Monday, December 6, 2010

Security solution for preventing remote ssh brute force attack on OpenSUSE Linux

If you see a lot of brute force attacks in your /var/log/messages file,
you may want to beef up your security. I followed these steps to keep
the nasty intruders at bay.

The system-wide OpenSSH configuration for the server (sshd) is located in
the file /etc/ssh/sshd_config. Edit the file to change the default parameters.

AllowUsers username1 username2
The option AllowUsers specifies and controls which users can
access ssh services. Multiple users can be specified, separated by
spaces.


PermitRootLogin no
The option PermitRootLogin specifies whether root can log in using
ssh. Never say yes to this option.

Port 22
The default TCP port used by SSH is 22. It is understandable
therefore that practically all anonymous SSH brute force attempts are
only targeting TCP port 22. While we do not generally consider running
the service on an alternative port a reliable measure to enhance SSH
password authentication security long-term, it can offer some limited
protection. We consider this a short term hack and ideally a site with
a sound security posture would not need to change this option.

(Now you would need to pass the -p port# flag to ssh)

MaxStartups 5
Specifies the maximum number of concurrent unauthenticated
connections to the sshd daemon. Additional connections will be
dropped until authentication succeeds or the LoginGraceTime
expires for a connection. The default is 10.


LogLevel INFO
The option LogLevel specifies the level that is used when logging
messages from sshd. INFO is a good choice. See the man page for sshd
for more information on other possibilities.
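
A small audit of the settings above, as an added example that is not part of the original post: it parses the global section of an sshd_config text and reports where it departs from the values listed here. The function names, the sample config and the thresholds (MaxStartups start value of at most 5, LogLevel not below INFO) are assumptions of this example.

```python
import re

LOW_LOG_LEVELS = {"QUIET", "FATAL", "ERROR"}  # sshd levels below INFO

def parse_global(text):
    """Map lower-cased keyword -> value for the section before any Match block.
    Keywords are case-insensitive and sshd uses the first value it reads."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # keyword and value are separated by whitespace or a single '='
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # conditional blocks are not evaluated in this example
        seen.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return seen

def audit(text):
    """Return findings where the config departs from the post's settings."""
    cfg = parse_global(text)
    findings = []
    if not cfg.get("allowusers"):
        findings.append("AllowUsers: no explicit list of permitted accounts")
    root = cfg.get("permitrootlogin")
    if root is None or root.lower() != "no":
        findings.append(f"PermitRootLogin: effective value {root!r}, expected 'no'")
    start = cfg.get("maxstartups", "").split(":")[0]  # accepts start:rate:full
    if not start.isdigit() or int(start) > 5:
        findings.append(f"MaxStartups: {start or 'unset'}, post suggests 5")
    level = cfg.get("loglevel", "INFO").upper()
    if level in LOW_LOG_LEVELS:
        findings.append(f"LogLevel: {level} is below INFO")
    return findings

# Constructed sample, not taken from a real host. The second PermitRootLogin
# line is ignored by the first-value rule, and AllowUsers only exists in Match.
SAMPLE = """\
Port 2222
permitrootlogin yes
PermitRootLogin no
MaxStartups 10:30:60
LogLevel=ERROR
Match User backup
    AllowUsers backup
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check after editing the file.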
