Friday, November 05, 2004

SSH Configuration Tips from SANS - Internet Storm Center

The SANS Internet Storm Center has been keeping an eye on some SSH brute force attempts that appear to be from a script kiddie trying to break into systems. There is also a write-up, which is easier to get to, detailing the attempt to break into a Honey Pot on their HoneyNet Analysis page.

One of the tips they offer on their Internet Storm Center Diary page concerns the SSHd configuration file. The main suggestion is to limit the accounts that can log in to SSHd and to tighten the other parameters so that the time frame in which someone can log in is limited. Their recommended settings are:
PermitRootLogin no
AllowUsers userA userB userC
Protocol 2
LoginGraceTime 20s
MaxStartups 5
Banner /etc/ssh/sshd_banner
Also ensure your users use strong passwords.

A second tip is one which I've talked about before, and that is to run SSH on a different port than normal, but you have to check that your users' systems know where to look for SSH too. Currently it seems that the SSH scans are on the standard port and are not going beyond that.



Monday, November 01, 2004

Group or World writeable Directories in root's PATH

Start by typing echo $PATH. The results will tell you where the shell will search for executable files. A null entry in your PATH equates to the same thing as a dot. Including the current working directory either with a "." or by "::" makes it possible for a hacker to gain superuser privileges by forcing an administrator operating as root to execute a Trojan horse program.

The shell variable PATH defines the search path and the order of priority for executable files on the system. Alternative paths are separated by a colon (:). The current directory can be specified by two or more adjacent colons, or by a period in between two colons. The shell searches each directory in the order specified within the $PATH variable for an executable file that matches the name of the file you are trying to execute.
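
A way to check a PATH for the entries described above: null entries, a dot, and group- or world-writeable directories. This is an added example, not part of the original post; the function name audit_path and the finding labels are assumptions made for illustration. It also flags relative entries and leading or trailing colons, which resolve against the current directory in the same way.

```shell
#!/bin/sh
# audit_path PATHSTRING
# Prints one finding per risky entry; prints nothing for a clean PATH.
audit_path() {
    # Append a colon so a trailing null entry ("/bin:") is seen by the loop.
    rest="$1:"
    while [ -n "$rest" ]; do
        dir=${rest%%:*}     # text before the first colon
        rest=${rest#*:}     # everything after the first colon
        case $dir in
            '') echo "NULL-ENTRY (current directory)"; continue ;;
            .)  echo "DOT-ENTRY (current directory)"; continue ;;
            /*) ;;          # absolute path: check its permissions below
            *)  echo "RELATIVE $dir"; continue ;;
        esac
        # Entries that do not exist cannot be searched; skip them.
        [ -d "$dir" ] || continue
        # -L follows symlinks so a link such as /bin -> usr/bin reports
        # the mode of the real directory. Field looks like "drwxr-xr-x".
        mode=$(ls -ldL "$dir" | cut -c1-10)
        case $mode in
            ????????w*) echo "WORLD-WRITABLE $dir" ;;   # 9th char: other write
            ?????w*)    echo "GROUP-WRITABLE $dir" ;;   # 6th char: group write
        esac
    done
}

# Audit the PATH of the current shell. Run from a root login shell
# to audit root's PATH.
audit_path "$PATH"
```

Any line of output is an entry to remove from PATH or a directory whose permissions need tightening.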