# Attacks via SSH



## ericmurphy (Mar 8, 2006)

I have ssh enabled on my machine for remote access. Hey, it's better than telnet, right? Anyway, I was perusing the /var/log/secure.log file, and noted a lot of failed authentication attempts against what appears to be guesses of accounts on the machine (e.g., "test," "root," "user," "admin," etc.). This is worrying, obviously.

I really do need to keep ssh access enabled on my machine. But I really only need that access from one IP address. Granted, IPs can be spoofed, but it can't hurt to restrict access via SSH to certain IP addresses. Is there a relatively straightforward way to do this? I'm planning on purchasing a hardware firewall (mainly to close ports that I need open for LAN access that should be closed for WAN access) which should be able to do it, but in the meantime, it would be nice to do it via ipfw. Can I just edit the ipfw rules file?


----------



## tomdkat (Mar 9, 2006)

You should be able to block incoming ssh connections from everywhere except for a single IP.  I can't give you the ipfw rules, but I've done this kind of thing on Linux using iptables so I imagine OS X would be able to do this using ipfw.

Maybe this site might be of help. 

Peace...
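The rule set tomdkat describes, written for ipfw as an added example (it is not from either poster): SSH is admitted from one address and every other inbound attempt is logged and dropped. The address 198.51.100.7 and the rule numbers are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from either poster: ipfw rules that accept SSH
# (tcp/22) only from one administrator address and log-and-drop the
# connection attempts of everyone else. 198.51.100.7 is an assumed
# example address; rule numbers 1000/1010 are arbitrary but must sort
# before any broader "allow" rule already in the set, because ipfw
# acts on the first matching rule.
ADMIN_IP="${ADMIN_IP:-198.51.100.7}"
SSH_PORT="${SSH_PORT:-22}"

# Accept a plain dotted-quad IPv4 address only, so that a typo or an
# empty variable can never expand into an "allow ... from any" rule.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Print the two rules in the order they must be added. "setup" matches
# only the SYN that opens a TCP connection and "in" limits the match to
# inbound packets; "log" records each rejected attempt in the ipfw log.
ssh_rules() {
    printf 'ipfw add 1000 allow tcp from %s to any %s in setup\n' "$1" "$2"
    printf 'ipfw add 1010 deny log tcp from any to any %s in setup\n' "$2"
}

# Dry run by default; APPLY=1 (as root) feeds the rules to the shell.
main() {
    valid_ipv4 "$ADMIN_IP" || { echo "refusing bad ADMIN_IP: $ADMIN_IP" >&2; return 2; }
    if [ "${APPLY:-0}" = 1 ]; then
        ssh_rules "$ADMIN_IP" "$SSH_PORT" | sh -ex
    else
        ssh_rules "$ADMIN_IP" "$SSH_PORT"
    fi
}

main
```

Check the existing rule set with `ipfw list` first, since an earlier "allow ip from any to any" rule would match before these and make them dead.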


----------



## ksv (Mar 10, 2006)

You can also configure sshd to use private key authentication, which will make sshd impossible to break into with such automated «brute force» attacks. And/or block hosts after e.g. three failed attempts.


----------



## jmarcus (Mar 12, 2006)

This problem is consistent across the board.  On my Linux machines I get about 1000 failed attempts a week.  Recently I found www.denyhosts.com which checks your log files for failed logins and adds them to hosts.deny. Oh, and KSV, impossible is a big statement.

Take a look.
Good luck,
James
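The mechanism jmarcus describes, together with ksv's "block hosts after e.g. three failed attempts", reduced to its core as an added example; this is not DenyHosts' own code. The sshd log lines are constructed in OpenSSH's syslog wording, and the threshold and addresses are assumptions for the example.

```shell
#!/bin/sh
# Added example (not DenyHosts itself): count "Failed password" events
# per source address in an sshd log and emit a hosts.deny line for every
# address at or over a threshold. The log below is constructed in the
# wording OpenSSH uses; on the OS X machine in the thread the real
# entries live in /var/log/secure.log.
SAMPLE_LOG='Mar  8 02:11:09 mymac sshd[4120]: Failed password for invalid user test from 203.0.113.5 port 51022 ssh2
Mar  8 02:11:12 mymac sshd[4120]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Mar  8 02:11:15 mymac sshd[4122]: Failed password for root from 203.0.113.5 port 51024 ssh2
Mar  8 02:14:40 mymac sshd[4130]: Failed password for eric from 198.51.100.7 port 40010 ssh2
Mar  8 02:14:48 mymac sshd[4130]: Accepted password for eric from 198.51.100.7 port 40010 ssh2
Mar  8 02:20:01 mymac sshd[4141]: Failed password for invalid user user from 203.0.113.9 port 60001 ssh2
Mar  8 02:20:03 mymac sshd[4141]: Failed password for invalid user user from 203.0.113.9 port 60001 ssh2'

# failed_by_source: read a log on stdin and print "<count> <ip>" for each
# source address with at least $1 failures (default 3), highest first.
# The address is taken from the field after "from", never from the
# username, so a username crafted to look like an address cannot poison
# the deny list. Successful logins ("Accepted ...") are not counted.
failed_by_source() {
    threshold="${1:-3}"
    awk -v min="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# deny_entries: turn that list into hosts.deny syntax. This only takes
# effect if sshd was built with tcp_wrappers (libwrap) support; otherwise
# the same addresses belong in a firewall deny rule instead.
deny_entries() {
    failed_by_source "$1" | awk '{ printf "sshd: %s\n", $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | deny_entries 3
```

The one failure from 198.51.100.7 (a legitimate user mistyping a password) stays below the threshold, which is the reason to count per address rather than deny on the first failure.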


----------



## ksv (Mar 12, 2006)

jmarcus said:

> This problem is consistent across the board.  On my Linux machines I get about 1000 failed attempts a week.  Recently I found www.denyhosts.com which checks your log files for failed logins and adds them to hosts.deny. Oh, and KSV, impossible is a big statement.
> 
> Take a look.
> Good luck,
> James



I did not write _impossible to break into_, but _impossible to break into with such automated «brute force» attacks_.

Or should we say «everything is relative?» 

Using a 2048 bit RSA encryption without public key negotiation, there are
2^2048 options. If every attempt takes a second, the process of breaking into the system will take up to 512382770029664626152886806961408421493596249836940069002573969868161072090117498940848576413034523460310723632069666722065568860199310646484781715919081099705588491998049785828104352967872464909881685032725576615245944613182073759542080389689183321768481193747404633480586883110430393972088286388951204742546840648618536631479657768686018669058475647439851630804125533665192576622089997370469599709287435260114529485642786931722449758249328480219490385800882915259181977497317672021263906356654796478146856649236692953054382249942177172726654064662440343346391459529319343046761137725218038879273780023006398 years.


----------



## fryke (Mar 12, 2006)

Only if it's the _last_ option, right.  ... But really: The problem more often than not is not a brute-force attack but that OpenSSH has a known (and exploited) bug* which lets you somehow circumvent the security measures. Hence you have to turn SSH off if you don't need it and if you have to turn it on keep it updated well and, if you can, only let known IPs/hosts connect at all.

*Not talking about a specific bug here, of course.


----------



## tomdkat (Mar 13, 2006)

jmarcus said:

> This problem is consistent across the board.  On my Linux machines I get about 1000 failed attempts a week.  Recently I found www.denyhosts.com which checks your log files for failed logins and adds them to hosts.deny. Oh, and KSV, impossible is a big statement.


Do you mean DenyHosts?  



fryke said:

> But really: The problem more often than not is not a brute-force attack but that OpenSSH has a known (and exploited) bug* which lets you somehow circumvent the security measures. Hence you have to turn SSH off if you don't need it and if you have to turn it on keep it updated well and, if you can, only let known IPs/hosts connect at all.


I think this is a very important point to keep in mind.  You *do not* have to have the ssh daemon running to make _outbound_ ssh connections.  You need to have it running only if you want to accept ssh connections to your machine from remote.  If you always use ssh to connect to other machines, don't run sshd.

If you tunnel X over ssh, I'm not sure if you need ssh running or not.

Peace...


----------



## ElDiabloConCaca (Mar 13, 2006)

tomdkat said:

> If you tunnel X over ssh, I'm not sure if you need ssh running or not.
> 
> Peace...


Just to confirm -- that's a negative.  You do not need the sshd daemon running in order to tunnel X over ssh.


----------



## tomdkat (Mar 13, 2006)

ElDiabloConCaca said:

> Just to confirm -- that's a negative.  You do not need the sshd daemon running in order to tunnel X over ssh.


_Roger, Roger_ 

Peace...


----------

