Changes

From Amahi Wiki
Jump to: navigation, search

Secure SSH against brute force attacks (view source)

Revision as of 06:09, 30 August 2013

1,371 bytes added ,  06:09, 30 August 2013
no edit summary
With more and more people installing Amahi we have more and more Amahi's exposed to the internet when people start opening up ports in their routers to be able to access their servers remotely. Since SSH is used by many this is often also exposed outwards. This opens up for SSH brute force attacks (which can be both fast and effective).
To bring some kind of default protection to the platform against this I purpose that we include the following iptable rules by default
[root@dahome ~]# iptables --list
target prot opt source destination
There are many more or less elaborate ways of doing this, but these three simple rules add good basic protection. This will allow a couple of failed SSH login attempts and then add a 60 second cool down. Effectively killing any interest in brute forcing the server in question.To add these rules run the following as root  iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force " iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP Rules created with the iptables command are stored in memory. If the system is restarted before saving the iptables rule set, all rules are lost. For netfilter rules to persist through a system reboot, they need to be saved. To save netfilter rules, type the following command as root  iptables-save > /etc/sysconfig/iptables<b>NOTE:</b> This actually doesn't work for F19. They have changed things. So you will lose the settings on reboot and have to manually enter them again. Will update once I found the correct way for F19. What you can do for now is to create a simple script that executes the following on start up to restore the rules saved above  iptables-restore < /etc/sysconfig/ipdtables  = Disable root ssh access = 
Another tip is to disable root ssh access if you don't really need it since that is one of the most common user names used when brute forcing.
and you will not need to type the -p in ssh or other programs that use ssh, like rsync, when accessing your host.
 
= Other Techniques =
 
Other techniques, in some case more advanced, include:
 
* [http://www.linuxjournal.com/article/8957 Dual-factor authentication]
* [https://www.linux.com/learn/tutorials/351079-weekend-project-secure-your-system-with-port-knocking Port knocking]
Inquam
24

edits

Retrieved from "https://wiki.amahi.org/index.php/Special:MobileDiff/72962...73016"