Allow hosts / networks in $SSHWHITELIST before any rate tracking happens
for HOST in $SSHWHITELIST
do
$IPTABLES -A SSHSCAN -p tcp --dport 22 -s $HOST -j ACCEPT
done
# Record this source in the "SSH" recent list, then drop it if it has been
# seen 3 or more times in the last 300 seconds. LOGDROP is a user-defined
# log-and-drop chain that must be created elsewhere in the script.
$IPTABLES -A SSHSCAN -m recent --set --name SSH
$IPTABLES -A SSHSCAN -m recent --update --seconds 300 --hitcount 3 --name SSH -j LOGDROP
This limits new connections to port 22 to 3 every 5 minutes. This
effectively blocks brute force login attempts after the third try. Helps
keep the iptables syslog spam down.
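To make the per-source sliding window behind those two `-m recent` rules concrete, here is an added simulation of the SSHSCAN chain's verdicts (example code, not from the post); the attempt timestamps and addresses are constructed.

```python
"""Model of the SSHSCAN chain's per-source rate limit (added example)."""
from collections import defaultdict

WINDOW_SECONDS = 300   # --seconds 300
HITCOUNT = 3           # --hitcount 3

def sshscan_verdicts(attempts, whitelist, window=WINDOW_SECONDS, hitcount=HITCOUNT):
    """Return one verdict per new SSH connection attempt.

    attempts  -- iterable of (timestamp_seconds, source_ip), in time order
    whitelist -- addresses given in $SSHWHITELIST, accepted before any tracking
    Verdicts mirror the chain: 'ACCEPT' (whitelisted), 'PASS' (falls off the
    end of SSHSCAN, back to INPUT) or 'LOGDROP'.
    """
    hits = defaultdict(list)  # xt_recent list "SSH": source -> hit timestamps
    verdicts = []
    for ts, src in attempts:
        if src in whitelist:
            verdicts.append((ts, src, "ACCEPT"))
            continue
        # -m recent --set --name SSH: record this hit (the packet itself counts)
        hits[src].append(ts)
        # -m recent --update --seconds 300 --hitcount 3: match when the source
        # has at least 3 hits in the last 300 seconds, including this one
        recent = [t for t in hits[src] if ts - t <= window]
        verdicts.append((ts, src, "LOGDROP" if len(recent) >= hitcount else "PASS"))
    return verdicts

# Constructed sample: a scanner, a legitimate host, and a whitelisted admin box.
SAMPLE_ATTEMPTS = [
    (0,   "198.51.100.7"),   # scanner: hit 1 -> PASS
    (10,  "198.51.100.7"),   # hit 2 -> PASS
    (20,  "198.51.100.7"),   # hit 3 within 300 s -> LOGDROP
    (30,  "198.51.100.7"),   # still hammering: dropped hits keep extending the block
    (100, "203.0.113.5"),    # admin host in $SSHWHITELIST -> ACCEPT, never tracked
    (200, "192.0.2.9"),      # legitimate user, first attempt -> PASS
    (310, "198.51.100.7"),   # hits at 10, 20, 30 are still inside the window -> LOGDROP
    (900, "198.51.100.7"),   # quiet for more than 300 s: only this hit counts -> PASS
]
SAMPLE_WHITELIST = {"203.0.113.5"}

if __name__ == "__main__":
    for ts, src, verdict in sshscan_verdicts(SAMPLE_ATTEMPTS, SAMPLE_WHITELIST):
        print(f"t={ts:>4}s {src:<14} {verdict}")
```

Note that a dropped attempt still adds a hit, so a source that keeps retrying stays blocked until it has been silent for the full 300 seconds.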