The Easiest Way to prevent SSH attacks

Yes, I discovered the easiest way to prevent SSH attacks om Linux/Unix boxes -- you turn simply it off! There are some systems where I am the only person who ever uses SSH to connect to them to a shell prompt so I just kill the daemon and make sure it is not set to automatically start on reboot. So what happens when I want to connect? Well, I have a little CGI script I wrote to turn SSH back on (using a hidden password protected URL), and then I log on, and then the SSHD daemon gets shut down again. (Once you are connected you do not need sshd to be running.) So people cannot break through the SSHD server since it simply is not running, and I just have it run for 5 minutes for me to logon whenever I want. Simple, isn't it? Another similar tactic to drastically reduce attacks is to set crontab to turn on and off sshd for specific times. If nobody ever uses SSH at 2am Monday morning, why does it need to be running then? The only things connecting to the SSHD server then are international SSH cracking scripts! So you can shut down sshd for whatever times you know no legitimate user should be using it, and then start it back up when folks are more likely start logging in again. Since these are also often the times hackers and crackers set their scripts to run (when most sysadmins are at home, asleep or having actual lives), you can reduce your risk substantially of being hacked. You should still use other protective measures (hosts.allow/hosts.deny files, iptables, denyhosts, non-standard ports and multiple strong passwords), but this is just one more way to protect yourself.

Comments

Anonymous said…
Hi, Good tip.

Breakinguard is also a useful tool for using iptables to automatically block users who try too many bad passwords for SSH/FTP or any other service that can write bad password attempts to the syslog

Google for Breakinguard or goto SourceForce to search for it.
4:34 AM
Anonymous said…
By doing that, you're shifting the potential for abuse from SSH to Apache. Unless you're already running a web server, I don't recommend using a URL to turn sshd on and off. Your closing remarks of using hosts.allow/deny and iptables to restrict the allowed incoming IP addresses are a better solution.
12:40 AM
Post a Comment

Popular posts from this blog

BMI & BMR Calculator (Body Mass Index and Basal Metabolic Rate)

Image
My wife has been researching type 2 diabetes and recently checked a book out of the library which included a body mass index (BMI) chart much like the one pictured here. Whereas it is fairly easy to follow, I, of course, think it must be converted to an online calculator! However, when I checked the Internet, there were already a billion of them so I had to make one that was different. So my lovely BMI BMR calculator accepts either inches or centimeters for your height and pounds or kilograms for your weight and calculates not only your BMI, but also your BMR (basal metabolic rate) which determines how many calories you should consume! So I made a spiffy "all in one" healthy body indicator calculator which not only determines how underweight or overweight you are, but also tells you how many calories you should consume to maintain or improve your ideal weight. 
Read more

Trying out the L'Ecole Culinaire Presentation Room restaurant

Image
We had been seeing the ads for the restaurant at L'Ecole Culinaire and since we live so close by we thought we would try it out. We had always enjoyed dining out at cooking or hotel schools like the CHIC in Chicago and the Statler at Cornell where we went to college. Since we still love to go out and eat here in St. Louis , we ventured over to their restaurant on the first day they were open for lunch. The first thing we noticed is that they do not have much parking! They really need to let patrons know where they are supposed to park. The restaurant itself is small but very well attended. There was one fellow who kept straightening all the centerpieces and place settings on the tables, and we always saw one or two student workers milling about. The lunch menu was small and the choices did not appear overly "gourmet". The special of the day was a bison burger stuffed with cheese, and other choices picked by my group included a club sandwich, a "margherita" pi
Read more

Not all Frosted Window Films are the same!

Image
We live in an older home with a lot of issues and one of them concerns our back door to our patio from our sunroom. The door has double paned glass on it, but unfortunately the seal has broken so you can see moisture collect inside of it. We decided the easiest way to "remedy" the problem was to cover the window with some "frosted" film so we did not have to see the moisture condensing between the panes. But the question was, what film? There are a bunch of them available so we had to select something to try on the door. The first place we tried was our nearby Lowe's store which had a bunch of Gila brand film. We selected what seemed like the typical adhesive based door sized  film that cost about $25 after tax. We thought it could not be that hard to put up and look nice on our door. So one day my wife ran out and purchased it at Lowe's and we commenced to install it on our door window. We made our own soapy water solution and followed the directions
Read more