SSH security problem

Hi Guys
I use Redhat ES 4.0 on my server
I run a small business with 12 users
I am the only one who uses remote access
I have lately been seeing an excessive number of brute-force attacks and am concerned about security.
My router is set up to allow only ssh protocol
The router is also set up to bar access while I am not online, meaning: the server is only vulnerable while I am accessing it remotely.
Soooo
I am looking to limit remote ssh access to one user-id
and restrict remote sessions to only one at a time.
Meaning: do not allow a second remote ssh login session while one is in progress.
Is that alternative practical?
Any other alternatives?
Will also consider a commercial solution..
Your help is appreciated
Thank you
Dory
dory550 asked:

Gabriel Orozco (Solution Architect) commented:
There are several ways to manage these automated attacks on ssh.

1. There is this script "denyhosts" that, at the third failed attempt on an account, disables ssh for that host. URL: http://denyhosts.sourceforge.net/

2. My preferred solution: disable password login on ssh, so you will need to provide the key if you want access. That way no password-based brute-force attack will affect your computer.

how to use keys for everything?
http://sial.org/howto/openssh/publickey-auth/

where to configure key-only?
/etc/sshd/sshd_conf
which lines?
ChallengeResponseAuthentication no
or, if present, use this one:
PasswordAuthentication no

You need to restart your sshd service after these changes, so this needs to be done locally and preferably at the console. After you have successfully restarted sshd, verify that you cannot ssh to the machine with passwords anymore. Also make sure you can connect using keys.

The key-based mechanism is way more secure, and once you learn how to use ssh-agent, it's easier too.
0
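The sshd_config changes described in this answer (key-only login plus, for the asker's "one user-id" requirement, an AllowUsers line and no remote root login), as an added example that is not from the thread or from any of the posters. The file path, the sample config contents and the user name "dory" are assumptions for illustration; on a real host the target is /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not code from the thread. Applies key-only authentication
# and a one-user allow list to an sshd_config file. The sample config,
# the file path and the user name "dory" are assumptions for illustration.

# set_opt FILE KEY VALUE: replace any existing (even commented-out) KEY line
# with "KEY VALUE", or append the line when the key is absent. Replacing the
# commented default avoids ending up with two lines, where sshd honours the
# first one it finds.
set_opt() {
  file=$1; key=$2; value=$3
  if grep -Eq "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$file"; then
    sed -E "s|^[[:space:]]*#?[[:space:]]*$key[[:space:]].*|$key $value|" "$file" > "$file.tmp" \
      && mv "$file.tmp" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# harden_sshd FILE USER: the settings discussed in the answer, plus the
# allow list and root-login restriction the asker is after.
harden_sshd() {
  file=$1; user=$2
  set_opt "$file" PasswordAuthentication no
  set_opt "$file" ChallengeResponseAuthentication no
  set_opt "$file" PubkeyAuthentication yes
  set_opt "$file" PermitRootLogin no
  set_opt "$file" AllowUsers "$user"
}

# get_opt FILE KEY: print the effective value, i.e. the first uncommented
# match, which is how sshd resolves duplicate keywords.
get_opt() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# demo: run against a constructed sample so the effect can be inspected
# without touching a real server.
demo() {
  cfg=$(mktemp)
  cat > "$cfg" <<'EOF'
# constructed sample of a stock sshd_config (not a real server's file)
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
#PermitRootLogin yes
X11Forwarding yes
EOF
  harden_sshd "$cfg" dory
  cat "$cfg"
  rm -f "$cfg"
}

if [ "${1:-}" = demo ]; then demo; fi
```

On the real file, run `harden_sshd /etc/ssh/sshd_config dory`, validate with `sshd -t` before restarting, and keep your current session open until a fresh key-based login has succeeded, so a mistake in the config does not lock you out.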

kenfcamp commented:
Another thing you can do is set up a firewall rule to deny all SSH access except for your local network IP range(s) and your remote IP (assuming it's a static IP).

This can work by itself or in conjunction with the above suggestion.

In addition, if you have accounts that do not need to log in (shell logins), I would also recommend changing their default shell to /bin/none, or /bin/false if FTP access is needed. (Actual file names and/or paths may differ with your dist.)
0
dory550 (Author) commented:
kenfcamp:

Thanks for your input

Would getting a static IP enhance my security?
Besides the expense, are there any other downsides?
Dory
0
Gabriel Orozco (Solution Architect) commented:
The downsides of having a static IP are almost none.

With a dynamic IP you are harder to locate, but only that.

You can have a dynamic IP + dynamic DNS and the effect is the same.
0
kenfcamp commented:
[with the dynamic ip you are harder to locate, but only that.]

Redimida, I'd have to agree with you on that, in most cases.

However, if you're trying to block access to everybody except for one specific IP address, having a dynamic remote IP usually will mean that once your IP rotates, you'd be locked out too.

[Would getting a static IP enhance my security?]

Not in itself, no, but it can make life easier in some cases.

0
dory550 (Author) commented:
Hi Guys
I see that the answer to my static IP question is a "Definite Maybe".
Soooo
Let me see if I got it straight.
If I get a static IP from Verizon (at home) I would be able to let my server know what my static IP is.
And whenever an ssh connection is attempted, my server would match the IP it has on file with the IP of the incoming connection. If it's a match the server allows the connection, otherwise it is rejected.
In other words, a static IP will make sense if I mostly connect to my office from one place (home).
A static IP will not make sense if I travel a lot and connect from various points.
Did I understand it correctly?
Dory
0
Gabriel Orozco (Solution Architect) commented:
You understand correctly.

But that easiness is something you can do with the firewall, with ssh not even needing to know.

Maybe you would want to give a second look to the ssh keys administration. It's good for what you want and does not require the purchase of a fixed IP.
0
kenfcamp commented:
Even using the key suggestion (which is a good idea), you should really look at tightening the box down.

"IF" you do not intend to allow outside SSH connections from anyone other than yourself, you should tighten it down.

Leaving it open is inviting potential problems. All it will take is 1 user account with a valid shell and a weak password, and you're compromised.

Though this is JMO.

Ken
0
Gabriel Orozco (Solution Architect) commented:
Mmhh... interesting.

The whole concept here is about passwords:
ssh attack, looking for weak passwords;
ssh for only one IP, because of passwords;
tightening your box because of passwords.

The use of RSA keys (which also use passwords for them) adds an extra level of security: only your private key can ssh to the box, and nobody but you has it. And in case you left it on some computer, it still has a password on it.

Interesting how one can look in one direction for protection but not in the other.
0
kenfcamp commented:
[Interesting how one can look in one direction for protection but not in the other.]

Isn't it though?

I do believe I mentioned your suggestion was a good idea. However, while it is more secure than passwords, a user's private key can still be compromised.

Whether through a firewall, or /etc/host.allow and /etc/host.deny, services like ssh should be locked down.
0
Gabriel Orozco (Solution Architect) commented:
kenfcamp:
I'm sorry if my comment sounded mean. I was trying to note that the whole thread went off toward locking IP addresses while dory550 still has a dynamic IP. Please accept my apologies if you were offended.

Yes, it is more secure to lock down the IP addresses allowed to ssh, but at the same time it takes away all the flexibility he/she needs for the connection.

Maybe mixing both recommendations would make a better answer: locking down IP addresses and using keys.

It's also good not to forget to use non-standard ports for ssh (security by obscurity, which is not good since a real hacker can bypass it easily, but it can be a great help in locking out automated scripts).
0
dory550 (Author) commented:
Thank you both for your input.
If I read between the lines: absolute safety is an illusion, no one solution is foolproof. The more you "tighten the box", the more you are "relatively safe".
So I conclude this (so far):
1. I need a static IP
2. strong passwords
3. I need to use a private key
4. disallow remote root login
5. disallow remote ssh login to any user except myself
Looks to me like step 5 is the hardest here. Is that where I use the "host.deny" and "host.allow" services?
Would "host.deny" and "host.allow" run in every login session, or can an intruder somehow prevent them from running?
If the answer to the above question is "yes", then is there any other file that will always execute no matter what?

Dory

Is there a 2nd line of defense where I also filter... Can I filter users?

0
dory550 (Author) commented:
Can I implement a 60-second interval between failed (ssh only) logins?
Dory
0
Gabriel Orozco (Solution Architect) commented:
Hi Dory

For 1., my recommendation is that it is not needed, only better.

For ssh, hosts.deny and hosts.allow are mandatory. There is no way a user can bypass them unless ssh itself is compromised, which is unlikely if you *also* keep your boxes more or less up to date.

So the conclusion is yes, hosts.deny can do the trick and you are safe to use it.

Regards
0
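The TCP wrappers setup the two posters are discussing (sshd allowed only from listed sources, refused from everywhere else), as an added example that is not from the thread. It writes the two files and includes a small checker that mimics tcpd's evaluation order so you can see what a given source address would get before relying on it. The target directory, the addresses and the subset of pattern syntax supported by the checker are assumptions for illustration; on a real box the files are /etc/hosts.allow and /etc/hosts.deny, and they only take effect for an sshd linked against libwrap.

```shell
#!/bin/sh
# Added example, not code from the thread: restrict sshd with TCP wrappers
# and check how a source address would be treated. Directory, addresses and
# the supported pattern subset are assumptions for illustration.

# write_wrappers DIR SOURCE...: sshd accepts only the listed sources (an
# exact address, a trailing-dot prefix such as "10.0.0.", or ALL); every
# other source is refused by libwrap before the login is even attempted.
write_wrappers() {
  dir=$1; shift
  allow=""
  for src in "$@"; do
    allow="${allow:+$allow, }$src"
  done
  printf 'sshd: %s\n' "$allow" > "$dir/hosts.allow"
  printf 'sshd: ALL\n' > "$dir/hosts.deny"
}

# pattern_matches PATTERN ADDR: the subset of tcpd pattern syntax this
# checker understands (ALL, "a.b.c." prefix, exact address).
pattern_matches() {
  case $1 in
    ALL) return 0 ;;
    *.)  case $2 in "$1"*) return 0 ;; esac ;;
    *)   [ "$1" = "$2" ] && return 0 ;;
  esac
  return 1
}

# wrapper_decision DIR ADDR: tcpd's order of evaluation - a match in
# hosts.allow wins, then a match in hosts.deny refuses, and an address
# matched by neither file is allowed.
wrapper_decision() {
  dir=$1; addr=$2
  for f in hosts.allow hosts.deny; do
    [ -f "$dir/$f" ] || continue
    list=$(sed -n 's/^sshd:[[:space:]]*//p' "$dir/$f" | tr ',' ' ')
    for pat in $list; do
      if pattern_matches "$pat" "$addr"; then
        case $f in hosts.allow) echo allow ;; *) echo deny ;; esac
        return 0
      fi
    done
  done
  echo allow
}

# Usage on a scratch directory (constructed addresses, RFC 5737 ranges):
#   d=$(mktemp -d); write_wrappers "$d" 192.0.2.10 10.0.0.
#   wrapper_decision "$d" 192.0.2.10     # allow
#   wrapper_decision "$d" 198.51.100.5   # deny
```

Because hosts.allow is consulted first, the "sshd: ALL" in hosts.deny never touches your own addresses; adding a new location later is one more entry in hosts.allow, not a change to the deny file.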
dory550 (Author) commented:
Redimido
I am trying to put all those ducks in a row.
Question:
Can I implement a 60-second interval between failed (ssh only) logins?
Is that practical?
If yes, what is the downside?
Dory
0
Gabriel Orozco (Solution Architect) commented:
I would not do that.

Better go with a tool that detects failed login attempts for ssh, and at the n-th one disables the offending IP using TCP wrappers.

That is exactly what denyhosts does, and it is a great approach.
You can also limit new connections from your firewall to a certain amount for a given IP (I remember having done something like that some time ago).
0
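Both firewall ideas raised in this thread, the earlier suggestion to allow SSH only from your own address range and the per-IP limit on new connections mentioned just above, as an added example that is not from the thread. The function emits the iptables commands instead of running them, so the rule set can be reviewed (and tested) before it is applied as root. The source range, port and limit values are constructed placeholders; the `recent` match it uses needs the ipt_recent kernel module.

```shell
#!/bin/sh
# Added example, not code from the thread: generate an iptables rule set that
# accepts SSH only from one source and throttles repeated new connections
# from it. Printed rather than applied so it can be reviewed first.

# ssh_rules SOURCE [PORT] [WINDOW_SECONDS] [MAX_NEW_CONNECTIONS]
# Rule order matters:
#   1. record every new SSH connection from SOURCE in the "SSH" list
#   2. drop the connection if SOURCE already opened MAX_NEW within WINDOW
#   3. otherwise accept SSH from SOURCE
#   4. drop SSH from everybody else
ssh_rules() {
  src=$1; port=${2:-22}; win=${3:-60}; hits=${4:-4}
  cat <<EOF
iptables -A INPUT -p tcp --dport $port -s $src -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport $port -s $src -m state --state NEW -m recent --update --seconds $win --hitcount $hits --name SSH -j DROP
iptables -A INPUT -p tcp --dport $port -s $src -j ACCEPT
iptables -A INPUT -p tcp --dport $port -j DROP
EOF
}

# rule_count SOURCE [PORT]: how many rules the set contains (handy as a sanity
# check before piping the output into sh).
rule_count() {
  ssh_rules "$@" | wc -l | tr -d ' '
}

# Usage (constructed home range 203.0.113.0/24, SSH moved to 8022):
#   ssh_rules 203.0.113.0/24 8022            # review
#   ssh_rules 203.0.113.0/24 8022 | sh       # apply, as root
```

The throttle counts new connections, not failed logins, so a legitimate burst of four quick logins from your own address is also dropped for the window; pick the window and count with that in mind, and keep a console login available while you try it.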
kenfcamp commented:
[Better go with a tool that detects failed login attempts for ssh, and at the n-th one disables the offending IP using TCP wrappers.]

That's a very good point to bring up.

One such tool that could be used is "fail2ban".

It works with iptables and is very customizable (though the config file can be daunting the first time through).

Ken
0
dory550 (Author) commented:
Redimido
fail2ban looks like a good tool... thank you.

Sorry I take a while to respond. I have to take some time studying what you are suggesting
to understand what I am doing.

I understand that one of the steps I should take is to choose a non-default port number.
My router is set now to allow only the ssh protocol at port range 21-22.
I use the following command to connect from a Linux machine at home:
ssh -2 MyOffice.xyzdns.com
Let's say I would like to change that to 8022.
What steps do I have to take on the host machine to implement that?
Would it suffice to only change that to 3305-3306 on the router?
Thanks
Dory

0
Gabriel Orozco (Solution Architect) commented:
To move to 8022:

you should edit /etc/ssh/sshd_config and modify the listen port to be 8022,
or
create a rule in iptables forwarding what you receive on 8022 to localhost:22,

and open your router for port 8022.

To connect you would need (the port is given with -p; -l selects the login name):
ssh -2 -p 8022 MyOffice.xyzdns.com

You do not need to open more ports than 8022 =)
0
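The client side of the port move just described, as an added example that is not from the thread: rather than typing the port on every connection, put a Host stanza in ~/.ssh/config, and check which port the client will actually use for an alias before relying on it. The alias "myoffice", the user name "dory" and the scratch config file are assumptions; the host name and port are the ones from the thread. The resolver implements the client's first-match rule for Host blocks, so it also shows why a wildcard `Host *` stanza placed above a specific one would override it.

```shell
#!/bin/sh
# Added example, not code from the thread: write a Host entry for the moved
# SSH port and resolve the effective port for an alias the way the ssh
# client does (first matching Host block wins). Alias, user name and the
# scratch file are assumptions for illustration.

# write_host_entry CONFIG ALIAS HOSTNAME PORT USER: append a stanza so that
# "ssh ALIAS" is equivalent to "ssh -2 -p PORT -l USER HOSTNAME".
write_host_entry() {
  cat >> "$1" <<EOF
Host $2
    HostName $3
    Port $4
    User $5
    Protocol 2
EOF
}

# ssh_port_for CONFIG ALIAS: print the Port the client would use for ALIAS.
# Walk the file in order; a Host line opens a block that applies when one of
# its patterns is ALIAS or "*"; the first Port seen in an applicable block
# wins, and 22 is the default when none applies.
ssh_port_for() {
  awk -v h="$2" '
    tolower($1) == "host" {
      inblk = 0
      for (i = 2; i <= NF; i++) if ($i == h || $i == "*") inblk = 1
      next
    }
    inblk && tolower($1) == "port" && !found { print $2; found = 1 }
    END { if (!found) print 22 }
  ' "$1"
}

# Usage on a scratch file (the real one is ~/.ssh/config, mode 600):
#   f=$(mktemp); write_host_entry "$f" myoffice MyOffice.xyzdns.com 8022 dory
#   ssh_port_for "$f" myoffice    # 8022
#   ssh_port_for "$f" elsewhere   # 22
```

After the stanza is in place, `ssh myoffice` carries the port, user and protocol version, which also keeps the port out of shell history and scripts.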
dory550 (Author) commented:
Redimido
Thank you for your help
Dory
0