Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 27

Thread: Best SSH Login Strategy

  1. #11
    Join Date
    Feb 2007
    Beans
    185

    Re: Best SSH Login Strategy

    Use a public key encrypted with a passphrase and do not use the default port. Also do not allow root login.

    I changed from the default to a random port and I saw a dramatic decrease in the amount of dictionary/brute force attacks.
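Post #11 lists three sshd_config changes (non-default port, no root login, key-only authentication). As an added example, not code from the thread, here is a small POSIX shell audit that reads an sshd_config and reports which of those three settings are in place; the two config files it checks are constructed for the demo, and the defaults it assumes for absent directives are the stock OpenSSH ones (PermitRootLogin defaults to prohibit-password on OpenSSH 7.0 and later, yes on older releases).

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the three
# settings recommended above (non-default port, no root login, key-only auth).
# The two config files below are constructed for the demo.

# Effective value of a top-level directive. sshd uses the first occurrence of
# a keyword, so the first uncommented match wins. Match blocks are ignored
# here (assumption: the audited files have none).
sshd_directive() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Print findings; return 0 if the file passes all three checks, 1 otherwise.
audit_sshd_config() {
    cfg="$1"
    fails=0
    port=$(sshd_directive "$cfg" Port)
    [ -z "$port" ] && port=22                      # sshd default
    root=$(sshd_directive "$cfg" PermitRootLogin)
    [ -z "$root" ] && root=prohibit-password       # OpenSSH >= 7.0 default
    pw=$(sshd_directive "$cfg" PasswordAuthentication)
    [ -z "$pw" ] && pw=yes                         # sshd default
    pk=$(sshd_directive "$cfg" PubkeyAuthentication)
    [ -z "$pk" ] && pk=yes                         # sshd default

    if [ "$port" = 22 ]; then
        echo "WARN  Port 22 (default): expect dictionary attacks in auth.log"
        fails=$((fails + 1))
    else
        echo "ok    Port $port"
    fi
    if [ "$root" != no ]; then
        echo "WARN  PermitRootLogin $root: set it to 'no'"
        fails=$((fails + 1))
    else
        echo "ok    PermitRootLogin no"
    fi
    if [ "$pw" != no ] || [ "$pk" != yes ]; then
        echo "WARN  PasswordAuthentication $pw, PubkeyAuthentication $pk: want no/yes"
        fails=$((fails + 1))
    else
        echo "ok    key-only authentication"
    fi
    [ "$fails" -eq 0 ]
}

WEAK=$(mktemp); HARDENED=$(mktemp)
trap 'rm -f "$WEAK" "$HARDENED"' EXIT

# Constructed: a stock-looking config with the risky settings uncommented.
cat > "$WEAK" <<'EOF'
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

# Constructed: the thread's recommendations applied.
cat > "$HARDENED" <<'EOF'
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF

for f in "$WEAK" "$HARDENED"; do
    echo "== $f"
    if audit_sshd_config "$f"; then echo "PASS"; else echo "FAIL"; fi
done
```

On a real host, `sudo sshd -T` prints the effective configuration (after defaults and Match blocks are applied) and is the authoritative thing to grep, and `sudo sshd -t` validates the file before you restart the daemon. The passphrase on the key itself is set client-side when the key is generated (`ssh-keygen` prompts for it), not in sshd_config.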

  2. #12
    Join Date
    Apr 2006
    Location
    Ubuntuland
    Beans
    2,124
    Distro
    Ubuntu 13.10 Saucy Salamander

    Re: Best SSH Login Strategy

    Quote Originally Posted by boast View Post
    oh yes it does. I would bet $100 those bot login attempts will go away.

    He is not trying to defend himself from a targeted attack....
    The "bots" these days are far smarter than that and will scan all ports for all services. It's extremely easy to program this and "bots" do not care how hard they have to work.

    I had an ssh server listening on port 23 (which is the standard FTP port) and I still got plenty of SSH login attempts.
    24 beers in a case, 24 hours in a day. Coincidence? I think not!

    Trusty Tahr 64 bit, AMD Phenom II 955 Quad Core 3.2GHz, GeForce 9600 GT
    16G PC2-6400 RAM, 128 GB SSD, Twin 1TB SATA 7200 RPM RAID0

  3. #13
    Join Date
    Nov 2005
    Location
    Sendai, Japan
    Beans
    11,296
    Distro
    Kubuntu

    Re: Best SSH Login Strategy

    Quote Originally Posted by Slim Odds View Post
    I had an ssh server listening on port 23 (which is the standard FTP port) and I still got plenty of SSH login attempts.
    The FTP port is 21. 23 is the Telnet port.

  4. #14
    Join Date
    Aug 2009
    Location
    La Plata
    Beans
    55
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Best SSH Login Strategy

    Quote Originally Posted by Slim Odds View Post
    The "bots" these days are far smarter than that and will scan all ports for all services. It's extremely easy to program this and "bots" do not care how hard they have to work.

    I had an ssh server listening on port 23 (which is the standard FTP port) and I still got plenty of SSH login attempts.
    Port 23 is telnet's standard port, which is also a target for bot scans. Once the bot knows a port is open, they usually fingerprint the service running on that port.

    If you want to avoid these bot attacks you should move your SSH service to a high, uncommon port like 10000 (choosing port 8080 or 6667 is also a bad idea). That way you will avoid the service being detected by average scans.

    Of course this does not increase the security of the host, but at least it will make your log more readable and you'll be able to detect specific attacks against you.

  5. #15
    Join Date
    Sep 2009
    Location
    UK
    Beans
    435
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Best SSH Login Strategy

    Did I hear $100? So if I create a honeypot on port 9999 and it gets scanned in a couple of weeks, I get $100?

    OK OK, as was said earlier, use a USB stick to carry a key with you; if that is not possible, use SSL to secure an online login where you can download the key from. This will aid in the defence from MITM attacks, although still far from best... I don't even open port 22 to the WAN...

    I too recommend you use a USB device to carry a key around with you.

    I too recommend DenyHosts if you are to enable password auth to the WAN (expect a lot of emails)...

    Also, if you are open to the WAN, protect yourself from the latest vulns by ensuring your software is up to date!

    Also switch off all headers that can identify your software versions, whether it's SSH/Apache/Tomcat/FTP/mail, whatever...

    Also, yes, bots only use weak/boring passwords; however, they also post back details on software versions found... could make you the next targeted attack...

    And for info on port scans: it takes me around 40 min to scan 10000 ports...

    Also firewall your server!

    There are 3 major IP ranges that can easily be blocked: European, Asian and US... choose accordingly...
    My personal website with blog n apps
    http://www.mikejonesey.co.uk/

  6. #16
    Join Date
    Apr 2006
    Location
    Ubuntuland
    Beans
    2,124
    Distro
    Ubuntu 13.10 Saucy Salamander

    Re: Best SSH Login Strategy

    Quote Originally Posted by Bachstelze View Post
    The FTP port is 21. 23 is the Telnet port.
    My mistake, I did have it on 21.

    The point was that it STILL got SSH hits.

  7. #17
    Join Date
    Sep 2010
    Location
    Burlington, VT
    Beans
    132
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Best SSH Login Strategy

    thanks for all the advice guys. I ended up just setting up public/private key authentication. I figure I can make all the files I need to access available through http and email myself for all the files I want to put back on the server.

    I have also installed fail2ban. I'm not entirely sure if it's working, as I pretty much have the default config installed. When I run sudo iptables -L I find this, though. Not sure if it means that it is working or not.

    Code:
    jonzo@jonzo-station:~$ sudo iptables -L
    [sudo] password for jonzo: 
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    fail2ban-ssh  tcp  --  anywhere             anywhere            multiport dports ssh 
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            ctstate RELATED,ESTABLISHED 
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www 
    DROP       all  --  anywhere             anywhere            
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain fail2ban-ssh (1 references)
    target     prot opt source               destination         
    RETURN     all  --  anywhere             anywhere
    As for a firewall I'm not doing anything with iptables(as you can see) or any other firewall. I am sitting behind a router that forwards port 80 and 22(i will consider changing the port for ssh). Is this adequate or does it still leave me at risk?
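A note on reading the output above: a `fail2ban-ssh` chain that contains only `RETURN` means the jail is wired into the INPUT chain but no source address is currently banned; when fail2ban bans an address it inserts a DROP or REJECT rule for that source ahead of the RETURN, and `sudo fail2ban-client status ssh` shows the jail's counters directly. To make the detection logic concrete, here is an added example (not part of the post and not fail2ban's own code) that applies the same two knobs fail2ban calls `maxretry` and `findtime` to a set of constructed sshd auth.log lines, in POSIX shell and awk. The hostname, addresses and timestamps in the sample log are made up; the parser assumes syslog-style lines from a single month, as the sample is.

```shell
#!/bin/sh
# Added example, not from the thread and not fail2ban's code: a minimal
# fail2ban-style detector. An address is "banned" once it has at least
# MAXRETRY failed SSH logins within any FINDTIME-second window.

# Constructed sample log (syslog format as written by sshd on Ubuntu).
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Jan 12 03:14:01 jonzo-station sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51822 ssh2
Jan 12 03:14:03 jonzo-station sshd[2203]: Failed password for invalid user oracle from 198.51.100.7 port 51830 ssh2
Jan 12 03:14:04 jonzo-station sshd[2205]: Failed password for root from 198.51.100.7 port 51841 ssh2
Jan 12 03:14:06 jonzo-station sshd[2207]: Failed password for invalid user test from 198.51.100.7 port 51850 ssh2
Jan 12 03:14:09 jonzo-station sshd[2209]: Failed password for invalid user guest from 198.51.100.7 port 51861 ssh2
Jan 12 03:20:11 jonzo-station sshd[2240]: Failed password for jonzo from 203.0.113.5 port 40122 ssh2
Jan 12 03:20:40 jonzo-station sshd[2242]: Accepted publickey for jonzo from 203.0.113.5 port 40130 ssh2
Jan 12 04:02:17 jonzo-station sshd[2301]: Failed password for invalid user pi from 192.0.2.9 port 33001 ssh2
Jan 12 05:30:00 jonzo-station sshd[2388]: Failed password for invalid user pi from 192.0.2.9 port 33040 ssh2
Jan 12 05:30:01 jonzo-station sshd[2389]: Failed password for invalid user pi from 192.0.2.9 port 33041 ssh2
Jan 12 05:30:02 jonzo-station sshd[2390]: Failed password for invalid user pi from 192.0.2.9 port 33042 ssh2
Jan 12 05:30:03 jonzo-station sshd[2391]: Failed password for invalid user pi from 192.0.2.9 port 33043 ssh2
EOF

# find_bans LOGFILE MAXRETRY FINDTIME_SECONDS
# Prints each source address to ban, once, in the order the threshold is hit.
find_bans() {
    awk -v maxretry="$2" -v findtime="$3" '
    /sshd\[[0-9]+\]: Failed password for/ {
        # Syslog lines carry no year; day-of-month plus time is enough for
        # ordering within one month (assumption for this sample).
        split($3, t, ":")
        now = $2 * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
        if (ip == "" || (ip in banned)) next
        n[ip]++
        times[ip, n[ip]] = now
        # Count failures from this address inside the sliding window.
        recent = 0
        for (j = 1; j <= n[ip]; j++) if (now - times[ip, j] <= findtime) recent++
        if (recent >= maxretry) { banned[ip] = 1; print ip }
    }' "$1"
}

echo "maxretry=5 findtime=600: fast dictionary run is caught, slow scanner is not"
find_bans "$LOG" 5 600
echo "maxretry=5 findtime=7200: the slow scanner from 192.0.2.9 is caught too"
find_bans "$LOG" 5 7200
```

The second run shows the trade-off behind `findtime`: a scanner that spreads its attempts out slips under a short window, while a long window bans it at the cost of keeping more state per address. A successful `Accepted publickey` line never counts, so a legitimate user who fat-fingers a password once (203.0.113.5 above) is untouched.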

  8. #18
    Join Date
    Jul 2006
    Location
    USA
    Beans
    328
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: Best SSH Login Strategy

    I guess I must just be a special case where I haven't gotten a single ssh login attempt in years being a different port (for a home server, not some commercial server).

  9. #19
    Join Date
    Aug 2009
    Location
    La Plata
    Beans
    55
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Best SSH Login Strategy

    You're not a special case. Same happened to me and most people I know who did the same.

  10. #20
    Join Date
    Mar 2008
    Beans
    115

    Re: Best SSH Login Strategy

    Quote Originally Posted by San_SS! View Post
    You're not a special case. Same happened to me and most people I know who did the same.
    Don't care, changing the default ssh server port number does NOT in ANY way improve the security...

    I also had a lot of attempts on port 22, changed to a higher one, there is no hit. I think I will put it back to 22 with an installed IDS and fail2ban.
    Being a target means being on the internet. End of line.
    Takedown blog (hungarian)

