GUIDE: How to help prevent SSH attacks

RickM · 10-20-2006, 07:26 AM

Hi all,

i thought i would share this guide with everyone. I created it to help people in securing their SSH connection. I will hopefully be adding a second part on other security methods soon.

How to help prevent SSH attacks

Enjoy!

Rick

BeZazz · 10-20-2006, 09:14 AM

Just to add to what you have there (which was good

) you should really move SSH off the main IP as well

Cyberian · 10-20-2006, 12:18 PM

Great little TuT there Ricky, good advice and nice step by step.

Nice Add by ethix as well.

Both rep'd.

Cyberian

RickM · 10-27-2006, 01:48 PM

Thanks guys - and yes; its always a good idea to move SSH off the main IP, and if possible instead (or as well as) passwords, use IP detection (i.e only let your IP login).

I plan on doing a second part which will focus more on server security as a whole rather than just SSH.

Rick

argh2xxx · 10-28-2006, 05:58 AM

Your way is good, but I also do it this way. To effectively secure your ssh even further, you need to do:

vi /etc/ssh/sshd_config

1) change the #Protocol 2,1 to Protocol 2 (remember to remove the remark since it's a comment)
2) change the PermitRootLogin yes to PermitRootLogin no
3) change the PermitEmptyPasswords no to PermitEmptyPasswords no
4) change Banner /some/path to Banner /etc/issue

RedNecker · 10-28-2006, 10:02 AM

Thanks cool guide

Joe · 10-29-2006, 06:59 AM

nice
rep added

Joe

Echelon17 · 11-07-2006, 07:33 PM

Hmm, nice tutorial, but no mention of firewalling the SSH port (iptables) or even using the hosts.deny and hosts.allow files to deny/allow access to individual IP's.

Perhaps extend it to cover those too?

RickM · 11-07-2006, 11:45 PM

I plan on adding a second part which will cover firewalls

as well as other methods of securing your server.

Rick

-GWS- · 11-20-2006, 04:10 PM

Hello,

I have done most of these things but I am curious as to know if it is working. I took a new server and installed BFD and changed the SSH port (plus other things) but I dont know if it is working. On all my other servers I get about 3-5 emails each a day from BFD saying it is working. But I have gotten no emails from the new one that has SSH on a different port. Can I check to see if it is working just by using the wrong password to log in on the new port? I dont know if I am not getting email because something is not set up right with it or if moving it to a different port has that much of an effect.

Echelon17 · 11-20-2006, 04:32 PM

Originally Posted by gemcotechnologies

Hello,
????: NamePros.com http://www.namepros.com/webmaster-tutorials/249129-guide-how-help-prevent-ssh-attacks.html

I have done most of these things but I am curious as to know if it is working. I took a new server and installed BFD and changed the SSH port (plus other things) but I dont know if it is working. On all my other servers I get about 3-5 emails each a day from BFD saying it is working. But I have gotten no emails from the new one that has SSH on a different port. Can I check to see if it is working just by using the wrong password to log in on the new port? I dont know if I am not getting email because something is not set up right with it or if moving it to a different port has that much of an effect.

You aren't getting any warnings to let you know BFD is working, BECAUSE you've changed the SSH port.

Most automated scanners out there looking to crack SSH are going to check on the default port (22), and obviously won't check the others as it's a waste of time. Because you changed port, these scanners aren't hitting your SSH and as a result you're not getting the warnings.

Yes, you can try logging in manually with an incorrect password and this should flag up a warning.

RickM · 11-20-2006, 11:40 PM

Yep,

as Echelon17 stated. Once you've moved the port you are likely to get very few if any access attempts on the new port as its all done through use of automated bots that spend hours trying to crack the password.

bbalegere · 11-21-2006, 01:37 AM

Rep added.
Bookmarked the link in del.icio.us

Why don't you submit it in digg?

RickM · 11-21-2006, 07:20 AM

Never really thought about that

Will do it now though...thanks for the suggestion

YesBrilliant · 02-17-2007, 04:07 PM

Nice step-by-step tutorial.

Thanks for sharing.

Rpd!

AzN · 02-19-2007, 07:56 PM

Repped however on Debian Sarge it was /etc/init.d/ssh restart

Great job!

NewYorkBum · 03-13-2007, 09:18 PM

if you really paranoid about your ssh, then move to key based authentication on the top of moving ssh to another port AND ip

RickM · 03-14-2007, 03:29 PM

Its not a case of being paranoid....its a case of common sense

key based authentication isn't something that most people require....its a good way to secure it....but not a must have.

rahxephon85 · 03-17-2007, 06:05 AM

Great Guide!

