Weekly Edition
Return to the Press page
| |||||||||||
|
| |||||||||||
sshguard: Protection for OpenSSH (Linux.com)
Linux.com reviews
sshguard. "Are you concerned about brute force dictionary attacks on
SSH? Given the popularity of these attacks, you should be. sshguard is a
new tool to help protect against such attacks. Although it is still in beta
stage, it appears to work well."
(Log in to post comments)
sshguard: Protection for OpenSSH (Linux.com) Posted Mar 6, 2007 21:48 UTC (Tue) by HappyCamp (subscriber, #29230) [Link] I just started using Fail2Ban (http://www.fail2ban.org/) Seems to work well and is fairly simple to install.
sshguard: Protection for OpenSSH (Linux.com) Posted Mar 6, 2007 22:15 UTC (Tue) by drag (subscriber, #31333) [Link] I like public private keypairs in addition to a passphrase.
If I wanted a secure ssh installation I'd just remove all ability to login with a password.
sshguard: Protection for OpenSSH (Linux.com) Posted Mar 6, 2007 22:25 UTC (Tue) by nix (subscriber, #2304) [Link] There are people who still *allow* PasswordAuthentication over the openinternet?
Dictionary attacks aside, passwords are so... *short*, and anyway, they're
sshguard: Protection for OpenSSH (Linux.com) Posted Mar 7, 2007 1:51 UTC (Wed) by yarikoptic (subscriber, #36795) [Link] I found simple knocking (even 1 port knocking, which gets closed by "knocking" on near-by ports) very useful and easy to setup natively by iptables (see http://www.shorewall.net/PortKnocking.html) - it pretty much eliminated my need in fail2ban for ssh blocking (I still use it with following filters: apache-attacks, apache-noscript, apache-attacks-gb, apache-badbots, ssh, sasl, apache, courierauth, exim4-abuse, some of which are custom crafted and some are 'stock')
portknocking Posted Mar 8, 2007 23:45 UTC (Thu) by ldo (subscriber, #40946) [Link] I found simple knocking (even 1 port knocking, which gets closed by "knocking" on near-by ports) very useful and easy to setup natively by iptables... If SSH is like an iron door, then port knocking is like putting an extra layer of cardboard on top of it to try to make it stronger. As a security measure, port knocking is laughable. It's a pushover for something as elementary as a replay attack. As for those SSH password guessers, they're never going to get in if you have good passwords. You can enforce this on your users through appropriate system configuration. And of course you can run your own password-cracking tools, like John the Ripper, just to make sure.
portknocking Posted Mar 9, 2007 1:12 UTC (Fri) by yarikoptic (subscriber, #36795) [Link] well, taking cardboard analogy further, it is a cardboard which hides where the lock is.
Thus it might help preventing
So it is good what it is worth for: now my daily logwatch is clean and any entry which would report malicious attempt to login would trigger my interest to that event (as opposed to going through lengthy lists of failed attempts from dictionary attacks).
sshguard: Protection for OpenSSH (Linux.com) Posted Mar 7, 2007 5:39 UTC (Wed) by k8to (subscriber, #15413) [Link] If you want to be able to log into your system from anywhere, then passwords are pretty much necessary for ssh. You can try to cart around your key on a pen drive or whatever, but there will be plenty of situations where you can't access it.
The problems this exposes you to are sometimes large enough to simply live without this ability, but sometimes the reverse is true.
sshguard: Protection for OpenSSH (Linux.com) Posted Mar 6, 2007 22:17 UTC (Tue) by yarikoptic (subscriber, #36795) [Link] and fail2ban can- use other baning actions (instead of iptables) such as via hosts.deny or direct call to a firewall (such as shorewall) - be (and is) configured to track other services such as http/ftp servers, etc - provide notifications via email (or any other means since you can easily customize that with additional "action") - has a logwatch filter (so you get nicely daily summary of the Events ;-))
and fail2ban is
just my 0.1 cents
sshguard: Protection for OpenSSH (Linux.com) Posted Mar 7, 2007 0:23 UTC (Wed) by pheldens (guest, #19366) [Link] Thanks for the tip folks, trying it out.
sshguard: Protection for OpenSSH (Linux.com) Posted Mar 7, 2007 5:09 UTC (Wed) by jachim (subscriber, #2963) [Link] Thanks for mentioning fail2bain! I've been looking for something like this. For various reasons, I have to maintain a non-anonymous FTP site, and I'm getting thousands of repeated login attempts with the username administrator (Windows script-kiddies!) It took me about an hour and a half to get it set up, and half of that was redirecting syslog from the FTP server to the firewall where fail2ban can do its work.
sshguard: Protection for OpenSSH (Linux.com) Posted Mar 7, 2007 0:49 UTC (Wed) by Erich_J_Ritzmann (guest, #39670) [Link] I do my graduate studies at a mid-sized school which has us logging into Novell in the clear,across the public 'net using a web form... they don't support https even if you know enough to alter the URL. They won't listen to people like us because we won't do Windows (corollary: real smart computer guys know windoze inside out, right?!). Picture it, someone will someday tell them that ssh with a password isn't considered secure any more, at which point they will address the problem by turning to a well-known company from Redmond who doesn't include ssh (therefore, it is more secure!). This world is full of strange ironies and paradoxes even while we fret over passphrases and our ssh.
