[NCLUG] iptables ssh protection, but with Linksys WRT54G DD-WRT?

Sean Reifschneider jafo at tummy.com
Sun Apr 16 12:51:51 MDT 2006


On Sun, Apr 16, 2006 at 11:27:29AM -0600, Jeffrey D. Means wrote:
>without password access, PKI only for logins along with changing my port
>to 2600.  Hope this helps someone a little.

Moving the port was something I brought up on Tuesday at the meeting,
because I've been doing it since the mid-'90s.  It's easy enough to
port-scan for SSH since it pushes out the banner, but moving it to a
different port has prevented most of the current noise related to password
cracking attacks.

I recommend using a privileged port, because running on a non-privileged
port can allow a non-privileged attacker to bind to it and do various kinds
of interception attacks.  Without password authentication it reduces the
impact, but at the least it probably allows for certain kinds of man in the
middle attacks.

Usually I will allocate new ports by doing:

   guin:~$ echo $[RANDOM%1024]
   925
   guin:~$ grep 925/tcp /etc/services
   discovery-port  1925/tcp                        # Surrogate Discovery Port
   zmp             3925/tcp                        # Zoran Media Port
   guin:~$

Checking /etc/services for the port being allocated for other things.  In
this case, 925 isn't used.

Of course, use ~/.ssh/config to make logging in to this machine easy:

   Host testbox testbox.example.com
      Hostname testbox.example.com
      Port 925

That way you can "ssh user@testbox" or "ssh user@testbox.example.com",
without having to specify the "-p925" option to ssh or "-P925" option to
scp.

Of course, the best way to lock down your SSH is to limit it to only
accepting connections from your OpenVPN connection.  The OpenVPN server can
be set up to run on UDP and not respond to packets which aren't properly
signed, so port-scanning can't detect it unless you have REJECT on other
UDP ports.

Thanks,
Sean
-- 
 "I was on IRC once and got mistaken for Dan Bernstein. I still have
 nightmares."  -- Donnie Barnes
Sean Reifschneider, Member of Technical Staff <jafo at tummy.com>
tummy.com, ltd. - Linux Consulting since 1995: Ask me about High Availability
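The port-allocation step above, worked into a small script as an added example (not from the original post). It assumes a constructed excerpt of /etc/services so it runs offline; note that a bare "grep 925/tcp" also matches 1925/tcp and 3925/tcp, so the check below compares the whole port field, and the random pick is drawn from 1..1023 (never 0) and skips 22.

```shell
#!/bin/sh
# Constructed excerpt standing in for /etc/services so the example runs
# offline; on a real host pass /etc/services as the FILE argument.
SERVICES_SAMPLE=$(mktemp)
trap 'rm -f "$SERVICES_SAMPLE"' EXIT
cat > "$SERVICES_SAMPLE" <<'EOF'
# Network services, Internet style (constructed excerpt)
ssh             22/tcp                          # SSH Remote Login Protocol
discovery-port  1925/tcp                        # Surrogate Discovery Port
zmp             3925/tcp                        # Zoran Media Port
EOF

# port_allocated PORT FILE: exit 0 if "PORT/tcp" is the second field of a
# non-comment line in FILE, 1 otherwise.  Comparing the whole field avoids
# the substring problem of "grep 925/tcp" matching 1925/tcp and 3925/tcp.
port_allocated() {
    awk -v want="$1/tcp" '
        /^[[:space:]]*#/ { next }
        $2 == want       { found = 1 }
        END              { exit found ? 0 : 1 }' "$2"
}

# pick_privileged_port FILE: print a random port in 1..1023 that is not
# listed in FILE and is not 22.  Reads two bytes from /dev/urandom rather
# than $RANDOM so it also works in a plain POSIX sh.
pick_privileged_port() {
    while :; do
        rnd=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
        candidate=$(( (rnd % 1023) + 1 ))      # 1..1023, never 0
        [ "$candidate" -eq 22 ] && continue
        port_allocated "$candidate" "$1" && continue
        echo "$candidate"
        return 0
    done
}

# Usage: print one free privileged port based on the sample file.
pick_privileged_port "$SERVICES_SAMPLE"
```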