[nzlug] Server initiated SSH session
Nick 'Zaf' Clifford
zaf at nrc.co.nz
Mon Feb 25 13:34:35 NZDT 2008
Michael Hutchinson wrote:
> <snip>
> I want to connect to our mail server at work, via SSH. It is publicly
> addressable, but not for SSH - we have had hack attempts on SSH before
> so we blocked SSH in the firewall, except from the internal network.
>
<snip>
I know it's stupid, but the easiest way to work around SSH hack attempts
is to move it to a different port. You can even have SSH listening on
two ports, and simply firewall port 22 from external traffic.
Of course, there are far more technical means to deal with SSH attacks.
* You could use port knocking
* You could set up a firewall entry that limits connections to 4
connections in one minute, with a continuous delay (e.g. if you hit the
port 5 times, it blocks all traffic for 1 minute; if you hit it again
within that extra minute, you get blocked for a further minute). I use
this method (with different timespans) and very, very rarely see anyone
who has written a script that deliberately attacks slowly.
* You could force the use of public/private keys only, and then laugh
and laugh and laugh at the feeble dictionary attacks (then cry when you
realize you have 2GB of SSH attack logs)
* You could set up IPv6, and use IPv6's integrated IPsec authorization
to only accept authorized SSH traffic (OK, so this isn't practical at
the moment)
That's just some that I can think of.
Nick
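The first three suggestions above (a second listening port with port 22 firewalled from outside, a per-minute connection limit whose block keeps extending while the attacker keeps hitting, and key-only logins) can be expressed as a small sshd_config fragment plus iptables rules. The script below is an added example written for this page, not something Nick or the original poster supplied; the LAN range 192.168.1.0/24, the alternate port 2222 and the rule names are assumptions. IPT defaults to "echo iptables" so it can be reviewed as a dry run without root; run it with IPT=iptables as root to apply the rules.

```shell
#!/bin/sh
# Added example (not from the original post): sshd on two ports, password
# logins off, and iptables rate limiting on the externally reachable port.
# IPT defaults to a dry run; set IPT=iptables to really install the rules.
IPT="${IPT:-echo iptables}"
INTERNAL_NET="${INTERNAL_NET:-192.168.1.0/24}"   # assumed LAN range
ALT_PORT="${ALT_PORT:-2222}"                     # assumed alternate port
LIMIT_SECONDS=60   # window length
LIMIT_HITS=5       # 5th new connection inside the window is dropped,
                   # i.e. 4 connections per minute are allowed

# Lines to append to /etc/ssh/sshd_config: listen on both ports and
# accept only public-key authentication so dictionary attacks cannot win.
sshd_extra_config() {
  cat <<EOF
Port 22
Port $ALT_PORT
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
EOF
}

# Firewall rules for the INPUT chain. Port 22 stays LAN-only; the alternate
# port is reachable from anywhere but rate limited with the "recent" match.
ssh_firewall_rules() {
  # Port 22: internal network only, everything else dropped.
  $IPT -A INPUT -p tcp --dport 22 -s "$INTERNAL_NET" -j ACCEPT
  $IPT -A INPUT -p tcp --dport 22 -j DROP

  # Alternate port: every new connection from an address records a timestamp.
  $IPT -A INPUT -p tcp --dport "$ALT_PORT" -m state --state NEW \
       -m recent --name SSH --set
  # If LIMIT_HITS timestamps fall inside the last LIMIT_SECONDS, drop. Because
  # the --set rule above records a timestamp for the dropped attempt too, a
  # client that keeps hammering stays blocked until it has been quiet for a
  # full window: this is the "further minute" behaviour described above.
  $IPT -A INPUT -p tcp --dport "$ALT_PORT" -m state --state NEW \
       -m recent --name SSH --update --seconds "$LIMIT_SECONDS" \
       --hitcount "$LIMIT_HITS" -j DROP
  # Anything still standing is a well-behaved new connection.
  $IPT -A INPUT -p tcp --dport "$ALT_PORT" -m state --state NEW -j ACCEPT
}

# Dry run: print the config fragment and the rules that would be installed.
sshd_extra_config
ssh_firewall_rules
```

Two caveats a practitioner should keep in mind: the block only holds while the attacker keeps connecting, so a script that pauses for a full window between attempts (the slow attacker mentioned in the post) is never dropped, and the rate limit then only buys time, which is why the key-only setting is the part that actually decides the outcome. Also make sure the INPUT chain has an ESTABLISHED,RELATED accept rule ahead of these, otherwise the rules only see the first packet of each connection as intended but any policy of DROP will cut existing sessions.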