The Easiest Way to prevent SSH attacks

Yes, I discovered the easiest way to prevent SSH attacks on Linux/Unix boxes -- you simply turn it off! There are some systems where I am the only person who ever uses SSH to connect to a shell prompt, so I just kill the daemon and make sure it is not set to start automatically on reboot. So what happens when I want to connect? Well, I have a little CGI script I wrote to turn SSH back on (using a hidden, password-protected URL); then I log on, and then sshd gets shut down again. (Once you are connected you do not need sshd to be running.) So people cannot break into the SSH server, since it simply is not running, and I just have it run for 5 minutes whenever I want to log on. Simple, isn't it?

Another similar tactic that drastically reduces attacks is to use crontab to turn sshd on and off at specific times. If nobody ever uses SSH at 2am on a Monday morning, why does it need to be running then? The only things connecting to sshd at that hour are international SSH cracking scripts! So you can shut down sshd for whatever times you know no legitimate user should be using it, and start it back up when folks are more likely to start logging in again. Since these are also often the times hackers and crackers set their scripts to run (when most sysadmins are at home, asleep or having actual lives), you can substantially reduce your risk of being hacked.

You should still use other protective measures (hosts.allow/hosts.deny files, iptables, denyhosts, non-standard ports and multiple strong passwords), but this is just one more way to protect yourself.

Comments

Anonymous said…
Hi, good tip.

Breakinguard is also a useful tool for using iptables to automatically block users who try too many bad passwords for SSH/FTP or any other service that can write bad password attempts to the syslog.

Google for Breakinguard or go to SourceForge to search for it.
Anonymous said…
By doing that, you're shifting the potential for abuse from SSH to Apache. Unless you're already running a web server, I don't recommend using a URL to turn sshd on and off. Your closing remarks of using hosts.allow/deny and iptables to restrict the allowed incoming IP addresses are a better solution.
