[NCLUG] iptables ssh protection, but with Linksys WRT54G DD-WRT?

Sean Reifschneider jafo at tummy.com
Wed Apr 12 15:10:38 MDT 2006


On Wed, Apr 12, 2006 at 02:09:14PM -0600, Benson Chow wrote:
>First off, thanks Hugh for the presentation.  I was wondering what people 
>were doing with all these annoying ssh attempts, this surely couldn't be 
>an issue I'm fighting myself.

I've been running SSH on a non-WKS port since mid-1995.  At that time there
wasn't really an issue with running on the WKS port, but there were plenty
of BIND and Sendmail issues around then and I decided just to make it a
little harder.  That has served me well.  Like I said last night, it's
really easy to find the SSH port, because it announces what it is, but just
having it on a non-WKS port seems to have prevented most of the problems.

I also tend to run with no password authentication, though.  One
thing that I just realized, Hugh said to look at the
"PasswordAuthentication" sshd config option.  Additionally, on Linux, you
need to also change "UsePAM" to "no", or it will still do password auth.  I
didn't think of that last night...

An even better option for protecting SSH is to set up an OpenVPN and only
allow SSH access via the VPN.  OpenVPN can be configured to use UDP packets
and only respond to packets that are appropriately signed during the
connection setup phase, so you can't even scan for the service.

And, you can install OpenVPN on your Linksys even...  Though I'd recommend
just having one or two OpenVPN systems that you connect to, and then only
allowing SSH access from them.  You probably don't want to manage OpenVPN
connections to every machine on your network...

Thanks,
Sean
-- 
 The only winner in the War of 1812 was Tchaikovsky
                 -- Solomon Short
Sean Reifschneider, Member of Technical Staff <jafo at tummy.com>
tummy.com, ltd. - Linux Consulting since 1995: Ask me about High Availability
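An added example, not part of Sean's message, to go with the sshd_config discussion above: a small checker that reads an sshd_config and reports whether any code path still lets a client log in with a password, and whether sshd is on the well-known port. It assumes OpenSSH semantics that are documented in sshd_config(5): keywords are case-insensitive, the first occurrence of a keyword wins, and directives under a Match block apply only to matching connections. The caveat it encodes is that on a PAM system the password prompt survives "PasswordAuthentication no" through the keyboard-interactive path, so the hardened sample also sets "ChallengeResponseAuthentication no" (OpenSSH 8.7 renamed it KbdInteractiveAuthentication; both are accepted here), which lets UsePAM stay on for account and session handling. The default of "UsePAM yes" is an assumption that matches most Linux distribution packages rather than upstream OpenSSH; the two sample configs are constructed for the example.

```python
"""Report whether an sshd_config still permits password logins.

Added example, not from the original post. Assumes sshd_config(5)
semantics: first keyword occurrence wins, keywords are case-insensitive,
lines whose first non-blank character is '#' are comments, and Match
blocks only apply to matching connections.
"""
import re

# Assumed defaults: upstream OpenSSH values, except UsePAM, which most
# Linux distribution packages ship as "yes".
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "yes",
    "port": "22",
}

# OpenSSH 8.7 renamed ChallengeResponseAuthentication; treat both as one key.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}

# "Keyword value" or "Keyword=value"; a bare keyword (e.g. "Match") is allowed.
_LINE = re.compile(r"([^\s=]+)(?:\s*=\s*|\s+|$)(.*)")


def parse_sshd_config(text):
    """Return {keyword: value} for global directives, first occurrence wins.

    Everything after a Match line is skipped: those directives are
    conditional and do not describe the global policy checked here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        key = ALIASES.get(m.group(1).lower(), m.group(1).lower())
        if key == "match":
            break
        settings.setdefault(key, m.group(2).strip().lower())
    return settings


def effective(settings, key):
    """Configured value, or the assumed default when the keyword is absent."""
    return settings.get(key, DEFAULTS[key])


def password_login_possible(text):
    """True if some authentication path still accepts a password."""
    s = parse_sshd_config(text)
    if effective(s, "passwordauthentication") == "yes":
        return True
    # PAM keyboard-interactive: prompts for the password even when
    # PasswordAuthentication is "no".
    return (effective(s, "usepam") == "yes"
            and effective(s, "challengeresponseauthentication") == "yes")


def listens_on_default_port(text):
    """True if sshd is on the well-known port 22."""
    return effective(parse_sshd_config(text), "port") == "22"


# Constructed sample configs, not taken from any real host.
WEAK_CONFIG = """\
# Looks locked down, but PAM keyboard-interactive still asks for a password
PasswordAuthentication no
UsePAM yes
"""

HARDENED_CONFIG = """\
Port 2222
PasswordAuthentication no
ChallengeResponseAuthentication no
# UsePAM can stay on for account/session handling once the prompt is closed
UsePAM yes
PubkeyAuthentication yes
# Conditional settings below are ignored by the global check
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: password login possible={password_login_possible(cfg)}"
              f" default port={listens_on_default_port(cfg)}")
```

Run it against a copy of /etc/ssh/sshd_config to see which of the two states a host is in; the weak sample is exactly the "PasswordAuthentication no but still prompting" situation the message describes.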