An SSH server is the most common way to access a server that is connected to the internet. With the standard SSH configuration, anybody who knows or guesses a user ID and password can log in to the server. If the attacker succeeds in getting root access, the server can be compromised and used as an FTP server, DoS client, mail spam sender and so on, and the owner of the server is liable for any activities of the attacker. That's awkward and can become quite expensive. The following page describes how to modify the sshd config file to make the SSH server secure and protect it against such attacks.

That's why you have to think carefully about how you protect your server when you set up a server on the internet.


The following configuration is mandatory:
  1. Disable root access with ssh
  2. Allow access with ssh keys only. Otherwise make sure that only secure passwords are used
  3. Reduce access to a minimum
  4. Deny ssh attacks
The following sshd_config parameters should be used:
  1. PermitRootLogin no
  2. Protocol 2
  3. AllowGroups users
  4. AllowUsers xxx yyy zzz, where xxx, yyy and zzz are the users who are allowed to access the system with ssh
  5. ClientAliveInterval 15
  6. LoginGraceTime 10
  7. PubkeyAuthentication yes
  8. PasswordAuthentication no
  9. MaxAuthTries 3
  10. MaxStartups 1
  11. PrintLastLog yes
  12. KeepAlive no
See my sshd_config as an example.
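To check that a running sshd actually carries the values listed above, the following audit script (an added example, not the author's sshd_config or any script from this page) parses an sshd_config the way sshd does, first occurrence of a keyword wins and a Match block ends the global section, and reports every listed keyword that is missing or set differently. The sample config embedded in it is constructed and deliberately leaves PermitRootLogin and PasswordAuthentication at their unsafe values.

```python
"""Audit an sshd_config against the settings listed above (added example,
not the author's script; the sample config is constructed)."""
import re

# Constructed sshd_config: two of the listed settings are still at unsafe values.
SAMPLE_CONFIG = """\
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes   # sshd's default is also yes
PubkeyAuthentication yes
AllowUsers alice bob
MaxAuthTries 3
MaxStartups 1
LoginGraceTime 10
ClientAliveInterval 15
PrintLastLog yes
"""

# Keyword -> required value from the list above (sshd keywords are case-insensitive).
REQUIRED = {
    "permitrootlogin": "no", "protocol": "2", "pubkeyauthentication": "yes",
    "passwordauthentication": "no", "maxauthtries": "3", "maxstartups": "1",
    "logingracetime": "10", "clientaliveinterval": "15", "printlastlog": "yes",
}

def parse_sshd_config(text):
    """Map keyword -> value, keeping the FIRST occurrence of each keyword (the one
    sshd uses) and stopping at the first Match block, whose lines are conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()                 # drop comments
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue                                         # blank or malformed line
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings

def audit(text, required=REQUIRED):
    """Return [(keyword, expected, actual)] for each non-compliant setting; a keyword
    missing from the file has actual=None, since sshd's compiled-in default then applies."""
    settings = parse_sshd_config(text)
    findings = [(k, v, settings.get(k)) for k, v in required.items()
                if settings.get(k, "").lower() != v]
    if "allowusers" not in settings and "allowgroups" not in settings:
        findings.append(("allowusers/allowgroups", "restricted list", None))
    return findings
```

Run `audit(open("/etc/ssh/sshd_config").read())` on a real file; an empty list means every listed setting is present with the required value.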
 
Use the following procedures to reject ssh attacks:
  1. Install http://denyhosts.sourceforge.net/. It blocks all IPs which try ssh attacks
  2. Use port xx, where xx is an unused port. That way all the script kiddies are unsuccessful.
  3. Add the following lines to SuSEfirewall2-custom. They delay all ssh attacks and make them useless:
    iptables -I INPUT -p tcp --dport 4 -m state --state NEW -m recent --set --name SSH
    iptables -I INPUT -p tcp --dport 4 -m state --state NEW -m recent --update --seconds 1200 --hitcount 2 --rttl --name SSH -j LOG --log-prefix SSH_brute_force
    iptables -I INPUT -p tcp --dport 4 -m state --state NEW -m recent --update --seconds 1200 --hitcount 2 --rttl --name SSH -j DROP

  4. Create a VPN. That way the ssh port is neither visible nor accessible.
  5. Use hosts.allow/hosts.deny
 