I had email from someone today whose system was hacked, apparently by a dictionary attack over ssh. They overwrote most of his hard drive with "DIE SCO DIE". He said there were "over 8000 root login attempts and another 6000 for various other names".
Several things come to mind immediately. First, you shouldn't allow root logins over ssh anyway. The
in /etc/ssh/sshd_config should be uncommented and changed to no. Second, you should have an AllowUsers line, and if possible, limit that to names that aren't obvious. For example, I wouldn't use "tony" or "apl". I might use "mghtrey" (though I don't), because that's a completely made up name. With that line, only the listed users are allowed to login with ssh at all. That includes root even if PermitRootLogin isn't turned off, but I set both anyway. Exclusionary duplication never hurts.
Next, don't have passwords susceptible to dictionary attack. Letters, numbers, and punctuation are a must. Do NOT use the same passwords on multiple servers and do not allow user equivalency or ssh_agent unless you absolutely have to have it.
Finally, don't let someone have 8,000 chances at guessing your password. I have two limitations set. One is the
which (from the man page):
Specifies the maximum number of concurrent unauthenticated con- nections to the sshd daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10. Alternatively, random early drop can be enabled by specifying the three colon separated values ``start:rate:full'' (e.g., "10:30:60"). sshd will refuse connection attempts with a proba- bility of ``rate/100'' (30%) if there are currently ``start'' (10) unauthenticated connections. The probability increases lin- early and all connection attempts are refused if the number of unauthenticated connections reaches ``full'' (60).
But I don't stop there on my most critical servers. I also have
auth required /lib/security/$ISA/pam_tally.so no_magic_root onerr=fail account required /lib/security/$ISA/pam_tally.so onerr=fail file=/var/log/faillog deny=1 no_magic_root even_deny_root_account
in my /etc/pam.d/system-auth file. That kills login if you type a bad password just twice. I reset it with a cron job every hour during the day when I'm working in case I screw up twice (" /sbin/pam_tally --reset") but not at night.
So, for someone to break in with ssh, they first have to know the one account that allows ssh at all and they have exactly two chances to guess the password - miss those two and pam locks them out. Keep on trying, and ssh itself will also lock you out eventually.
You really cannot be too careful now. If you don't need ssh outside of working hours, turn it off with a cron job. The "bad guys" are constantly hammering at our servers; there's no reason to make it easy for them.
Got something to add? Send me email.
More Articles by Tony Lawrence © 2011-03-22 Tony Lawrence
Security is mostly a superstition. It does not exist in nature, nor do the children of men as a whole experience it. Avoiding danger is no safer in the long run than outright exposure. Life is either a daring adventure, or nothing. (Helen Keller)