Group: comp.os.linux.networking
From: David Brown
Date: Thursday, April 10, 2008 4:34 PM
Subject: Re: How to PREVENT a user from logging in through SSH

Ignoramus15795 wrote:

> I think that after limiting logon rights to a set of accounts, I am in
> good shape. These rate limiting rules can easily get me DOSed and
> locked out. (unless the limits are per IP)
>

No, the limits are not per IP (it's probably possible to do that using
iptables - there are modules for all sorts of things). And certainly
limiting your ssh accounts and their login rights is the most important
step for securing your ssh. But I don't think the rate limit rules here
are going to make it more likely to get you locked out by a DOS attack.

First off, when you are looking at defending against DOS attacks, it's
important to analyse the risks. Are you actually a likely target for
such an attack? If you can imagine that someone will have motivation
for attacking your particular machine (financial motives, revenge, or
whatever), then you are perhaps at high risk and must plan accordingly.
For the huge majority of sites, however, there is little risk - a
cracker will pick *your* site more or less at random, and when his ssh
cracking effort is failing due to rate limiting, he will simply move on
to an easier target.

Secondly, if you *don't* have rate limiting enabled, then a DOS on your
ssh port will be far worse, since it will consume more resources on your
system and network - perhaps causing other services to fail as well.

It is also perfectly possible to avoid the possible problem in at least
two different ways. If you have a fixed IP address from your remote
location (such as your home office), then you can simply insert a rule
ACCEPTing all ssh packets from that address (and if you don't have a
fixed IP address, and consider your site a high-risk target, then it's
high time you got such a fixed address. Filtering on IP addresses is
not foolproof, but it's an easy and cheap way of greatly improving your
security).

An alternative method is to have a second server on an independent IP
address (and perhaps even an independent connection to the Internet)
which will act as a backdoor server. Obviously this needs to be equally
secure, but since it is not hosting your website (or other services), it
is a very unlikely target. This machine should then have privileged
access to the main server via an independent Ethernet port (which is
much harder to fake than a privileged source IP address). Then if you
need to, you can tunnel your ssh to the main server via the backdoor
server. You could even drop the Internet-facing ssh access to the main
server altogether - any breakins then need to compromise two machines.
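An added illustration (not part of David's post) of the two rulesets being discussed: a single global limit on new ssh connections, which a flood from anywhere can exhaust, beside a per-source-IP limit with an ACCEPT rule for a fixed admin address placed ahead of it. ADMIN_IP is a constructed placeholder; by default the script only prints the iptables commands.

```shell
#!/bin/sh
# Added illustration, not from the original post. Two ways to rate-limit
# new SSH connections with iptables; the second keys the limit on source
# address and whitelists a fixed admin IP so a flood from elsewhere cannot
# lock the admin out. ADMIN_IP is a constructed placeholder (TEST-NET-3).
# Default is a dry run that only prints the commands; run as root with
# IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"
SSH_PORT="${SSH_PORT:-22}"

# Weak form: one shared token bucket for every source. Once any host
# exhausts it, the DROP rule that follows hits the admin's connections too.
ssh_rules_global() {
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m limit --limit 3/min --limit-burst 5 -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j DROP
}

# Per-source form: accept the fixed admin address before any limit is
# consulted, then give each source IP its own bucket via hashlimit and
# drop only the sources that exceed it. Established sessions are unaffected.
ssh_rules_per_ip() {
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -s "$ADMIN_IP" -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip \
        --hashlimit-above 3/min --hashlimit-burst 5 -j DROP
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
}

# Preview (or apply, with IPT=iptables) the per-source ruleset.
ssh_rules_per_ip
```

Order matters: the ACCEPT for the admin address must precede the hashlimit DROP, otherwise the whitelist never takes effect.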
