Monday, August 30, 2004

SSH Security through Obscurity

The SANS site has a good writeup on SSH security through obscurity. Recently there have been reports of SSH scanning and brute force attempts. The handler's diary entry for Aug 30th talks about moving SSH to a different port, which puts up a small speedbump when hackers try to reach your SSH server. They point out an important caveat: if a script kiddie is doing a general scan of port 22 they should pass over your SSH server and mark it as not being accessible, but if a hacker is focusing on your individual system they will most likely do a full port scan and find it anyway. The handler who posted these suggestions has his own site.

The first step is to open three SSH connections to the box. His reasoning for this is that if anything goes wrong you still have some connections open to the remote server. Next, edit the /etc/sysconfig/sshd file by adding the port number to the "OPTIONS" line (OPTIONS='-p 1011').
The next step is to configure TCP wrappers and set the firewall to allow incoming connections on the new port.
Then restart sshd with /etc/init.d/sshd restart
The primary daemon will restart on the new port, and the existing connections on the old SSH port 22 will remain open for emergencies.
The next step is to edit the ssh client config file by adding the following entry:
Host mysshserver
Port 1011
Now connect to the server with the command ssh mysshserver
Everything should work and you should be in. If not, you can use one of the other open connections to troubleshoot or revert back to the previous settings.
Thanks, Bill, for the good tips.
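The port move above, rehearsed as a script. This is an added example, not the handler's or the original post's code: it edits copies of the two files (so nothing on the live box changes until you decide to), prints the TCP-wrappers and firewall lines to apply, and leaves the restart and the test connection to you. The 192.0.2.0/24 trusted network, the file paths and the "demo" argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the SANS diary or the original post): rehearse the
# sshd port move on copies of the files, then apply the real change by hand
# with the spare sessions the post recommends still open.
set -eu

# set_sshd_port SYSCONFIG PORT: rewrite or add the OPTIONS line so sshd is
# started with "-p PORT". Writes via a temp file so a failed sed cannot
# truncate the original, then prints the resulting OPTIONS value.
set_sshd_port() {
  file="$1"; port="$2"
  if grep -q '^OPTIONS=' "$file"; then
    sed "s/^OPTIONS=.*/OPTIONS=\"-p $port\"/" "$file" > "$file.tmp"
  else
    cp "$file" "$file.tmp"
    printf 'OPTIONS="-p %s"\n' "$port" >> "$file.tmp"
  fi
  mv "$file.tmp" "$file"
  sed -n 's/^OPTIONS="\(.*\)"$/\1/p' "$file"
}

# add_client_host CONFIG ALIAS PORT: append the client-side Host block so that
# "ssh ALIAS" uses the new port (the post's "Host mysshserver / Port 1011").
add_client_host() {
  printf 'Host %s\n    Port %s\n' "$2" "$3" >> "$1"
}

# access_rules PORT CIDR: the two lines that keep the new port from being open
# to the whole world: a TCP-wrappers entry for /etc/hosts.allow and an
# iptables accept rule limited to the trusted network (CIDR is an assumption).
access_rules() {
  printf 'hosts.allow: sshd: %s\n' "$2"
  printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$1" "$2"
}

# Dry run on stand-in files: invoke as "sh move_port.sh demo".
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  printf 'OPTIONS=""\n' > "$work/sshd"   # stand-in for /etc/sysconfig/sshd
  : > "$work/ssh_config"                 # stand-in for ~/.ssh/config
  echo "OPTIONS now: $(set_sshd_port "$work/sshd" 1011)"
  add_client_host "$work/ssh_config" mysshserver 1011
  access_rules 1011 192.0.2.0/24
  echo "Then: /etc/init.d/sshd restart   (from a session you can afford to lose)"
  echo "Verify from another window: ssh -p 1011 mysshserver"
  rm -rf "$work"
fi
```

The demo edits only temporary copies; to do it for real, point set_sshd_port at /etc/sysconfig/sshd and add_client_host at ~/.ssh/config, put the printed hosts.allow and iptables lines in place before the restart, and keep the old port-22 sessions open until ssh -p 1011 succeeds from a fresh window.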

UPDATE******
Other users on the SANS site posted additional security measures on Aug 30th which can be used with SSH. One suggestion is to use your firewall to restrict who is allowed to connect to the port. Another is to set "PermitRootLogin no" and "PasswordAuthentication no" in the sshd_config file.
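The two sshd_config settings from the update, applied in a way that survives the stock file's commented-out defaults. This is an added example, not code from the SANS diary or the original post; it works on a copy of sshd_config (path is an assumption) because sshd honours the first occurrence of a directive, so simply appending "PermitRootLogin no" below an active "PermitRootLogin yes" would not take effect. Check the result with sshd -t -f before restarting.

```shell
#!/bin/sh
# Added example (not from the SANS diary or the original post): set hardening
# directives in a copy of sshd_config, replacing active or commented-out lines
# such as "#PermitRootLogin yes" so the hardened value is the first match.
set -eu

# set_directive FILE KEY VALUE: rewrite every existing (possibly commented)
# occurrence of KEY as "KEY VALUE", or append the line if KEY is absent.
# Assumes the canonical capitalisation used in the stock sshd_config.
set_directive() {
  file="$1"; key="$2"; value="$3"
  if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|=)" "$file"; then
    sed -E "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]]|=).*/$key $value/" "$file" > "$file.tmp"
  else
    cp "$file" "$file.tmp"
    printf '%s %s\n' "$key" "$value" >> "$file.tmp"
  fi
  mv "$file.tmp" "$file"
}

# effective_value FILE KEY: print the value sshd would use, i.e. the first
# active (uncommented) "KEY VALUE" line; assumes whitespace-separated syntax.
effective_value() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden FILE: the two settings recommended in the update.
harden() {
  set_directive "$1" PermitRootLogin no
  set_directive "$1" PasswordAuthentication no
}

# Usage: sh harden_sshd.sh /path/to/copy/of/sshd_config
if [ -n "${1:-}" ]; then
  harden "$1"
  echo "PermitRootLogin:        $(effective_value "$1" PermitRootLogin)"
  echo "PasswordAuthentication: $(effective_value "$1" PasswordAuthentication)"
  echo "Now run: sshd -t -f $1   and copy it into place only if that is silent."
fi
```

Turning off PasswordAuthentication locks out anyone whose public key is not yet in authorized_keys, so load your key and confirm a key-based login works from one of the spare sessions before the restart.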