[Novalug] ssh as root ( beating a dead horse into the ground)

Matt Ryanczak ryanczak@gmail.com
Wed Mar 7 10:17:50 EST 2012


On 03/07/2012 09:48 AM, John Holland wrote:
>> I haven't seen anyone mention OpenSSH's ``PermitRootLogin``
>> configuration option to control when and if to allow root to log in. When
>> ``PermitRootLogin`` is set to ``without-password``, root may not log in
>> using a password; instead, root must provide a private SSH key to
>> log in. An attacker on the Internet will not possess root's private key,
>> which eliminates the concern that the attacker knows root's account name.
>
> That's very interesting. I might set that up. Seems like a good
> compromise of everything that's been discussed.

I have the following in sshd_config:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

Only key based authentication is allowed. I do everything via sudo.

I also do the following with iptables:

# Create new chain for tracking SSH connection attempts
$IPTABLES -t filter -N SSHSCAN
# Block SSH brute force attacks: send every NEW tcp/22 connection arriving
# on the Internet-facing interface through the SSHSCAN chain
$IPTABLES -A INPUT -i $INTERNETIF -p tcp --dport 22 -m state --state NEW \
    -j SSHSCAN
# Allow hosts / networks in $SSHWHITELIST
for HOST in $SSHWHITELIST
do
    $IPTABLES -A SSHSCAN -p tcp --dport 22 -s $HOST -j ACCEPT
done
# Record the source address of every new attempt in the "SSH" recent list
$IPTABLES -A SSHSCAN -m recent --set --name SSH
# Sources seen 3 or more times within 300 seconds go to the LOGDROP chain
$IPTABLES -A SSHSCAN -m recent --update --seconds 300 --hitcount 3 \
    --name SSH -j LOGDROP

This limits new connections to port 22 to 3 every 5 minutes. This
effectively blocks brute force login attempts after the third try. It also
helps keep the iptables syslog spam down.
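As an added illustration (not part of Matt's post), here is a small Python model of what the two ``recent`` rules in that chain do to a sequence of connection attempts. It follows the xt_recent semantics: ``--set`` records a timestamp for every new attempt, ``--update --seconds 300 --hitcount 3`` matches when a source has at least three timestamps inside the window and records one more timestamp on a match, and each source keeps at most 20 timestamps (the ip_pkt_list_tot default); the whitelist address and the attempt timings are constructed sample data.

```python
from collections import defaultdict, deque

SECONDS = 300       # --seconds 300
HITCOUNT = 3        # --hitcount 3
STAMP_CAP = 20      # xt_recent keeps at most ip_pkt_list_tot (default 20) stamps per source
SSHWHITELIST = {"192.0.2.10"}   # constructed stand-in for the post's $SSHWHITELIST

class RecentTable:
    """Per-source timestamp lists, standing in for the kernel's recent list named SSH."""
    def __init__(self, cap=STAMP_CAP):
        self.stamps = defaultdict(lambda: deque(maxlen=cap))

    def set(self, src, now):
        # -m recent --set: create the entry if needed and record this packet's time
        self.stamps[src].append(now)

    def update(self, src, now, seconds, hitcount):
        # -m recent --update --seconds S --hitcount N: match when the source has at
        # least N stamps inside the last S seconds; a match records one more stamp
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        if hits >= hitcount:
            self.stamps[src].append(now)
            return True
        return False

def sshscan(table, src, now, whitelist=SSHWHITELIST):
    """Walk one NEW tcp/22 packet through the SSHSCAN chain and return its verdict."""
    if src in whitelist:
        return "ACCEPT"        # the per-host ACCEPT rules sit at the top of the chain
    table.set(src, now)        # -m recent --set --name SSH
    if table.update(src, now, SECONDS, HITCOUNT):
        return "LOGDROP"       # --update --seconds 300 --hitcount 3 --name SSH -j LOGDROP
    return "RETURN"            # end of chain: back to INPUT for the remaining rules

def simulate(attempts, whitelist=SSHWHITELIST):
    """attempts: list of (seconds since start, source IP); returns one verdict per attempt."""
    table = RecentTable()
    return [sshscan(table, src, t, whitelist) for t, src in attempts]

# Constructed sample: one scanner hammering port 22 plus one whitelisted admin host.
SAMPLE_ATTEMPTS = [
    (0, "198.51.100.7"), (10, "198.51.100.7"), (20, "198.51.100.7"),
    (25, "192.0.2.10"), (30, "198.51.100.7"), (310, "198.51.100.7"),
    (700, "198.51.100.7"),
]

if __name__ == "__main__":
    for (t, src), verdict in zip(SAMPLE_ATTEMPTS, simulate(SAMPLE_ATTEMPTS)):
        print(f"t={t:4d}s  {src:13s} -> {verdict}")
```

The third attempt inside the window is the one the update rule first matches, and because a matched attempt records another stamp, a source that keeps retrying stays in LOGDROP until it has been quiet for 300 seconds (the t=310 attempt above is still dropped, the t=700 one gets through).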


