[TriLUG] SSH Probing...

Greg Brown gregbrown at mindspring.com
Wed Mar 13 09:10:07 EST 2002


I'm still in learning mode when it comes to Linux and security but this talk 
of ssh attacks has alarmed me somewhat.  Would the following ipchains 
configuration be considered "secure" in most cases (eth1 connects to the 
cable modem and eth0 is the "inside" network interface)?

:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A forward -s 10.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth1 -j MASQ
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22:22 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 80:80 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 21:21 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth1 -p 6 -j DENY -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 25:25 -i eth0 -p 6 -j ACCEPT 
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 465:465 -i eth0 -p 6 -j ACCEPT 
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p 6 -j DENY -y

Is there an on-line FAQ detailing how to make ssh more secure?

Greg


On Wednesday 13 March 2002 08:41 am, you wrote:
> JoJo wrote:
> > I have already had an ssh attack on one of my servers.  What are you
> > using to spot this? How can I prevent ssh attacks besides turning off
> > protocol 1 and disallowing root logon for ssh?
>
> I compiled my ssh/sshd version with the '--with-tcp-wrappers' option,
> and then I control access with /etc/hosts.{allow,deny}.  I make use of
> the tcp_wrappers "spawn" capability to email me whenever someone tries
> to make unauthorized access via tcp_wrapped services.  Needless to say,
> the file containing break-in attempts and port scans is pretty large
> after three or four years of doing this.
>
> Paul
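
An added example, not part of the original message or of ipchains itself: a small Python model that walks the "input" chain from the ruleset at the top of this message in first-match order and reports the verdict for a few constructed packets. It assumes a simplified matcher that handles only the options these rules use (`-i`, `-p`, destination port range, `-y`); the function names and sample packets are hypothetical.

```python
# Added example: first-match evaluation of the "input" chain from the message.
# Simplified matcher (assumption): it handles only the options these rules use
# (-i, -p, destination port range, -y) and ignores -s/-d, which are all 0/0 here.
RULES = """\
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22:22 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 80:80 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 21:21 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth1 -p 6 -j DENY -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 25:25 -i eth0 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 465:465 -i eth0 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p 6 -j DENY -y
"""
POLICY = "ACCEPT"  # from ":input ACCEPT": applies when no rule matches
TCP, UDP = "6", "17"  # IP protocol numbers, as written after -p


def parse(line):
    tok = line.split()
    opt = lambda flag: tok[tok.index(flag) + 1] if flag in tok else None
    after_d = tok[tok.index("-d") + 2]  # port range, if one follows the address
    dport = None if after_d.startswith("-") else tuple(map(int, after_d.split(":")))
    return {"dport": dport, "iface": opt("-i"), "proto": opt("-p"),
            "syn_only": "-y" in tok, "target": opt("-j")}


def verdict(iface, proto, dport, syn):
    """Return the target of the first matching rule, else the chain policy.
    syn=True means a connection-opening TCP packet (what -y matches)."""
    for r in map(parse, RULES.splitlines()):
        if r["iface"] and r["iface"] != iface:
            continue
        if r["proto"] and r["proto"] != proto:
            continue
        if r["dport"] and not r["dport"][0] <= dport <= r["dport"][1]:
            continue
        if r["syn_only"] and not syn:
            continue
        return r["target"]
    return POLICY


if __name__ == "__main__":
    # Constructed sample packets: (interface, protocol, destination port, SYN-only)
    for pkt in [("eth1", TCP, 22, True), ("eth1", TCP, 3306, True),
                ("eth1", UDP, 53, False), ("eth1", TCP, 3306, False),
                ("eth0", TCP, 25, True), ("eth0", TCP, 110, True)]:
        print(pkt, "->", verdict(*pkt))
```

The UDP and non-SYN cases match no rule and fall through to the chain policy, so both the rule order and the `:input ACCEPT` default matter when reading this ruleset.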


