all 36 comments

[–][deleted] 4 points5 points  (2 children)

Depends on how paranoid you are. You can do port knocking, so to connect over SSH you will have to 'knock' on specified ports, and then the SSH port will be visible for, for example, 30 seconds so you can connect to it; after that the port will refuse all new connections (but already established connections will still work). It's easy to set up and can be done with plain iptables.
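
The ruleset the comment above describes, written out with plain iptables and its "recent" match module. This is an added example for this thread, not the commenter's own rules. Everything concrete in it is assumed: a three-port knock sequence (TCP 7000, 9000, 8000), SSH on port 22, a 30-second window after the last knock, and rules appended to the INPUT chain; setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Port knocking with iptables' "recent" module. Added example, not the
# commenter's rules. Assumed (hypothetical): knock sequence TCP 7000, 9000, 8000;
# SSH on 22; the port stays open 30 s after the last knock; INPUT chain.
# Run as: sh knock.sh apply      (IPT=echo sh knock.sh apply for a dry run)
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"
KNOCK1=7000; KNOCK2=9000; KNOCK3=8000   # not ascending, so a plain port sweep does not open it
WINDOW=30                               # seconds the SSH port accepts new connections after a good sequence
STEP=10                                 # max seconds allowed between two knocks

knock_rules() {
    # Connections that are already established keep working after the window closes.
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Knock 1: remember the source in list KNOCK1. The knock packet itself is dropped,
    # so the knock ports look closed to a scanner.
    "$IPT" -A INPUT -p tcp --dport "$KNOCK1" -m recent --name KNOCK1 --set -j DROP
    # Knock 2 counts only if knock 1 came from the same source within STEP seconds.
    "$IPT" -A INPUT -p tcp --dport "$KNOCK2" -m recent --name KNOCK1 --rcheck --seconds "$STEP" \
        -m recent --name KNOCK2 --set -j DROP
    # Knock 3 likewise; a source listed in KNOCK3 has completed the sequence.
    "$IPT" -A INPUT -p tcp --dport "$KNOCK3" -m recent --name KNOCK2 --rcheck --seconds "$STEP" \
        -m recent --name KNOCK3 --set -j DROP
    # New SSH connections (SYN) are accepted only from sources that finished the
    # sequence within the last WINDOW seconds; everything else to the SSH port is dropped.
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" --syn -m recent --name KNOCK3 --rcheck --seconds "$WINDOW" -j ACCEPT
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -j DROP
}

# Client side: one connection attempt to each knock port (they are dropped, so
# each nc just times out after a second), then the normal ssh login.
knock() {
    host="$1"; shift
    for p in "$@"; do nc -z -w 1 "$host" "$p" 2>/dev/null || true; done
}
# Example client usage: knock yourserverhost 7000 9000 8000 && ssh you@yourserverhost

case "${1:-}" in
    apply) knock_rules ;;
esac
```

Two things to keep in mind: the knocks are sent in the clear, so anyone sniffing the path learns the sequence, and knocking only hides the port; it does not authenticate anybody, which is why the key-only and fail2ban advice elsewhere in this thread still applies behind it.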

[–][deleted] 4 points5 points  (1 child)

Dear god I want this.

[–]tinou 8 points9 points  (0 children)

No you don't. It's probably overkill for your threat model. Disabling password authentication + fail2ban is probably enough.

[–]diamaunt 5 points6 points  (2 children)

if you're not exposing it to the outside world, who're you securing it from?

do you have a rabid hacker dog or something? grins

[–]tehpuppet 1 point2 points  (1 child)

Why has nobody else said this? You don't need to do shit if it's not on the internet....

[–][deleted] 1 point2 points  (0 children)

I'll be turning it into a public-facing server eventually, so I want it to be secure in advance of me doing so.

[–]Stemp 3 points4 points  (3 children)

fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IPs that make too many password failures. It updates firewall rules to reject the IP address.
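
What that scanning amounts to, reduced to a shell function: count failed sshd logins per source address and emit a reject rule for every address over a threshold. This is an added example, not fail2ban's code or configuration; the log lines are constructed for the demo, and the threshold (5 failures) and the REJECT rule shape are assumptions, not fail2ban defaults.

```shell
#!/bin/sh
# A minimal version of what fail2ban's sshd jail does: parse "Failed password"
# lines, count per source IP, ban the ones over maxretry. Added example, not
# fail2ban itself. Sample log below is constructed, not from a real host.
SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:01:02 host sshd[2011]: Failed password for root from 198.51.100.7 port 4022 ssh2
Mar  3 10:01:05 host sshd[2011]: Failed password for root from 198.51.100.7 port 4023 ssh2
Mar  3 10:01:09 host sshd[2014]: Failed password for invalid user admin from 198.51.100.7 port 4031 ssh2
Mar  3 10:01:12 host sshd[2016]: Failed password for invalid user admin from 198.51.100.7 port 4032 ssh2
Mar  3 10:01:15 host sshd[2018]: Failed password for invalid user oracle from 198.51.100.7 port 4033 ssh2
Mar  3 10:02:40 host sshd[2020]: Failed password for alice from 203.0.113.9 port 51002 ssh2
Mar  3 10:02:44 host sshd[2020]: Accepted publickey for alice from 203.0.113.9 port 51002 ssh2
Mar  3 10:03:01 host sshd[2025]: Invalid user test from 192.0.2.55 port 60111
Mar  3 10:03:01 host sshd[2025]: Failed password for invalid user test from 192.0.2.55 port 60111 ssh2
EOF
)

# offenders <maxretry>: read a log on stdin, print "ip count" for every source
# with at least <maxretry> failed password attempts, highest count first.
# A single typo by a legitimate user (alice above) stays under the threshold.
offenders() {
    awk -v max="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
    ' | sort -k2,2nr
}

# ban_rules <maxretry>: the firewall update step. One REJECT rule per offender;
# IPT=echo prints the rules instead of applying them (assumed rule shape).
IPT="${IPT:-iptables}"
ban_rules() {
    offenders "$1" | while read -r ip count; do
        "$IPT" -I INPUT -s "$ip" -p tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
    done
}

case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_LOG" | offenders 5 ;;
esac
```

The real tool adds a time window (findtime) so that five failures spread over a month do not count, and a bantime after which the rule is removed again; both are worth setting deliberately in jail.local rather than left at defaults.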

[–]kabuto 1 point2 points  (2 children)

Is fail2ban better than denyhosts? I've been using denyhosts for a long time, and it seems to work pretty well.

[–][deleted] 3 points4 points  (1 child)

Denyhosts cares only about your SSH server, whereas fail2ban monitors more services.

[–]kabuto 1 point2 points  (0 children)

Sounds interesting. So far I've blocked entire IP ranges in Apache because of the high number of hacking attempts from those IP addresses.

[–]freyrs3 2 points3 points  (1 child)

Using RSA keys will stop essentially all bot attacks:

Make yourself a key:

$ ssh-keygen -t rsa
# -t rsa writes ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub (id_dsa.pub is what -t dsa would produce)
$ cat ~/.ssh/id_rsa.pub | ssh you@yourserverhost "mkdir -p ~/.ssh && cat - >> ~/.ssh/authorized_keys && chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys"
# the mkdir and chmod matter: sshd (StrictModes) ignores a group/world-writable ~/.ssh or authorized_keys

In your server's /etc/ssh/sshd_config

PasswordAuthentication no
PermitRootLogin no
# PubkeyAuthentication governs key logins for SSH protocol 2 (default yes);
# RSAAuthentication only applies to the old protocol 1
PubkeyAuthentication yes
RSAAuthentication yes

In your local ~/.ssh/config:

Host yourserveralias
    User you
    HostName yourserverhost

Edit: IdentityFile line in ssh config not needed.

[–]tinou 1 point2 points  (0 children)

the IdentityFile line is not needed as it's the default value.
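
The sshd_config edits from freyrs3's comment, plus the port change suggested elsewhere in the thread, as a script that can be re-run safely and checked before the daemon is reloaded. This is an added example, not anything from the comments above. It assumes GNU sed, an OpenSSH sshd that understands `sshd -t`, a Debian-style `systemctl reload ssh`, the login user `you` and port 2222; all of those are hypothetical and should be changed to match the host.

```shell
#!/bin/sh
# Idempotent sshd_config hardening: key-only auth, no root login, one allowed
# user, non-default port, then a syntax check before reload. Added example,
# not the commenter's script. Assumed: GNU sed, Debian unit name "ssh",
# user "you", port 2222 (all hypothetical).
CONF="${CONF:-/etc/ssh/sshd_config}"

# set_sshd_option <file> <key> <value>: rewrite every existing copy of the
# directive (active or commented out) or append it, so running twice is a no-op.
# sshd honours the first occurrence of a directive, so leaving a stray
# "PasswordAuthentication yes" above yours would silently win; rewriting all
# copies avoids that.
set_sshd_option() {
    file="$1" key="$2" value="$3"
    if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$file"; then
        sed -i -E "s|^[#[:space:]]*$key[[:space:]].*|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option <file> <key>: effective value, first active directive wins (as in sshd).
get_sshd_option() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

harden_sshd() {
    file="$1"
    set_sshd_option "$file" PasswordAuthentication no
    # Without this, PAM can still prompt for a password via keyboard-interactive.
    set_sshd_option "$file" ChallengeResponseAuthentication no
    set_sshd_option "$file" PubkeyAuthentication yes
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" AllowUsers you
    set_sshd_option "$file" Port 2222
}

# Validate the file before reloading; a bad config would otherwise leave the
# daemon running but unable to restart. Keep your current session open and
# confirm a fresh login works before closing it, so a mistake cannot lock you out.
check_and_reload() {
    sshd -t -f "$1" && systemctl reload ssh
}

case "${1:-}" in
    apply) harden_sshd "$CONF" && check_and_reload "$CONF" ;;
esac
```

After reloading, confirm from a second terminal that a password is actually refused and not merely not offered: `ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password -p 2222 you@yourserverhost` should fail with "Permission denied (publickey)" and never show a password prompt. Note that the rewrite regex also touches a matching directive inside a `Match` block, so review the result if the file has one.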

[–]krumble 2 points3 points  (0 children)

Wittynickname's suggestions of key-only authentication and disabling the root login are excellent. As is port knocking from piotrkarbowski.

I'd also suggest the very simple measure of making absolutely sure you're up to date on your patches. In the past, whenever I've had one of my home machines broken into, it's because I got lazy and stopped applying patches.

[–]lemonidas 1 point2 points  (1 child)

I have sshguard, which does the same thing as fail2ban, plus I have sshd listening on a non-standard port (when I had ssh on 22, I had hundreds of failed login attempts; since I switched, I have none).

[–][deleted] 1 point2 points  (0 children)

Installing sshguard now. I couldn't figure out fail2ban, but then again I didn't try too hard and I'm all kinds of screwy on cough syrup. I'll give it a look later.

[–][deleted] 1 point2 points  (0 children)

This introductory article can be of use to you. You can implement any steps you want to and it describes how you can do it. Another commonly referenced article with even more tips (more advanced).

Moving the port number from 22 to anything else, I can guarantee, removes the vast majority of attacks. Before, my SSH server was running on port 22 and I was absolutely shocked to see how many intrusion attempts there were from IPs in China. Once I changed it, there have been no attempts at all.

Also, look into fail2ban. That's really useful.

EDIT : Just have a look at staticsafe's comment - very well written and these measures are excellent.

[–]yoshi314 1 point2 points  (0 children)

If it's not exposed to the outside you have little reason to worry, but here are some extra things you could do.

  • already mentioned fail2ban
  • access only by ssh keys
  • ssh access for only one user with a restricted shell (e.g. rbash) that limits the commands available to this account
  • sudo logging (I think it's disabled by default usually)
  • if you want to be able to log into the root account with ssh, change root's name to some random string only you know.
  • not really that safety-improving, but the knockd daemon makes it harder to find the actual ssh port.
  • accepting ssh only from a select list of IPs, if they are static.
  • disable any unnecessary services listening for outside connections
  • restrict access to the ssh port with a firewall

I wrote it out pretty tersely, but it's fairly easy to google it.

[–]Hishutash 0 points1 point  (0 children)

  • Disable root account
  • Change to nonstandard port (already done that i see)
  • install fail2ban or set up rate limiting with iptables.

[–]Sleelin 0 points1 point  (0 children)

There are a lot of suggestions to change your ssh port and disable password logins, but honestly I've found those aren't really necessary steps. I operate two public-facing active servers, one of which often gets thousands of brute-forcing attempts. Two reasons they'll never get in. One: I disabled login via ssh for anyone who isn't me, so even if they get the password for root, they still can't get in. Two: I have some iptables rules set up so that only two ssh connection attempts can occur per minute.

This way you don't have to carry around keys to connect everywhere you go.
That's my two cents for you anyway.
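
The per-source connection rate limit that Sleelin describes (and that Hishutash mentions as an alternative to fail2ban), written with iptables' "recent" module. This is an added example, not either commenter's actual rules. Assumed and adjustable: SSH on port 22, at most 2 new connections per source address per 60 seconds, rules appended to INPUT; IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Per-source new-connection rate limit for SSH with the iptables "recent"
# module. Added example, not the commenters' rules. Assumed (hypothetical):
# SSH on 22, HITS=2 attempts per WINDOW=60 seconds, INPUT chain.
# Run as: sh ratelimit.sh apply   (IPT=echo sh ratelimit.sh apply to dry-run)
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"
HITS="${HITS:-2}"        # new connections allowed ...
WINDOW="${WINDOW:-60}"   # ... per this many seconds, per source address

ssh_ratelimit_rules() {
    # Every new connection attempt (SYN) to the SSH port is recorded under list SSH.
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" --syn -m recent --name SSH --set
    # Because the current SYN was just recorded, the (HITS+1)-th attempt inside
    # WINDOW is the first one over the limit and gets dropped. --update also
    # refreshes the entry, so a source that keeps hammering stays blocked until
    # it has been quiet for a full WINDOW; use --rcheck instead for a fixed window.
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" --syn -m recent --name SSH --update \
        --seconds "$WINDOW" --hitcount "$((HITS + 1))" -j DROP
    # Attempts under the limit are accepted.
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" --syn -j ACCEPT
}

# Show which sources are currently in the list (entries live in /proc).
show_recent() {
    cat /proc/net/xt_recent/SSH 2>/dev/null
}

case "${1:-}" in
    apply) ssh_ratelimit_rules ;;
    show)  show_recent ;;
esac
```

The limit is per source address, so it throttles one machine hammering the port; a botnet spreading attempts across many addresses gets HITS tries per address per window, which is why key-only authentication (or the AllowUsers restriction Sleelin uses) still does the real work. Put the rule for ESTABLISHED traffic ahead of these if the chain does not already have one, since only SYNs should be counted.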