RickM · 03-17-2007, 01:56 PM

Thanks

eth01 · 04-02-2007, 07:58 AM

If you ever find yourself in the situation of being attacked by a certain person, you can always trace back the IP'S and Subnets.

Then using IPTABLES block it. I have found that most effective.

RickM · 05-10-2007, 01:15 AM

Just a note, the article has moved to HERE...I've updated the link above too...the old link will still redirect to the new one for the time being.

10-20-2006, 07:26 AM	THREAD STARTER #1 (permalink)
RickM Senior Member Join Date: Sep 2005 Location: Herts, UK Posts: 3,806	GUIDE: How to help prevent SSH attacks Hi all, i thought i would share this guide with everyone. I created it to help people in securing their SSH connection. I will hopefully be adding a second part on other security methods soon. How to help prevent SSH attacks Enjoy! Rick __________________ Disney World Fans - Mobile Apps for your WDW Vacation! WSDReg - Affordable Domain Registration. Serving NP members since 2006! Hotel Site Script - 15% Discount for NP members with code 'NPROS' Last edited by rmwebs; 05-10-2007 at 01:15 AM.

10-20-2006, 09:14 AM	#2 (permalink)
BeZazz Senior Member Join Date: Aug 2006 Location: Australia Posts: 1,362 Follow @bezazz	Just to add to what you have there (which was good ) you should really move SSH off the main IP as well __________________ Dolphins OMFG! BeZazz [US/UK] Low Cost Friendly Hosting 33% Discount Coupon 33-NPS

10-20-2006, 12:18 PM	#3 (permalink)
Cyberian Senior Member Join Date: Apr 2004 Location: Emerald Triangle Posts: 4,592	Great little TuT there Ricky, good advice and nice step by step. Nice Add by ethix as well. Both rep'd. Cyberian __________________ Remember who your loyalties are divided between, and choose for the right reasons who deserves them.

10-27-2006, 01:48 PM	THREAD STARTER #4 (permalink)
RickM Senior Member Join Date: Sep 2005 Location: Herts, UK Posts: 3,806	Thanks guys - and yes; its always a good idea to move SSH off the main IP, and if possible instead (or as well as) passwords, use IP detection (i.e only let your IP login). I plan on doing a second part which will focus more on server security as a whole rather than just SSH. Rick __________________ Disney World Fans - Mobile Apps for your WDW Vacation! WSDReg - Affordable Domain Registration. Serving NP members since 2006! Hotel Site Script - 15% Discount for NP members with code 'NPROS'

10-29-2006, 06:59 AM	#7 (permalink)
Joe Senior Member Join Date: Oct 2005 Location: Kent ~ U.K. Posts: 3,209	nice rep added Joe __________________ Myself and "JackHeskett" are no longer associated with FusedHosting.net. Please pipe all PMs to admin [at] fusedhosting.net.

10-28-2006, 05:58 AM	#5 (permalink)
argh2xxx NamePros Member Join Date: Feb 2006 Posts: 114	Your way is good, but I also do it this way. To effectively secure your ssh even further, you need to do: vi /etc/ssh/sshd_config 1) change the #Protocol 2,1 to Protocol 2 (remember to remove the remark since it's a comment) 2) change the PermitRootLogin yes to PermitRootLogin no 3) change the PermitEmptyPasswords no to PermitEmptyPasswords no 4) change Banner /some/path to Banner /etc/issue

10-28-2006, 10:02 AM	#6 (permalink)
RedNecker Account Suspended Join Date: Oct 2006 Posts: 7	Thanks cool guide

11-07-2006, 07:33 PM	#8 (permalink)
Echelon17 NamePros Member Join Date: Apr 2006 Posts: 101	Hmm, nice tutorial, but no mention of firewalling the SSH port (iptables) or even using the hosts.deny and hosts.allow files to deny/allow access to individual IP's. Perhaps extend it to cover those too? __________________ Are you a freelancer? www.skillsharing.co.uk

11-07-2006, 11:45 PM	THREAD STARTER #9 (permalink)
RickM Senior Member Join Date: Sep 2005 Location: Herts, UK Posts: 3,806	I plan on adding a second part which will cover firewalls as well as other methods of securing your server. Rick __________________ Disney World Fans - Mobile Apps for your WDW Vacation! WSDReg - Affordable Domain Registration. Serving NP members since 2006! Hotel Site Script - 15% Discount for NP members with code 'NPROS'

