Hi Andy et al,

> This very long email is about possible pro-active measures I could
> take to prevent customers being compromised by SSH dictionary
> attacks.

*snip*

Yes, a very long email :)

> Do you think there's any pro-active measures that would be
> acceptable to VPS customers? Typical ways to foil SSH dictionary
> attacks:

> 1) Only use strong passwords.

I agree - there's very little you can do about this.

> 2) Don't use passwords at all, only keys.

That wouldn't be a bad idea, but as you rightly mention, those who
aren't used to using keys (or carrying them around [bad idea?]) would
be stuck here.

> 3) Disable root login.

I would say yes for every OS. There shouldn't really be any need to
log in as root (esp if you can su/sudo up to it).

> 4) Restrict the list of usernames that are valid, in combination
> with (1) and (3).

Difficult to implement, as you say.

> 5) Install DenyHosts or Fail2Ban.

I don't think there would be anything wrong with doing this. Yes, some
people might find it controversial, but surely they can remove it if
they please.

> 6) Move sshd to another port.

More of a security by obscurity approach, but it would limit the
inbound attacks.

> More?
I don't really know how you 'filter' outbound connections (I expect
little is done) but could you set up an outbound SSH rule that dropped
any connections from a server that was making, say, 100 outbound
connections in 10 seconds? Would any server have a legitimate reason
for doing this? It wouldn't stop the compromised host, but it would
limit the possibility of them compromising other hosts.

James
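As an added example (not code from this thread, Andy's provider, or DenyHosts/Fail2Ban themselves), the script below shows the two detection ideas raised above as one generic sliding-window counter: failed-password lines per source address, as DenyHosts/Fail2Ban do for item 5, and outbound connection bursts per host, as in the "100 connections in 10 seconds" question at the end. It also audits an sshd_config excerpt against items 2 to 4. All log lines, host names, addresses, config excerpts and thresholds are constructed for illustration.

```python
"""Added example: sliding-window burst detection in the spirit of the
DenyHosts/Fail2Ban idea (item 5) and the outbound "100 connections in
10 seconds" idea, plus a small sshd_config audit for items 2-4.
Every log line, host, address, config excerpt and threshold here is
constructed for illustration and is not taken from the thread."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd auth-log sample in OpenSSH's syslog line format.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 vps1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar  3 10:00:02 vps1 sshd[2202]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar  3 10:00:03 vps1 sshd[2203]: Failed password for invalid user test from 203.0.113.7 port 51002 ssh2
Mar  3 10:00:04 vps1 sshd[2204]: Failed password for invalid user oracle from 203.0.113.7 port 51003 ssh2
Mar  3 10:00:05 vps1 sshd[2205]: Failed password for invalid user guest from 203.0.113.7 port 51004 ssh2
Mar  3 10:00:09 vps1 sshd[2206]: Accepted publickey for james from 198.51.100.4 port 40001 ssh2
Mar  3 10:00:10 vps1 sshd[2207]: Failed password for james from 198.51.100.4 port 40002 ssh2
Mar  3 10:30:00 vps1 sshd[2300]: Failed password for root from 203.0.113.7 port 51010 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_failed_logins(text, year=2024):
    """Return [(timestamp, source_ip)] for every failed-password line.
    Syslog timestamps carry no year, so one is supplied (assumption)."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
            events.append((ts, m["ip"]))
    return events


def burst_offenders(events, window_seconds, threshold):
    """Generic sliding-window counter over (timestamp, key) events.
    Returns {key: timestamp at which the key first reached `threshold`
    events inside the trailing `window_seconds`}. The same logic serves
    failed logins per source IP and outbound connections per host."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, key in sorted(events):
        q = recent[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop events that fell out of the window
        if len(q) >= threshold and key not in flagged:
            flagged[key] = ts
    return flagged


def outbound_sample():
    """Constructed outbound-connection records (timestamp, source host):
    vps7 opens 120 connections in under five seconds, vps2 opens three."""
    base = datetime(2024, 3, 3, 11, 0, 0)
    burst = [(base + timedelta(milliseconds=40 * i), "vps7") for i in range(120)]
    normal = [(base + timedelta(seconds=s), "vps2") for s in (1, 7, 9)]
    return burst + normal


def audit_sshd_config(text):
    """Report sshd_config directives that contradict items 2-4.
    Missing directives are reported as well: with no directive, OpenSSH
    allows password logins and places no restriction on which users may log in."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # "Keyword value" form, whitespace separated
        directives[parts[0].lower()] = parts[1].strip().lower() if len(parts) > 1 else ""
    findings = []
    if directives.get("permitrootlogin") != "no":
        findings.append("PermitRootLogin should be 'no' (item 3)")
    if directives.get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication should be 'no' once keys are in place (item 2)")
    if "allowusers" not in directives and "allowgroups" not in directives:
        findings.append("no AllowUsers/AllowGroups restriction (item 4)")
    return findings


WEAK_SSHD_CONFIG = """\
# constructed excerpt of a permissive sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
# constructed excerpt applying items 2-4
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers james
"""

if __name__ == "__main__":
    print("inbound sources to block:", burst_offenders(parse_failed_logins(SAMPLE_AUTH_LOG), 600, 5))
    print("hosts bursting outbound SSH:", burst_offenders(outbound_sample(), 10, 100))
    print("weak config findings:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened config findings:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

With the constructed input, 203.0.113.7 is flagged at its fifth failure (10:00:05) while 198.51.100.4, which had one mistyped password before a key login, is not; vps7 is flagged at its hundredth outbound connection and vps2 never is. The thresholds are only illustrative: whatever values a provider picks, the admin addresses that have a legitimate reason to connect often (monitoring, backups, configuration management) belong on an allow-list before any automatic drop rule is switched on, which is the "would any server have a legitimate reason" question James raises.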