[svlug] Firewalls?

Nick Austin nick at smartaustin.com
Wed Jan 24 00:25:09 PST 2007


On Tue, Jan 23, 2007 at 09:32:22PM -0800, Rick Moen wrote:
> Quoting Raj Shekhar (rajlist at rajshekhar.net):
> 
> > This has come up once earlier too on this mailing list.  IIRC, the 
> > methods that were recommended were (in no particular order)
> >   - change the sshd listener port
> 
> This puts you thereafter to the indignity of having to type "ssh -p
> 8080 ..." and "scp -P 8080..." and such, for no actual gain in security,

You can add the host parameters to your .ssh/config.
Something like this:

Host foo
  User bar
  Port 8080

If you change the port, then you'll likely avoid the theoretical new automated
sshd attack before you have a chance to read about it on slashdot, and patch
your daemon.

Also, if you change it to port 443, then you're more likely to be able to
connect to your ssh port through more proxies and firewalls.

> >   - allow only key-based logins
> 
> This actually does something -- at the cost of making you need to always 
> have handy your public-key credential.  Which, by the way, can get stolen 
> as well (if used on a compromised host).

If you're trying to defend against that attack, then an OTP (One Time Password)
solution is likely the best way to go.

As you said before, knowing the threat you're protecting from is very 
important.

> >   - use denyhosts (http://denyhosts.sourceforge.net/)
> 
> Insanely over-elaborate.  Cheswick and Bellovin would weep.  
> 
> At least the author finally and belatedly added an option to expire the
> /etc/hosts.deny entries

A great feature, if you're having trouble with your own password/login.

> making it less likely someone can cause you to
> DoS yourself by sending spoofed traffic.

I know that IT people hate saying things like "impossible", but in this case
the theoretical attack is so unlikely, that it can be said:

Spoofing your IP source on an SSH login without access to the return traffic
is impossible.

> >   - someone pointed to this netfilter magic 
> > http://blog.andrew.net.au/2005/02/16#ipt_recent_and_ssh_attacks
> 
> Much more sound and better engineered than denyhosts, and at least he

It may be better than denyhosts, but it is not as good as a tool like
sshblack: http://www.pettingers.org/code/sshblack.html

The iptables method listed above will block legitimate users who perform many
logins in a row. The sshblack solution will only block users who are failing
ssh logins.

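A small added illustration of the distinction drawn in the last paragraph above (example code written for this archive page, not from the original post, from sshblack, or from the ipt_recent recipe): the first counter flags any source that opens many connections, success or failure alike, which is what a per-connection rate limit does; the second counts only failed logins. The log lines are constructed, in the sshd syslog format of the period, and the time window that ipt_recent would apply is left out to keep the comparison to the counting rule itself.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not real traffic): one source guessing passwords,
# one legitimate user "bar" running several key-based logins in quick succession.
SAMPLE_LOG = """\
Jan 24 00:01:02 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Jan 24 00:01:04 host sshd[1002]: Failed password for invalid user test from 203.0.113.5 port 41023 ssh2
Jan 24 00:01:06 host sshd[1003]: Failed password for root from 203.0.113.5 port 41024 ssh2
Jan 24 00:01:08 host sshd[1004]: Failed password for root from 203.0.113.5 port 41025 ssh2
Jan 24 00:02:00 host sshd[1005]: Accepted publickey for bar from 198.51.100.7 port 50001 ssh2
Jan 24 00:02:01 host sshd[1006]: Accepted publickey for bar from 198.51.100.7 port 50002 ssh2
Jan 24 00:02:02 host sshd[1007]: Accepted publickey for bar from 198.51.100.7 port 50003 ssh2
Jan 24 00:02:03 host sshd[1008]: Accepted publickey for bar from 198.51.100.7 port 50004 ssh2
Jan 24 00:02:05 host sshd[1009]: Failed password for bar from 198.51.100.7 port 50005 ssh2
"""

# Matches both "Accepted <method> for <user> from <ip> port" and
# "Failed <method> for [invalid user ]<user> from <ip> port".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+) port"
)


def parse(log):
    """Yield (outcome, user, source_ip) for every sshd authentication line."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def sources_by_connection_count(log, threshold):
    """Per-connection rule: any source with >= threshold logins, successful or not."""
    counts = defaultdict(int)
    for _outcome, _user, ip in parse(log):
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n >= threshold}


def sources_by_failure_count(log, threshold):
    """Failure-only rule: sources with >= threshold *failed* logins."""
    counts = defaultdict(int)
    for outcome, _user, ip in parse(log):
        if outcome == "Failed":
            counts[ip] += 1
    return {ip for ip, n in counts.items() if n >= threshold}
```

With a threshold of 4, the per-connection rule blocks both the guessing source and the legitimate user, while the failure-only rule blocks only the guessing source.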