SSH 
Another thousand-plus /var/log/messages entries with brute-force SSH retries. They have bothered me since one of my servers got a 6 Mbit line. To improve security I configured sshd so that it requires a private key and simply disconnects anyone who does not have one: the service no longer offers keyboard-interactive password entry at all. No matching private key? The session is dropped immediately. In /etc/ssh/sshd_config set the following (comments go on their own lines: older sshd versions reject anything after the value on a directive line):


# allow login via keys (the user's authorized_keys must hold the public key)
PubkeyAuthentication yes
# disallow password login for users whose keys are not in authorized_keys
PasswordAuthentication no
# do not offer the "keyboard-interactive" userauth method either: it allows an
# arbitrary sequence of server prompts and typed user responses, which with
# UsePAM yes is how PAM would still ask for a password. OpenSSH 8.7 and later
# call this KbdInteractiveAuthentication; the old name is kept as an alias.
ChallengeResponseAuthentication no


Also allow only specific users to log in via SSH: a mail/POP/web-only account has no business with an interactive shell session. To allow only some users, put the directive

AllowUsers only_my_allowed_ssh_user1 only_my_allowed_ssh_user2

into the sshd configuration file and restart the daemon. Also disable root login and use an ordinary user for logging in (the directive is PermitRootLogin; there is no AllowRootLogin keyword, and sshd refuses to start on an unknown one):

PermitRootLogin no

Run sshd -t after editing to catch mistakes, and keep your current session open until a key-based login from a second terminal works, or a typo locks you out of the box.
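Before restarting it pays to check what sshd will really use, because sshd_config is first-match and a Match block swallows every line after it. The script below is an added example, not part of the original post: it prints the effective global value of a directive and audits the settings above plus AllowUsers against two constructed sample files (the file contents and the alice/bob user names are made up for the example).

```sh
#!/bin/sh
# Added example, not from the original post. sshd_config is first-match: the first
# occurrence of a keyword wins and later ones are ignored, and every line after a
# "Match" line belongs to that Match block until the next Match or end of file, so
# hardening lines pasted at the bottom of a file that ends in a Match block do
# nothing. (On distributions whose sshd_config starts with
# "Include /etc/ssh/sshd_config.d/*.conf" a drop-in there is read first and wins
# the same way.) The two sample files are constructed for this example.

# sshd_value FILE KEYWORD: the global value sshd takes for KEYWORD, empty if it is
# never set. KEYWORD may be an alternation like "a|b" for keyword aliases. Matching
# is case-insensitive, "Keyword value" and "Keyword=value" both work, comments and
# blank lines are skipped, and reading stops at the first Match line.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /^(#|$)/ { next }
        { split($0, tok, /[ \t=]+/); k = tolower(tok[1]) }
        k == "match" { exit }
        k ~ "^(" key ")$" { sub(/^[^ \t=]+[ \t=]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd FILE: print one line per directive whose effective value (explicit, or
# the OpenSSH default when the keyword is absent) differs from the hardening above;
# status 0 only when everything is as wanted
audit_sshd() {
    file=$1 rc=0
    # keyword(s)  wanted  default-when-absent (PermitRootLogin: OpenSSH 7.0+)
    for spec in \
        'PubkeyAuthentication yes yes' \
        'PasswordAuthentication no yes' \
        'ChallengeResponseAuthentication|KbdInteractiveAuthentication no yes' \
        'PermitRootLogin no prohibit-password'
    do
        set -- $spec
        got=$(sshd_value "$file" "$1")
        got=${got:-$3}
        [ "$got" = "$2" ] || { echo "${1%%|*}: want $2, effective $got"; rc=1; }
    done
    [ -n "$(sshd_value "$file" AllowUsers)" ] \
        || { echo "AllowUsers: not set, every account with a shell may log in"; rc=1; }
    return $rc
}

BAD_CFG=$(mktemp) GOOD_CFG=$(mktemp)
trap 'rm -f "$BAD_CFG" "$GOOD_CFG"' EXIT
cat > "$BAD_CFG" <<'EOF'
# constructed sample: hardening pasted at the end, after a Match block
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
EOF
cat > "$GOOD_CFG" <<'EOF'
# constructed sample: global hardening first, the per-network exception afterwards
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
AllowUsers alice bob
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF

echo "== $BAD_CFG"; audit_sshd "$BAD_CFG" || echo "-> not hardened"
echo "== $GOOD_CFG"; audit_sshd "$GOOD_CFG" && echo "-> ok"
```

On a live host call it as sshd_value /etc/ssh/sshd_config PasswordAuthentication or audit_sshd /etc/ssh/sshd_config. The authoritative answer is still sshd -T, which dumps the values sshd itself resolves (Include drop-ins included), and sshd -t syntax-checks the file before a restart.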

Are you an iptables user? Then you can also rate-limit new SSH connections per source address with the recent match (this is connection-rate limiting, not SYN-flood protection, which is a job for syncookies or connlimit). The rules belong in the chain that handles incoming traffic, here RH-Firewall-1-INPUT as on Red Hat systems, after the usual ESTABLISHED,RELATED accept so that only new connections are counted:


-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j LOG --log-prefix "SSH_brute_force "
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource -j ACCEPT


Above: the order is the important part. The --set rule both records the source address in the SSH list and accepts the packet, so it must come last; placed first it would accept every new connection and the two --update rules would never see one. --update with --seconds 60 --hitcount 2 matches a source that already has two recorded new connections in the last 60 seconds, so each source gets two SSH connections per minute; the third is logged with the SSH_brute_force prefix (the trailing space keeps the prefix from running into the IN= field) and rejected with an ICMP port-unreachable. A matching --update also records the rejected attempt, so a host that keeps retrying stays blocked until it has been quiet for a full minute. --rttl only matches when the packet's TTL equals the one recorded by --set, which keeps someone from locking you out by spoofing your address. Raise --hitcount to 3 if you want three per minute. The counter is per source address, so a distributed brute force from many hosts is not slowed down, and it says nothing about whether the logins succeed: key-only authentication above is the real fix, this just keeps the log readable.
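How many connections the three rules let through is easy to get wrong, so here is a small model of them, added for this post and not part of the original. It replays new connections from two constructed source addresses through the LOG, REJECT and ACCEPT rules with the recent match's semantics (a matching --update records a new stamp, --set always does) and then runs the kind of pipeline you would point at /var/log/messages to list logged sources. TTL matching (--rttl) and the kernel's 20-stamp limit per source are left out.

```sh
#!/bin/sh
# Added example (not from the original post): a model of the three rules above,
# walked for one SYN at a time, so the effect of --seconds/--hitcount and of the
# rule order can be checked without root or a kernel. Stamps are plain seconds;
# --rttl (TTL must match the recorded one) and the per-source stamp limit
# (ip_pkt_list_tot, default 20) are not modelled. Addresses come from the
# documentation ranges and were chosen for the example.
WINDOW=60        # --seconds
HITCOUNT=2       # --hitcount
RECENT_LIST=""   # "ip stamp" per line, like /proc/net/xt_recent/SSH
KLOG=""          # what the LOG rule would write to the kernel log
VERDICT=""       # result of the last new_ssh_conn call
VERDICTS=""      # all verdicts of the last scenario call

recent_flush() { RECENT_LIST=""; KLOG=""; }

# --set: record a stamp for the source (creating the entry if needed)
recent_set() { RECENT_LIST=$(printf '%s\n%s %s' "$RECENT_LIST" "$1" "$2"); }

# number of stamps for IP that are at most WINDOW seconds old at time NOW
recent_hits() {
    printf '%s' "$RECENT_LIST" | awk -v ip="$1" -v now="$2" -v win="$WINDOW" \
        '$1 == ip && $2 >= now - win { n++ } END { print n + 0 }'
}

# --update --seconds WINDOW --hitcount HITCOUNT: matches (status 0) when the source
# already has HITCOUNT recent stamps, and on a match records one more stamp,
# which is why a rejected attempt keeps extending the block
recent_update() {
    [ "$(recent_hits "$1" "$2")" -ge "$HITCOUNT" ] || return 1
    recent_set "$1" "$2"
}

# walk the chain for one new connection from IP at time NOW; sets VERDICT
new_ssh_conn() {
    ip=$1; now=$2
    if recent_update "$ip" "$now"; then          # rule 1: -j LOG, non-terminating
        KLOG=$(printf '%s\n%s' "$KLOG" "kernel: SSH_brute_force IN=eth0 SRC=$ip DST=192.0.2.10 PROTO=TCP DPT=22 SYN t=$now")
    fi
    if recent_update "$ip" "$now"; then          # rule 2: -j REJECT
        VERDICT=REJECT; return 0
    fi
    recent_set "$ip" "$now"                      # rule 3: --set -j ACCEPT
    VERDICT=ACCEPT
}

# scenario ip@seconds ...: replay new connections from a flushed state and
# leave the space-separated verdicts in VERDICTS
scenario() {
    recent_flush
    VERDICTS=""
    for ev in "$@"; do
        new_ssh_conn "${ev%@*}" "${ev#*@}"
        VERDICTS="${VERDICTS:+$VERDICTS }$VERDICT"
    done
}

# offenders in the log; the same pipeline works on: grep SSH_brute_force /var/log/messages
brute_force_sources() {
    printf '%s' "$KLOG" | sed -n 's/.*SSH_brute_force .*SRC=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# two accepted, third rejected; a retry 50 s after the rejection is rejected again
# (the rejection itself was stamped); a second source is counted on its own
scenario 203.0.113.7@0 203.0.113.7@10 203.0.113.7@20 198.51.100.9@20 203.0.113.7@70 203.0.113.7@131
echo "verdicts: $VERDICTS"
echo "logged sources (ip count):"
brute_force_sources
```

The replay prints ACCEPT ACCEPT REJECT ACCEPT REJECT ACCEPT: the first source gets two connections, is rejected on the third, is still rejected at second 70 because the rejected attempt at second 20 was recorded, and only gets in again once a full window has passed since its last rejected attempt. Swap the ACCEPT rule to the front of new_ssh_conn and every verdict becomes ACCEPT, which is what the wrong rule order does on a real box.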

Key management:

When I once again forgot which key belongs to which server, I realized the keys would be much easier to manage with a script. The following shell script does the job: it generates one key pair per server, with the server name in the file name so the file itself says where it belongs, pushes the public key into that server's authorized_keys and connects to the server with the matching key.


#!/bin/bash
# Menu-driven helper: one key pair per server, named ~/.ssh/id_ed25519_<server>.
# ed25519 replaces the original DSA naming: DSA keys are refused by OpenSSH 7.0+
# and were removed entirely in 9.8.
set -u

while true
do
    clear
    echo "Generate key ... 1"
    echo "Push key ... 2"
    echo "Server connect ... 3"
    echo "Exit ... x"
    echo
    echo -n ": "
    read -r option
    case $option in
    1)
        echo "Generating key"
        echo -n "Target srvr: "
        read -r remotebox
        key="$HOME/.ssh/id_ed25519_$remotebox"
        if [ -f "$key" ]
        then
            echo "WARNING: $key exists - giving up."
        else
            # -C labels the public key with its purpose; ssh-keygen asks for a passphrase
            ssh-keygen -t ed25519 -C "$(id -un) for $remotebox" -f "$key"
        fi
        sleep 8
        ;;
    2)
        echo "Pushing key"
        echo -n "Target srvr: "
        read -r remotebox
        echo -n "Target user: "
        read -r user
        pubkey="$HOME/.ssh/id_ed25519_$remotebox.pub"
        echo "Using public key: $pubkey"
        if [ ! -f "$pubkey" ]
        then
            echo "Problem with a key: $pubkey not found (generate it first)"
            sleep 5
            continue
        fi
        # This is the one login that still needs the password, so it has to
        # happen before PasswordAuthentication is switched off on the server.
        # umask 077 creates .ssh and authorized_keys private; sshd ignores the
        # key when either is group- or world-writable.
        ssh "$user@$remotebox" \
            'umask 077; mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys' \
            < "$pubkey"
        echo
        echo "Please set the following options in /etc/ssh/sshd_config on $remotebox,"
        echo "check with 'sshd -t' and reload sshd - keep this session open until a"
        echo "key login from a second window works:"
        echo
        echo "AllowUsers $user"
        echo "PermitRootLogin no"
        echo "PubkeyAuthentication yes"
        echo "PasswordAuthentication no"
        echo "ChallengeResponseAuthentication no"
        echo "X11Forwarding no"
        echo
        echo "Press [enter]"
        read -r _
        ;;
    3)
        echo -n "Target srvr: "
        read -r remotebox
        echo -n "Target user: "
        read -r user
        # IdentitiesOnly: offer only this key, not every key the agent holds,
        # or MaxAuthTries may be exhausted before the right one is tried
        ssh -o IdentitiesOnly=yes -i "$HOME/.ssh/id_ed25519_$remotebox" -l "$user" "$remotebox"
        ;;
    x)
        echo "Quit"
        exit
        ;;
    *)
        echo "Wrong"
        ;;
    esac
done
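Once every server has its own key file, the client can be told which key belongs where instead of passing -i by hand. The function below is an added example, not part of the original post: it writes one Host stanza per key file for ~/.ssh/config. It assumes per-server keys named id_ed25519_<server> in one directory (that naming pattern is this example's assumption; the glob is the one line to change for a different scheme) and the sample directory with empty stand-in key files is constructed.

```sh
#!/bin/sh
# Added example, not from the original post: let the ssh client pick the key per
# host instead of passing -i by hand. gen_ssh_config turns every
# KEYDIR/id_ed25519_<server> private key into a Host stanza for ~/.ssh/config.
# IdentitiesOnly matters once you own several keys: without it the client offers
# every default and agent-loaded key before the one in IdentityFile, and a server
# with a low MaxAuthTries disconnects you with "Too many authentication failures".
# The id_ed25519_<server> naming and the sample directory are this example's
# assumptions; the glob is the one line to change for a different naming scheme.

# gen_ssh_config KEYDIR [USER]: print one Host stanza per KEYDIR/id_ed25519_<server>
gen_ssh_config() {
    dir=$1 user=${2:-}
    for key in "$dir"/id_ed25519_*; do
        case $key in *.pub) continue ;; esac    # skip the public halves
        [ -f "$key" ] || continue               # empty dir: the glob stays literal
        server=${key##*/id_ed25519_}
        printf 'Host %s\n    HostName %s\n' "$server" "$server"
        if [ -n "$user" ]; then printf '    User %s\n' "$user"; fi
        printf '    IdentityFile %s\n    IdentitiesOnly yes\n\n' "$key"
    done
}

# constructed stand-ins for key pairs made per server
KEYDIR=$(mktemp -d)
trap 'rm -rf "$KEYDIR"' EXIT
for s in web1 db2; do : > "$KEYDIR/id_ed25519_$s"; : > "$KEYDIR/id_ed25519_$s.pub"; done
gen_ssh_config "$KEYDIR" alice
```

Append the output to ~/.ssh/config (mode 600) and ssh web1 picks the right key by itself; ssh -G web1 | grep -i identit shows what the client actually resolved for a host.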