11-20-2006, 04:10 PM	#10 (permalink)
-GWS- NamePros Regular Join Date: Jan 2006 Location: OH Posts: 374 Follow @LiquidShock	Hello, I have done most of these things but I am curious as to know if it is working. I took a new server and installed BFD and changed the SSH port (plus other things) but I dont know if it is working. On all my other servers I get about 3-5 emails each a day from BFD saying it is working. But I have gotten no emails from the new one that has SSH on a different port. Can I check to see if it is working just by using the wrong password to log in on the new port? I dont know if I am not getting email because something is not set up right with it or if moving it to a different port has that much of an effect. __________________ Liquid Shock Games

11-20-2006, 11:40 PM	THREAD STARTER #12 (permalink)
RickM Senior Member Join Date: Sep 2005 Location: Herts, UK Posts: 3,806	Yep, as Echelon17 stated. Once you've moved the port you are likely to get very few if any access attempts on the new port as its all done through use of automated bots that spend hours trying to crack the password. __________________ Disney World Fans - Mobile Apps for your WDW Vacation! WSDReg - Affordable Domain Registration. Serving NP members since 2006! Hotel Site Script - 15% Discount for NP members with code 'NPROS'

11-21-2006, 01:37 AM	#13 (permalink)
bbalegere Senior Member Join Date: Jul 2005 Location: Bangalore Posts: 1,270	Rep added. Bookmarked the link in del.icio.us Why don't you submit it in digg? __________________ Fire-Power Blog-AgniPulse.com Internet speed test PPC search Web site hosting review Computer Auctions Computer running slow

11-21-2006, 07:20 AM	THREAD STARTER #14 (permalink)
RickM Senior Member Join Date: Sep 2005 Location: Herts, UK Posts: 3,806	Never really thought about that Will do it now though...thanks for the suggestion __________________ Disney World Fans - Mobile Apps for your WDW Vacation! WSDReg - Affordable Domain Registration. Serving NP members since 2006! Hotel Site Script - 15% Discount for NP members with code 'NPROS'

02-17-2007, 04:07 PM	#15 (permalink)
YesBrilliant Account Suspended Join Date: Sep 2006 Posts: 1,059	Nice step-by-step tutorial. Thanks for sharing. Rpd!

02-19-2007, 07:56 PM	#16 (permalink)
AzN is on hiatus Join Date: May 2006 Posts: 2,449	Repped however on Debian Sarge it was /etc/init.d/ssh restart Great job! __________________ Currently on hiatus. Back whenever.

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

03-13-2007, 09:18 PM	#17 (permalink)
NewYorkBum NamePros Regular Join Date: Jan 2007 Posts: 241	if you really paranoid about your ssh, then move to key based authentication on the top of moving ssh to another port AND ip

03-14-2007, 03:29 PM	THREAD STARTER #18 (permalink)
RickM Senior Member Join Date: Sep 2005 Location: Herts, UK Posts: 3,806	Its not a case of being paranoid....its a case of common sense key based authentication isn't something that most people require....its a good way to secure it....but not a must have. __________________ Disney World Fans - Mobile Apps for your WDW Vacation! WSDReg - Affordable Domain Registration. Serving NP members since 2006! Hotel Site Script - 15% Discount for NP members with code 'NPROS'

03-17-2007, 06:05 AM	#19 (permalink)
rahxephon85 NamePros Member Join Date: Dec 2006 Posts: 48	Great Guide!

03-17-2007, 01:56 PM	THREAD STARTER #20 (permalink)
RickM Senior Member Join Date: Sep 2005 Location: Herts, UK Posts: 3,806	Thanks __________________ Disney World Fans - Mobile Apps for your WDW Vacation! WSDReg - Affordable Domain Registration. Serving NP members since 2006! Hotel Site Script - 15% Discount for NP members with code 'NPROS'

04-02-2007, 07:58 AM	#21 (permalink)
eth01 Account Suspended Join Date: Apr 2007 Location: UK Posts: 24	If you ever find yourself in the situation of being attacked by a certain person, you can always trace back the IP'S and Subnets. Then using IPTABLES block it. I have found that most effective.

05-10-2007, 01:15 AM	THREAD STARTER #22 (permalink)
RickM Senior Member Join Date: Sep 2005 Location: Herts, UK Posts: 3,806	Just a note, the article has moved to HERE...I've updated the link above too...the old link will still redirect to the new one for the time being. __________________ Disney World Fans - Mobile Apps for your WDW Vacation! WSDReg - Affordable Domain Registration. Serving NP members since 2006! Hotel Site Script - 15% Discount for NP members with code 'NPROS'