Thread: sshd_config

  1. #1
    Senior Member
    Join Date
    Feb 2004
    Location
    Maryland, USA
    Posts
    771

    sshd_config

    When out on the road I want to ssh into my home net. I've set up a dyn dns name, and I directed my router to fwd ssh traffic to my linux box. I altered sshd_config to have
    PermitRootLogin no
    AllowUsers myusername

    All of which enabled me to ssh in and feel somewhat secure.

    But reviewing my /var/log/auth.log I'm getting lots of unwelcome and unsuccessful break-in attempts. With enough tries (currently occurring every 2 seconds) I'm concerned those bad boys might eventually crack my uname and pwd.

    Should I somehow shut off pwd authentication and just make sure I carry around my id_rsa private key and use it on the inbound pc? How do you road warriors practice safe ssh?

  2. #2
    Administrator Bok's Avatar
    Join Date
    Oct 2003
    Location
    Wake Forest, North Carolina, United States
    Posts
    24,471
    Blog Entries
    13
    I've been doing it for years and have probably had multiple millions of attempts to get in without success...

    Anyway, what I tend to do is port forward some other port like 8456 or so to 22 on a machine and make sure it has a password which is not easily crackable. 8 digits with numbers and upper/lowercase virtually guarantees that any password generator won't get in...

    BOk

  3. #3
    =>Team Joker<= LAURENU2's Avatar
    Join Date
    Dec 2004
    Location
    Chicago IL USA
    Posts
    5,478
    Blog Entries
    1
    Use the best password: Team_Free-DC. It is almost unbeatable.

  4. #4
    Keeper of the Fridge PY 222's Avatar
    Join Date
    Jul 2002
    Location
    San Jose, CA
    Posts
    2,706
    Quote Originally Posted by LAURENU2
    Use the best password: Team_Free-DC. It is almost unbeatable.
    I don't know about that Lauren.

    MerePeer, I get hit by these brute-force attacks all the time and when it gets bad, I get logs worth MBs on a daily basis from my Logwatch.

    Just change the default port to something else like what Bok recommended and you should eliminate a lot of the brute-force. Also, a strong password is very important.

  5. #5
    Big Fat Gorilla guru's Avatar
    Join Date
    Dec 2001
    Location
    Warren, OR
    Posts
    501
    Yeah, I had the same issue so I just changed the port on my firewall to 223 and had it forward to the standard port 22 on my internal server. SSH login attempts went away after that.
    I'm having fun!!! I'm just not sure if it's net fun or gross fun.

  6. #6
    Target Butt IronBits's Avatar
    Join Date
    Dec 2001
    Location
    Morrisville, NC
    Posts
    8,619
    You guys are sneaky and sharp!

  7. #7
    Administrator PCZ's Avatar
    Join Date
    Jun 2003
    Location
    Chertsey Surrey UK
    Posts
    2,428
    I do the same thing with Terminal Services.
    Let the router translate a high port number on the outside to 3389 on the inside.

  8. #8
    Stats God in Training Darkness Productions's Avatar
    Join Date
    Dec 2001
    Location
    The land of dp!
    Posts
    4,164
    Another thing you can do, if you only log in from certain IPs (this doesn't work so well if you need to log in from all over) is set up an iptables rule to block requests to port 22 unless they come from a specific IP...

    It looks like this:
    Code:
    # Accept new SSH connections only from $SOURCE_IP; a later DROP rule (or a default DROP policy on INPUT) catches everyone else
    $IPTABLES -A INPUT -p tcp -i $WAN -s $SOURCE_IP --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    There's also an SSH brute-force killer in iptables:
    Code:
    $IPTABLES -A INPUT -p tcp -i $WAN --dport 22 -m state --state NEW -m recent --set --name SSH
    $IPTABLES -A INPUT -p tcp -i $WAN --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
    Which basically says that if there are 4 attempts in under 60 seconds to port 22, then start dropping requests from that IP.
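The same 4-attempts-in-60-seconds rule applied to the auth.log lines the first post complains about, as an added example (not code from any of the posts); the log lines, host name and addresses are constructed:

```python
"""Flag SSH brute-force sources in auth.log the way the iptables 'recent'
rule in post #8 does: 4 or more failures from one address inside 60 s.
Added example, not from the original post; the log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 home sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Mar  3 10:15:03 home sshd[2203]: Failed password for root from 203.0.113.9 port 40130 ssh2
Mar  3 10:15:05 home sshd[2205]: Failed password for invalid user oracle from 203.0.113.9 port 40141 ssh2
Mar  3 10:15:07 home sshd[2207]: Failed password for invalid user test from 203.0.113.9 port 40150 ssh2
Mar  3 10:20:30 home sshd[2250]: Accepted publickey for myusername from 198.51.100.7 port 51000 ssh2
Mar  3 11:00:00 home sshd[2301]: Failed password for root from 192.0.2.44 port 33001 ssh2
Mar  3 11:05:00 home sshd[2302]: Failed password for root from 192.0.2.44 port 33002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_line(line, year=2024):
    """Return (timestamp, result, user, ip), or None for lines we ignore."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def find_bruteforce_sources(log_text, window_seconds=60, hitcount=4):
    """Sliding window of failure timestamps per source IP, like the
    'recent' module: once `hitcount` failures fall inside `window_seconds`
    the IP is recorded with the time the threshold was crossed."""
    recent = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "Failed":
            continue
        ts, _, _, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= hitcount and ip not in flagged:
            flagged[ip] = ts
    return flagged
```

The slow guesser (two failures five minutes apart) is not flagged by the 60 s window, which is exactly the gap the stronger-password and non-default-port advice in this thread is meant to cover.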

  9. #9
    Good suggestions everyone. I have my firewall set to block the SSH port, with exceptions for the IPs I usually use. But that won't work if I'm travelling so I also have port-knocking set up so I can access the server when I need to from any IP if I know the correct "knock".

  10. #10
    Senior Member
    Join Date
    Feb 2004
    Location
    Maryland, USA
    Posts
    771
    I picked a new port and told the router to forward it instead of 22, then I set up a second ssh daemon with its own config file with a new "Port", "PidFile", and a new "AllowUsers" with 1 new user which has a complex password. After I ssh in I can just su.
    I left the original daemon on port 22 (lan access only) to make it easier when working inhouse.
    Thanks for the advice!
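A check for the settings discussed in the first post and in the second-daemon setup above, as an added example (not code from any of the posts). It assumes the road-warrior daemon also gets PasswordAuthentication no, and the port, pid file and user name in the samples are made up:

```python
"""Audit an sshd_config for the hardening this thread settles on (first post,
post #10).  Added example, not code from the original posts.  sshd keeps the
FIRST value of each keyword; lines after 'Match' are conditional."""
import re

def parse_global_section(text):
    """{keyword_lower: [values]} for the unconditional part, first value wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break                           # conditional block: stop here
        if key == "port":                   # every Port line adds a listener
            settings.setdefault(key, []).append(value)
        elif key not in settings:
            settings[key] = [value]         # later duplicates are ignored
    return settings

def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    s = parse_global_section(text)
    first = lambda k: s.get(k, [""])[0].lower()
    findings = []
    if first("permitrootlogin") != "no":
        findings.append("PermitRootLogin is not 'no'")
    if first("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing still possible")
    if "allowusers" not in s:
        findings.append("AllowUsers unset: any local account may log in")
    if "22" in s.get("port", ["22"]):       # sshd defaults to 22 when unset
        findings.append("sshd listens on the default port 22")
    return findings

# Constructed samples: the OP's first config, and a second-daemon config
# like post #10 (port, pid file and user name are made-up values).
ORIGINAL_CONFIG = "PermitRootLogin no\nAllowUsers myusername\n"
ROADWARRIOR_CONFIG = """\
Port 8456
PidFile /var/run/sshd-roadwarrior.pid
PermitRootLogin no
PasswordAuthentication no
AllowUsers roadwarrior
PasswordAuthentication yes
"""
```

The trailing PasswordAuthentication yes in the second sample is ignored, as sshd itself would ignore it; the reverse order would silently leave passwords enabled, which is the sort of mistake the ssh_config/sshd_config mix-up in the next post shows is easy to make.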

  11. #11
    has been eaten by a grue.
    Join Date
    Jun 2003
    Location
    Detroit, MI
    Posts
    384
    Just don't do what I did earlier this week, MeerPeer, and spend 2 days madly editing /etc/ssh/ssh_config, and wondering why it wasn't working...

  12. #12
    Free-DC Semi-retire gopher_yarrowzoo's Avatar
    Join Date
    Mar 2002
    Location
    Knoxville, TN
    Posts
    3,985
    yeah much like me with apache httpd files, not got it 100% and I'm thinking of upgrading; I'm using a package (see other thread which right now I can't be bothered linking to, it's been a long day)
    Semi-retired from Free-DC...
    I have some time to help.....
    I need a new laptop,but who needs a laptop when you have a phone...
    Now to remember my old computer specs..
