New Research

Data2050 — Wed, 13 Apr 2005 23:10:45 +0000

I have been doing some research on this and from what I have found I can use the hosts.allow file and allow the block of IP's I would get from my ISP. From what I understand once that block of IP's (3 or 4 lines of code) is in the hosts.allow file nobody could access SSH from an IP not in that block. I have also read there are different apps that will monitor SSH port 22 and will write an IP to the iptable, people which have either tried multiple logins in either a specified time frame or x amount of login failures will end up with thier IP added to the IP table and they won't be able to waste system resources.
Using this should provide dual security on SSH with autoblocking features.

Data2050

cpellizzi — Wed, 13 Apr 2005 20:35:46 +0000

mairving wrote: I wouldn't really suggest that. Most of us don't have a fixed IP address. If you set it up to allow access from your cable connection and then that address changed, you would be locked out. Since you can't physically go to the server, you would have to get your host to reset it.

A better option which is the default in BSD is to not allow root access via SSH. This way someone can hammer away at the root password all day long and even if they guessed it, still not get in. Use a username that is not easy to determine either and go su (superuser) if you need to do something as root.

Yes, that is true. I have a fixed IP, so I kind of forgot that most people don't...

Data2050 — Wed, 13 Apr 2005 16:32:31 +0000

andy206uk wrote: Have a look into something called portknocking. It makes it impossible to login without first "knocking" a special combination of ports before you login. It would probably get tedious but I've heard it really makes it tough for people to get in.

Info here: http://www.portknocking.org/

Hi andy206uk,
I looked at portnocking and found they said this:

Applicability
Port knocking is a suitable form of hardening hosts that house users who require continual access to services and data from any location and that are not running public services, such as SMTP or HTTP . Port knocking is used to keep all ports closed to public traffic while flexibly opening and closing ports to traffic from users who have authenticated themselves with a knock sequence.

So if I understand what they are saying Port knocking shouldn't be used on a webserver running public services, such as SMTP and HTTP because of the ports SMTP and HTTP use.

Thanks,
Data2050

andy206uk — Wed, 13 Apr 2005 15:02:04 +0000

Have a look into something called portknocking. It makes it impossible to login without first "knocking" a special combination of ports before you login. It would probably get tedious but I've heard it really makes it tough for people to get in.

Info here: http://www.portknocking.org/

Data2050 — Wed, 13 Apr 2005 14:11:20 +0000

thanks for the info, I agree setting a fixed IP address for admin wouldn't work.
I have found this http://www.pettingers.org/code/SSHBlack.html
I have heard using hosts.deny will help but not completly.
any comments on this?

Thanks
Data2050

mairving — Wed, 13 Apr 2005 12:35:09 +0000

cpellizzi wrote: If you are having trouble, I used webmin to set up all of my firewall stuff (webmin.org). You should just allow ssh access from one IP, that is what I would do in that situation.

I wouldn't really suggest that. Most of us don't have a fixed IP address. If you set it up to allow access from your cable connection and then that address changed, you would be locked out. Since you can't physically go to the server, you would have to get your host to reset it.

A better option which is the default in BSD is to not allow root access via SSH. This way someone can hammer away at the root password all day long and even if they guessed it, still not get in. Use a username that is not easy to determine either and go su (superuser) if you need to do something as root.

cpellizzi — Wed, 13 Apr 2005 00:10:55 +0000

If you are having trouble, I used webmin to set up all of my firewall stuff (webmin.org). You should just allow ssh access from one IP, that is what I would do in that situation.

mairving — Tue, 12 Apr 2005 21:28:29 +0000

Do be careful when setting up Firewall rules particularly on a remote computer, since you could potentially lock yourself out.

mairving — Tue, 12 Apr 2005 21:26:25 +0000

Data2050 wrote: Hello,
what I have been seeing is people trying to get access to my server through sshd. they are using multiple names and passwords and probably brute force apps.

Neither Apache or PHP can block SSH attacks, separate program, separate port. All they could do is block access to your site.

What kind of OS?

If Linux, you can use IP Tables

If FreeBSD, you can use IPFW or IPFILTERS to firewall and alternately drop any packets coming from a certain IP address or block.

Busy — Tue, 12 Apr 2005 20:54:10 +0000

Sorry not sure how to solve your problem but you do need to be careful blocking by IP, especially if you plan to block by IP range as most attacks would be coming from proxie servers. ALso what you do with the bad bots etc, if you send them round in circles or give them fake lists or a never ending file to suck on, you're using up what can be valuable resources that could be used better else where.