On a more practical note, in the past I've relied on iptables to restrict the IPs accessing my
sshguard: Protection for OpenSSH (Linux.com) Posted Mar 7, 2007 7:01 UTC (Wed) by khim (subscriber, #9252) [Link] s/looking for a project/looking for a new distro/ Most GUI tools in Fedora are done in this vein: they will happily erase all local modifications and re-create "correct" config. Usually the main file includes the .custom file (or something like that) and THAT is where you should put all hand-made customizations...
sshguard: Protection for OpenSSH (Linux.com) Posted Mar 7, 2007 9:05 UTC (Wed) by shalem (subscriber, #4062) [Link] That is simply not true, you must be confusing Fedora with Suse's YAST, unlike YAST which will blow away any changes not made by YASt most of Fedora's tools bend them selves over backward to read in, display for editing where known and write back settings.
I must admit that system-config-security does overwrite iptables settings, we (Fedora) really need to add something to this to detect manual changes to the iptables settings and yell about them.
sshguard: Protection for OpenSSH (Linux.com) Posted Mar 7, 2007 9:13 UTC (Wed) by niner (subscriber, #26151) [Link] Please don't repeat this FUD about YaST any more. Yes it was true many years ago, but nowadays you can happily modify any configuration file manually while still using YaST and you won't lose any changes.
reading of logfiles is a problematic interface Posted Mar 7, 2007 5:47 UTC (Wed) by k8to (subscriber, #15413) [Link] Reading logfiles to find authentication failures is somewhat problematic. Logfiles may have different formats, so it's necessary to customize the parser. It's not easy to create a parser that will correctly parse a logfile when the 'attacker' can create arbitrary substrings. Only logging ip addresses are trustworthy, logged resolved hostnames create an attack opportunity where the revese and forward resolution cycle changes the adddress.
In short, all tools of this ilk would be improved if they could acquire unambiguously the parameters of failed logins. What host at what time tried to log in with what public credentials (obviously the password shouldn't be passed). Has anyone looked into that?
reading of logfiles is a problematic interface Posted Mar 7, 2007 9:31 UTC (Wed) by pcampe (subscriber, #28223) [Link] >Reading logfiles to find authentication failures is somewhat problematic.>Logfiles may have different formats, so it's necessary to customize the >parser.
Good point, you might be interested in this PAM module:
http://www.hexten.net/pam_abl/
(I have not yet tested it)
sshguard: Protection for OpenSSH (Linux.com) Posted Mar 7, 2007 13:49 UTC (Wed) by ahoogerhuis (subscriber, #4041) [Link] It would be tempting to call /. on this and refer to this article a while back: http://lwn.net/Articles/222201/
It had a few good comments on ssh dictionary attacks, and also asks the question, why deal with complex software when it can be dealt with very easily in iptables, shown in comments such as these:
http://lwn.net/Articles/222243/ (yours truly also had a comment there)
And for those wanting it simple, using ferm:
# allow SSH connections and tarpit them
ferm is a very nice way of writing iptables rules:
http://max.kellermann.name/projects/ferm/
-A :)
sshguard: Protection for OpenSSH (Linux.com) Posted Mar 7, 2007 20:22 UTC (Wed) by konstantin (subscriber, #37126) [Link] on redhat/fedora systems, add lines below to /etc/sysconfig/iptables, at the beginning of lines that start with '-A RH-Firewall-1-INPUT'
### if you have 4 unsuccessful logins in one minute, your IP will be banned
This can be extended for other protocol as well. For SSH the above throttles login rate to 12 attempts per minute. (3 attempts per new session, 4 sessions per min)
No need to any additional scripts, software, etc. Works like a charm for all ssh dictionary attack scripts
-Konstantin
sshguard: Protection for OpenSSH (Linux.com) Posted Mar 8, 2007 0:38 UTC (Thu) by NapalmLlama (guest, #26327) [Link] I was going to post something similar. I have the luxury of being the only person who should be SSHing into my box. I just put a simple limit match on new connections to port 22 - 1/min, burst 3.
I'm guessing this sshguard app is for sysadmins unlucky enough to have to deal with gaggles of lusers on their boxen ;)
sshguard: Protection for OpenSSH (Linux.com) Posted Mar 8, 2007 4:44 UTC (Thu) by konstantin (subscriber, #37126) [Link] my script is for sysadmins -- it limits amount of connections per IP (read per user)
it would not work only when you have bunch of people who need SSH login behind the same NAT gateway, so connections would appear to be from the same IP
|
|||||||||||