Group: comp.os.linux.networking
From: Ignoramus9437
Date: Thursday, April 10, 2008 4:52 PM
Subject: Re: How to PREVENT a user from logging in through SSH

On 2008-04-10, David Brown wrote:
> Ignoramus15795 wrote:
>
>> I think that after limiting logon rights to a set of accounts, I am in
>> good shape. These rate limiting rules can easily get me DOSed and
>> locked out. (unless the limits are per IP)
>>
>
> No, the limits are not per IP (it's probably possible to do that using
> iptables - there's modules for all sorts of things). And certainly
> limiting your ssh accounts and their login rights are the most important
> step for securing your ssh. But I don't think the rate limit rules here
> are going to make it more likely to get you locked out by a DOS attack.
>
> First off, when you are looking at defending against DOS attacks, it's
> important to analyse the risks. Are you actually a likely target for
> such an attack? If you can imagine that someone will have motivation
> for attacking your particular machine (financial motives, revenge, or
> whatever), then you are perhaps at high risk and must plan accordingly.
> For the huge majority of sites, however, there is little risk - a
> cracker will pick *your* site more or less at random, and when his ssh
> cracking effort is failing due to rate limiting, he will simply move on
> to an easier target.

I can see being a target of a specific person (not that I know of
anyone, but USENET and all, it is possible). I have a strong server on
a good network, and it is not easy to bog it down with ssh requests.

> Secondly, if you *don't* have rate limiting enabled, then a DOS on your
> ssh port will be far worse, since it will consume more resources on your
> system and network - perhaps causing other services to fail as well.

disagree

> It is also perfectly possible to avoid the possible problem in at least
> two different ways. If you have a fixed IP address from your remote
> location (such as your home office), then you can simply insert a rule
> ACCEPTing all ssh packets from that address (and if you don't have a
> fixed IP address, and consider your site a high-risk target, then it's
> high time you got such a fixed address. Filtering on IP addresses is
> not foolproof, but it's an easy and cheap way of greatly improving your
> security).
>
> An alternative method is to have a second server on an independent IP
> address (and perhaps even an independent connection to the Internet)
> which will act as a backdoor server. Obviously this needs to be equally
> secure, but since it is not hosting your website (or other services), it
> is a very unlikely target. This machine should then have privileged
> access to the main server via an independent Ethernet port (which is
> much harder to fake than a privileged source IP address). Then if you
> need to, you can tunnel your ssh to the main server via the backdoor
> server. You could even drop the Internet-facing ssh access to the main
> server altogether - any breakins then need to compromise two machines.

I use backdoors a lot in the form of SSH tunnels, and this could be a very
good idea.

i
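The "backdoor server" arrangement David describes, reaching the main server through a second machine that sits on an independent address and talks to the main server over a private Ethernet link, as an added ssh_config fragment that is not from either poster. The hostnames and the private address are constructed placeholders, and it assumes an OpenSSH client with `ProxyJump` support (7.3 or later):

```sshconfig
# Added example, not from the thread. Placeholder names throughout.
# The main server's Internet-facing sshd can then be closed entirely;
# reaching it requires first authenticating to the backdoor host.
Host backdoor
    HostName backdoor.example.net   # independent public address
    User admin
    IdentityFile ~/.ssh/id_backdoor

Host main
    HostName 10.0.0.2               # main server, private Ethernet link only
    User admin
    ProxyJump backdoor              # tunnel through the backdoor host
    IdentityFile ~/.ssh/id_main
```

With this in place `ssh main` opens the session through the backdoor host, and a breakin to the main server over SSH needs both machines compromised, which is the property the post is after.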
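The two mechanisms discussed in this exchange, a per-source-IP rate limit for SSH (the "iptables modules" David mentions) and an ACCEPT rule for a fixed admin address placed ahead of it so the admin cannot be locked out by a flood, as an added example that is not code from either poster. It uses the iptables `recent` match; the trusted address, port and thresholds are constructed placeholders, and by default the rules are only echoed (set `IPT=iptables` as root to apply them):

```shell
#!/bin/sh
# Added example: per-IP SSH rate limiting with a whitelist for a fixed
# admin address. Not from the thread; all values below are placeholders.

TRUSTED_IP="${TRUSTED_IP:-203.0.113.10}"  # assumption: admin's fixed home-office IP
SSH_PORT="${SSH_PORT:-22}"
WINDOW=60      # seconds of history the `recent` module looks back over
HITS=4         # new connections allowed per WINDOW from one source IP
IPT="${IPT:-echo iptables}"  # dry run by default; IPT=iptables applies for real

# Emit the rules in the order they must be appended to INPUT.
ssh_rules() {
    # 1. The fixed admin address is accepted BEFORE any limiting rule,
    #    so a flood from elsewhere can never lock this address out.
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -s "$TRUSTED_IP" -j ACCEPT
    # 2. Record every new SSH connection attempt in the list named "SSH".
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
         -m recent --set --name SSH
    # 3. Drop a source that has made HITS or more new attempts within
    #    WINDOW seconds; the limit is tracked per source IP, so one
    #    attacker's flood does not consume another address's budget.
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
         -m recent --update --seconds "$WINDOW" --hitcount "$HITS" --name SSH -j DROP
    # 4. Everything else reaches sshd, which still enforces its own
    #    account restrictions (AllowUsers and friends).
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
}

# Position (1-based) of the first emitted rule matching a pattern; used to
# check that the whitelist really precedes the DROP rule.
rule_index() {
    ssh_rules | grep -n -- "$1" | head -n1 | cut -d: -f1
}

ssh_rules
```

Order matters: if the DROP rule were appended before the whitelist, a flood would lock the trusted address out too, which is exactly the failure mode Ignoramus is worried about. The `conntrack --ctstate NEW` qualifier keeps the limit on connection attempts only, so an established admin session is never counted against the budget.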
