Securing your ssh server

91 points by notmyname, over 14 years ago

17 comments

jawn, over 14 years ago
I like to SSH in from all over the place, and so a default deny iptables policy would be a disaster for me. After some research, I went ahead and blocked all of China and Korea using iptables.

For anyone curious I put my modified iptables rules up at http://pastebin.com/UPL3w6FQ

Backstory:

I wrote a quick django app that watches fail2ban logs and plots a heatmap of where in the world the attacks are coming from. After watching this for a bit I found that most of these attacks originate from Chinese and Korean IP space. So I set out to block all of China and Korea.

After some googling, I found that okean.com maintains a handy SMTP Chinese/Korean iptables ruleset at http://www.okean.com/antispam/iptables/rc.firewall.sinokorea. I took their rules and modified them to drop all traffic from these IPs instead of just port 25.
Luyt, over 14 years ago
"Use a non-standard port: I'm not a big fan of security through obscurity and it doesn't work well for ssh."

When I had sshd running on the standard port on my MacMini, it would often slow down and start spinning the fan like crazy while some cracker was bruteforcing accounts and passwords. Now that I have it on a non-standard port, that never seems to happen anymore.
samuel, over 14 years ago
When I ran OpenBSD I used to block on repeated failed attempts (see: http://home.nuug.no/~peter/pf/en/long-firewall.html#BRUTEFORCE).

I used to change ssh's port, but not anymore. If a bruteforce attack is a threat to you, then you are better off being compromised by a random script kiddie or spammer than by a targeted attacker looking after your data. Take those scans as free, low-skilled penetration tests.
yummyfajitas, over 14 years ago
Here is an app idea I had: a daemon runs, and it opens 20-30 ports. These ports simulate ssh/telnet/imap servers, at least for limited interactions, but do not actually do anything. They may also run slowly, to consume time on the part of the attacker.

When a user connects to these phony ports, their IP is blocked, or at least blocked from the ports which run legitimate services.

Are there any similar programs, or perhaps some flaw with this idea that I'm not seeing?
nuclear_eclipse, over 14 years ago
Anecdote: I know I'm not a very big target, but disabling password authentication and using fail2ban has kept all of my servers and home machines safe and hacker free for multiple years now. Even during the Debian SSH key fiasco, fail2ban would lock out would-be brute-forcers early enough that they weren't able to exploit my weak SSH key before I could get home from vacation, regenerate my key, and distribute it to all my machines.
modoc, over 14 years ago
You can use simple iptables rules to block brute forcing, while still leaving things open for you on standard ports:

http://www.digitalsanctuary.com/tech-blog/debian/using-iptables-to-prevent-ssh-brute-force-attacks.html

Although now I've moved to CSF which does this and much much more.
jrockway, over 14 years ago
I firewall off the SSH port for one minute after 4 unsuccessful logins in one minute:

    -A SSH_CHECK -m recent --set --name SSH --rsource
    -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j REJECT --reject-with icmp-port-unreachable
    -A SSH_CHECK -p tcp -m tcp --dport 22 -j ACCEPT

This is in addition to default REJECT for everything that I don't explicitly allow.

(Incidentally, the kernel I'm running doesn't support this for ipv6 addresses... so you can bruteforce my ssh server over ipv6 for as long as you want. But fortunately, it's hard to automatically scan the entire ipv6 address space :)
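The four-failures-in-sixty-seconds policy in the rules above, written out as log-side detection logic so the window behaviour is visible. This is an added example, not jrockway's code: it replays constructed sshd auth.log lines through the same trailing-window rule that `-m recent --update --seconds 60 --hitcount 4` applies and reports which source would be rejected, and at which failure.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in sshd's auth.log format (not real traffic).
SAMPLE_LOG = """\
Oct 15 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 51000 ssh2
Oct 15 10:00:10 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
Oct 15 10:00:20 host sshd[1003]: Failed password for root from 203.0.113.5 port 51002 ssh2
Oct 15 10:00:30 host sshd[1004]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Oct 15 10:00:40 host sshd[1005]: Failed password for root from 203.0.113.5 port 51003 ssh2
Oct 15 10:02:00 host sshd[1006]: Failed password for root from 198.51.100.7 port 40001 ssh2
Oct 15 10:05:00 host sshd[1008]: Failed password for root from 192.0.2.9 port 60000 ssh2
Oct 15 10:05:30 host sshd[1009]: Failed password for root from 192.0.2.9 port 60001 ssh2
Oct 15 10:06:10 host sshd[1010]: Failed password for root from 192.0.2.9 port 60002 ssh2
Oct 15 10:06:30 host sshd[1011]: Failed password for root from 192.0.2.9 port 60003 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def find_bans(log_text, window=60, hitcount=4):
    """Return (ip, timestamp) pairs at which the policy would start rejecting.

    Same idea as `-m recent --update --seconds WINDOW --hitcount HITCOUNT`: a
    source is rejected on the failure at which HITCOUNT or more of its failures
    fall inside the trailing WINDOW seconds. Successful logins are ignored and
    the per-source history is cleared once a ban fires.
    """
    recent = defaultdict(deque)
    bans = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        hits = recent[m["ip"]]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > window:
            hits.popleft()  # drop failures that have aged out of the window
        if len(hits) >= hitcount:
            bans.append((m["ip"], m["ts"]))
            hits.clear()
    return bans
```

With the default 60-second window only 203.0.113.5 trips the rule; the slower 192.0.2.9 pattern never has four failures inside one window and would only be caught with a longer `--seconds`.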
millettjon, over 14 years ago
I run a script every 15 minutes from cron that updates my iptables rules based on a whitelist of dynamic dns entries. That lets me logon from my laptop wherever I happen to be.
telemachos, over 14 years ago
Two links I remember liking the last time I wrote iptables rules:

http://blog.andrew.net.au/2005/02/16#ipt_recent_and_ssh_attacks

http://www.la-samhna.de/library/brutessh.html
rufugee, over 14 years ago
I use firehol (firehol.sf.net) along with knockd. Combined, it seems to be a rock-solid defense. The firewall will simply drop packets until someone enters the proper knock.
skeletonjelly, over 14 years ago
Just a quick one on ports, changing them is a fantastic way to stop brute force attacks, and adding something like denyhosts reduces this even further. I used to have a 1024+ port for my ssh until I found out that if a regular user has access to your box already, if they can cause the SSH daemon to die somehow they can spawn a new process on that port (as 1024+ ports can be used by non-root users) and capture your password.

I know it's pretty tin foil hat of me but another layer is always good.
sucuri2, over 14 years ago
Use OSSEC ( http://ossec.net ) to monitor the logs/system for attacks. Not only brute force, but all sorts of stuff.

*open source.
tsycho, over 14 years ago
How should I secure the ssh server on a Mac (running Snow Leopard)?

I tried using denyhosts (also mentioned in the article), but OSX 10.6 is ignoring /etc/hosts.deny, and it doesn't come with iptables. I do not want to disable passwords (i.e. use key-only authentication), since I tend to ssh to my home machine from various computers. And I can't change the port number due to firewall issues at my office.

Any other ideas?
jdlawrie, over 14 years ago
If denying SSH isn't an option, you could try PortKnocking. It's not secure in itself, but it's useful if you're wanting to dynamically allow IPTables access to SSH. I knocked (no pun intended) up a quick Perl script to implement this on Redhat based systems: http://jdlawrie.co.uk/scripts/PortKnocker.txt
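An added illustration of the knock gating described in this comment and in rufugee's knockd setup above. It is not the linked Perl script; the knock ports, timeout and sample packets are all assumed. It models a per-source state machine that marks a source as allowed only after the right ports are hit in order within a timeout, and shows that a sequential port scan or a too-slow knock never satisfies it.

```python
from dataclasses import dataclass, field

# Hypothetical knock sequence and inter-knock timeout (assumed, not from the post).
KNOCK_SEQUENCE = (7000, 8000, 9000)
KNOCK_TIMEOUT = 10.0  # seconds allowed between consecutive knocks


@dataclass
class Knocker:
    sequence: tuple = KNOCK_SEQUENCE
    timeout: float = KNOCK_TIMEOUT
    # per-source progress: ip -> (index of the next expected port, time of last knock)
    progress: dict = field(default_factory=dict)
    opened: set = field(default_factory=set)

    def observe(self, ip, port, now):
        """Feed one inbound SYN (source ip, dst port, time); True when the sequence completes."""
        idx, last = self.progress.get(ip, (0, now))
        if now - last > self.timeout:
            idx = 0  # too slow between knocks: start the sequence over
        if port == self.sequence[idx]:
            idx += 1
        else:
            # any other port breaks the sequence; it may still count as a fresh first knock
            idx = 1 if port == self.sequence[0] else 0
        if idx == len(self.sequence):
            self.opened.add(ip)  # a real daemon would insert the iptables ACCEPT rule here
            self.progress.pop(ip, None)
            return True
        self.progress[ip] = (idx, now)
        return False

    def allowed(self, ip):
        return ip in self.opened


# Constructed sample of inbound SYNs: (source ip, destination port, time in seconds).
SAMPLE_SYNS = [
    ("203.0.113.5", 7000, 0.0), ("203.0.113.5", 8000, 1.5), ("203.0.113.5", 9000, 3.0),  # correct knock
    ("198.51.100.7", 7000, 0.0), ("198.51.100.7", 7001, 0.1), ("198.51.100.7", 8000, 0.2),
    ("198.51.100.7", 9000, 0.3),  # sequential scanner: the hit on 7001 breaks the sequence
    ("192.0.2.9", 7000, 0.0), ("192.0.2.9", 8000, 5.0), ("192.0.2.9", 9000, 30.0),  # too slow
]


def run_sample(syns=SAMPLE_SYNS):
    """Replay the sample in time order; return the sorted sources that completed the knock."""
    k = Knocker()
    for ip, port, t in sorted(syns, key=lambda s: s[2]):
        k.observe(ip, port, t)
    return sorted(k.opened)
```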
kgo, over 14 years ago
I just started using gpg-agent to do my ssh authentication via my crypto-stick (An OpenPGP smartcard with the reader built in.) I'm totally sold on it. It's got a hardware lockout so it can't be brute forced. The actual private key never touches the client machine's memory. And it's reasonably cheap.
nitrogen, over 14 years ago
What's the best way of dealing with the chicken-and-egg problem of initial login when using PKA? Should login be denied until the private key is uploaded via something other than ssh?
thangalin, over 14 years ago
For what it's worth, changing port 22 to something "obscure" is an excellent idea: it separates the script kiddies and bots from real hackers trying to pwn the box. Your log files will contain only hack attempts that should be of concern.

Comments and critiques regarding the following script are most welcome.

    #!/bin/bash
    # Rules:
    # http://www.newartisans.com/2007/09/neat-tricks-with-iptables.html
    # See also:
    # https://help.ubuntu.com/community/IptablesHowTo

    echo "[SCRIPT] Limit to ports 1222 and 80."
    iptables -F
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 1222 -j ACCEPT
    iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport www -j ACCEPT
    iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
    iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

    echo "[SCRIPT] Ban incorrect SSH login attempts (120 seconds)."
    iptables -A INPUT -i lo -p all -j ACCEPT
    iptables -A OUTPUT -o lo -p all -j ACCEPT
    iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset
    iptables -I INPUT -p tcp --dport 1222 -i eth0 -m state --state NEW \
        -m recent --set
    iptables -I INPUT -p tcp --dport 1222 -i eth0 -m state --state NEW \
        -m recent --update --seconds 120 --hitcount 4 -j DROP
    iptables -P INPUT DROP

    echo "[SCRIPT] Drop spoofed IP addresses."
    iptables -A INPUT -s 10.0.0.0/8 -j DROP
    iptables -A INPUT -s 169.254.0.0/16 -j DROP
    iptables -A INPUT -s 172.16.0.0/12 -j DROP
    iptables -A INPUT -s 224.0.0.0/4 -j DROP
    iptables -A INPUT -d 224.0.0.0/4 -j DROP
    iptables -A INPUT -s 240.0.0.0/5 -j DROP
    iptables -A INPUT -d 240.0.0.0/5 -j DROP
    iptables -A INPUT -s 0.0.0.0/8 -j DROP
    iptables -A INPUT -d 0.0.0.0/8 -j DROP
    iptables -A INPUT -d 239.255.255.0/24 -j DROP
    iptables -A INPUT -d 255.255.255.255 -j DROP

    echo "[SCRIPT] Limit spamming PINGs."
    iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
    iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
    iptables -A INPUT -p icmp -m icmp -m limit --limit 2/second -j ACCEPT

    echo "[SCRIPT] Drop packets with an invalid state."
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A FORWARD -m state --state INVALID -j DROP
    iptables -A OUTPUT -m state --state INVALID -j DROP

    echo "[SCRIPT] Drop SYN,FIN invalid ordering."
    iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP

    echo "[SCRIPT] Limit RST RST spam."
    iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST \
        -m limit --limit 2/second --limit-burst 2 -j ACCEPT

    echo "[SCRIPT] Restrict port scanners for 24 hours."
    iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
    iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
    iptables -A INPUT -m recent --name portscan --remove
    iptables -A FORWARD -m recent --name portscan --remove

    echo "[SCRIPT] Drop scans on port 139 (Microsoft)."
    iptables -A INPUT -p tcp -m tcp --dport 139 \
        -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
    iptables -A INPUT -p tcp -m tcp --dport 139 \
        -m recent --name portscan --set -j DROP
    iptables -A FORWARD -p tcp -m tcp --dport 139 \
        -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
    iptables -A FORWARD -p tcp -m tcp --dport 139 \
        -m recent --name portscan --set -j DROP

    iptables-save > /etc/network/iptables
    printf '#!/bin/sh\niptables-restore < /etc/network/iptables\n' > /etc/network/if-pre-up.d/iptables
    chmod 754 /etc/network/if-pre-up.d/iptables