SSH Security Article Idea

I'm running a honeypot for a while now and it blows me away how many attempts there are. As in, 8000 in 7 days, 92% Chinese IPs. Therefore I now block Chinese IPs everywhere, not my intended target. (See http://lowendtalk.com/discussion/32603/block-china-from-a-vps to find out how to do that as well.)

So therefore I think I'm going to write an article about SSH security. It will go over the statistics gathered by the honeypot and it will feature at least the following topics:

  • SSH Keys instead of passwords
    • with ssh-agent
  • PermitRootLogin without-password #if you really must
  • SSH on a different port. Not much security, less annoying logging however
  • Fail2Ban / DenyHosts
  • CSF + LFD / iptables
  • Use a VPN for SSH
  • Port Knocking
  • Only allow a specific IP /IP's
  • Block China
  • AllowUsers / Match blocks

Are there any other things you would like to see in an article like that?
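As an added example (not from the thread or its author), a small Python audit of an sshd_config against the items in the list above: key-only authentication, PermitRootLogin without-password, an AllowUsers restriction, and Match blocks that re-enable passwords. Both config samples are constructed for the example.

```python
import re

# Constructed samples (not from any real host): a default-style sshd_config
# and the same host after the post's recommendations. The Match Address block
# re-enables passwords only for one trusted subnet.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_CONFIG = """
Port 2222
PermitRootLogin without-password
PasswordAuthentication no
AllowUsers deploy admin@203.0.113.10
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

def parse_sshd_config(text):
    """Return (global_opts, match_blocks); keywords are case-insensitive and,
    as in sshd, the first occurrence of a keyword wins."""
    global_opts, match_blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":                    # every later line belongs to this block
            current = {"match": value}
            match_blocks.append(current)
            continue
        current.setdefault(key, value)
    return global_opts, match_blocks

def audit(text):
    """Return a list of findings (empty = all checks passed); unset keywords
    are treated as the weak value."""
    opts, matches = parse_sshd_config(text)
    findings = []
    if opts.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no' (key-only auth wanted)")
    if opts.get("permitrootlogin", "yes") not in ("no", "without-password", "prohibit-password"):
        findings.append("PermitRootLogin should be 'no' or 'without-password'")
    if "allowusers" not in opts and "allowgroups" not in opts:
        findings.append("No AllowUsers/AllowGroups restriction")
    for m in matches:   # passwords re-enabled in a block not scoped by Address
        if m.get("passwordauthentication") == "yes" and not m["match"].lower().startswith("address"):
            findings.append("Match re-enables passwords without an Address scope: " + m["match"])
    return findings
```

Run `audit(open("/etc/ssh/sshd_config").read())` on a real file to list what still deviates from the checklist.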


Comments

  • Make a script to automate all of this!

  • Looking forward to it. + A script to automate it would be AWESOME.

  • Mun Member

    Does anyone have the ASNs of China that are causing all the problems? You can probably use my ASN block list.

    https://cdn.content-network.net/tools/asn-blocklist/

    If anyone has some other ASNs that need to be listed, let me know.

  • rm_ IPv6 Advocate, Veteran
    edited August 2014

    chauffer said: Make a script to automate all of this!

    Stacy said: A script to automate it would be AWESOME.

    Yeah why read or learn anything, just run a huge script without understanding what it does exactly, if something fails, just reinstall the VPS and try again, RIGHT GUYS.

    said: SSH Keys instead of passwords

    said: Only allow a specific IP /IP's

    Could have stopped at these two, others listed are just security theater. And don't block China (at least not from accessing ports 80/443), there's a lot of nice guys/girls among them.

  • @rm_ said:
    Yeah why read or learn anything, just run a huge script without understanding what it does exactly, if something fails, just reinstall the VPS and try again, RIGHT GUYS.

    I agree with this :)

    Could have stopped at these two, others listed are just security theater. And don't block China (at least not from accessing ports 80/443), there's a lot of nice guys/girls among them.

    It'll just be SSH. That's what they seem to like. Or maybe I'll list both, nullroute all the things or just SSH.

  • Any more suggestions?

  • Awaiting the first draft! :-)

  • Why would you make such a racist move like blocking entire countries if you know what you are doing security-wise? Just set up strong security mechanisms and you won't have to worry about who is connecting.

  • @Mark_R said:
    Why would you make such a racist move like blocking entire countries if you know what you are doing security-wise? Just set up strong security mechanisms and you won't have to worry about who is connecting.

    It fills up your log with useless crap.

  • Mark_R Member
    edited August 2014

    @Raymii said:

    It fills up your log with useless crap.

    And you think that this is worth blocking entire countries for? wow lol, just make a cronjob that gets rid of the logs once in a while. Couldn't you come up with something like that yourself?? If you have set up proper security mechanisms then you wouldn't even need to read those auth logs.

  • @Mark_R said:
    And you think that this is worth blocking entire countries for? wow lol, just make a cronjob that gets rid of the logs once in a while. Couldn't you come up with something like that yourself?? If you have set up proper security mechanisms then you wouldn't even need to read those auth logs.

    I doubt he's talking about blocking China altogether. Only SSH port, I believe.

  • @serverian said:
    I doubt he's talking about blocking China altogether. Only SSH port, I believe.

    Oh right. Well, it's still an unnecessary and racist thing to do.

  • @Mark_R said:

    China is full of hackers (?) because of lack of abuse handling from their major ISPs. It's not really racism.

  • @Mark_R said:
    Oh right. Well, it's still an unnecessary and racist thing to do.

    @Mark_R said:
    And you think that this is worth blocking entire countries for? wow lol, just make a cronjob that gets rid of the logs once in a while. Couldn't you come up with something like that yourself?? If you have set up proper security mechanisms then you wouldn't even need to read those auth logs.

    It's not just the fact the logs fill up, it's the fact that 92% of all IPs that brute force a server in my tests are from Chinese providers. On 8000 brute forces in a week that is a lot. Not just on the honeypot, but on a lot more boxes.

    Plus, China is probably not most people's intended target, at least not mine, so it's fine to block them for me.

  • Well, for just the SSH port there is no reason to leave it open at all. Just whitelist a couple of static IPs you have, block everything else.

  • @serverian said:
    China is full of hackers (?) because of lack of abuse handling from their major ISPs. It's not really racism.

    Not a problem:

    http://lowendtalk.com/discussion/comment/697183/#Comment_697183

  • @Raymii said:
    It's not just the fact the logs fill up, it's the fact that 92% of all IPs that brute force a server in my tests are from Chinese providers. On 8000 brute forces in a week that is a lot. Not just on the honeypot, but on a lot more boxes.

    The only true problem would be that little bit of bandwidth that goes to waste. Again, set up proper and strong security mechanisms and you don't need to block an entire country.

  • @Mark_R said:
    The only true problem would be that little bit of bandwidth that goes to waste.

    No, the problem is that there are a lot of brute force attempts coming from there. It's not the potential damage or attempted damage that is the problem, the hacking attempts are the problem. Statistics show me that over 90% of attempts are from China, the normal visitors that come from China are 0% (none), so blocking the entire country is a good solution on top of the others.

  • Doing selective reading much? well, discussing with you is pointless.

    Keep up the ignorance/incompetence! - way to go.

  • Mark_R said: Doing selective reading much? well, discussing with you is pointless.

    Selective responding. You continue to state "the only true problem", which is wrong.

    Regardless of the security setup you have, if you can stop the most attacks by simply nullrouting a boatload of Chinese ranges, on top of the existing strong security setup you have, you've tackled the problem better. As said, security is a layered approach.

  • rm_ IPv6 Advocate, Veteran
    edited August 2014

    Raymii said: No, the problem is that there are a lot of brute force attempts coming from there.

    What brute force attempts are you talking about, if you have set up a key-only based SSH authentication (and disabled the password-based one)?

    Regardless, it's still a good idea to restrict SSH port to accept only connections from your actual IPs that you use (at home/work/etc), add to that all your other VPSes and hosts, or better yet, make SSH IPv6-only and then also limit to specific IPv6 subnets (which tend to be static much more often than you get static IPv4s). Nothing to do with blocking China whatsoever. Just block all those people who are not you. ^^

    Note that this limiting is still unrelated to any "brute-force" attempts (as said those aren't a concern with key-based auth), it's mostly to safeguard yourself from possible 0-day catastrophic flaws in SSH (similar to the Heartbleed bug).

  • rm_ said: Note that this limiting is still unrelated to any "brute-force" attempts (as said those aren't a concern with key-based auth)

    CPU will still get hammered even if the attempts are designated to fail.

  • CharlesA Member
    edited August 2014

    @rm_ said:
    Note that this limiting is still unrelated to any "brute-force" attempts (as said those aren't a concern with key-based auth), it's mostly to safeguard yourself from possible 0-day catastrophic flaws in SSH (similar to the Heartbleed bug).

    This. I have SSH locked down to only be accessible via my VPN and it's cut down on log garbage and csf alerts by quite a bit.

  • wych Member

    If he never needs to connect to his box via SSH from a designated country I don't understand why it would be racist? Sure it's more complex than a whitelist but it is one approach.

  • geekalot Member
    edited August 2014

    @Raymii, I face the same challenges; I get a TON of hacking & spam attempts daily against numerous domains/sites, with most of the attacks emanating from China (but honestly a fair share from Ukraine, Poland, Brazil, France, Germany and others as well).

    Besides getting your security sh**t together, I think the REAL challenge is finding some legal way to monetize traffic from China. If 1% of 1.3 billion just paid you $0.25 .... well you get what I am saying. :-)

    I used to block many of their subnets (and still block some) but typically I just study what they do, write new IDS rules to block the worst offenders, and report them (to blacklists) via various methods/modules. If there are a few from the same subnet, then the subnet becomes a candidate for permanent blocking at the firewall. A mix of automatic & manual that is quite effective.

    And this is not directed to just China, this is directed to ANYONE who can't behave themselves on any assets I control.

    EDIT: BTW, good luck on the article.

    • Most important thing IMHO: Only permit SSH access from an IP whitelist comprised of unrelated instances you only use to tunnel through.

    Cheers

  • @Mark_R said:

    Wrong. The Chinese government doesn't do anything to stop their people from hacking other countries.

  • I haz rootlogin on my ssh server :D (with ssh keys ofc)

    Ultimate paranoid tool I'm using:

  • orak Member

    @TheRedFox said:
    I haz rootlogin on my ssh server :D (with ssh keys ofc)

    Ultimate paranoid tool I'm using:

    What's that called? Looks pretty darn nice.

  • @orak said:
    What's that called? Looks pretty darn nice.

    https://www.duosecurity.com/docs/duounix

  • Looks pretty nice, however you should be extremely wary of handing over root access control to a 3rd party company. What if their servers are down?
