SSH hacked?
Kent Borg
kentborg at borg.org
Tue Jan 13 16:45:05 UTC 2009
NoOp wrote:
> [on moving sshd to different ports being a silly distraction] Really? I reckon that's your opinion, but I'd have to disagree.
>
Passwords are hard to manage. Every system that issues you an account
seems to think that that is your only password in the world. But it
isn't. We all have a zillion accounts, all with passwords or PINs, and
managing them is difficult--so the obvious reaction is to have a small
set of passwords and reuse (or recycle) them on multiple accounts.
My first suggestion for keeping ssh secure was to have long, quality
passwords that are not recycled. Judging from the fact that I am the
only person I know who does not recycle passwords, this is a RADICAL
suggestion! Yet it prompted no reaction. People kept talking about
moving sshd to different ports.
Conclusion: Moving sshd to a different port is a distraction from real
issues of security. (Like the old joke about the drunk looking for his
keys under the street light because it is easier to see there--no matter
that he dropped them in the dark alley.)
If you have a quality password that you don't give to others (that is,
you don't recycle on different systems), a maintained system is NOT
vulnerable to a brute force attack. Repeat, it is NOT vulnerable to a
brute force attack. Period. Moving sshd to a different port accomplishes
nothing good but shrinking your log files a little, but it does risk
doing damage: if it gives you a false sense of security such that you
continue to use poor passwords or tell others your passwords (by reusing
them elsewhere), that complacency will make matters worse.
Is your password both high quality and secret? Well, IS it??
If yes: Then quit worrying. Trust ssh to do its job.
If no: Get a better password. And this time don't give anyone else a
copy of it (i.e., don't reuse it elsewhere).
Instead of wasting your time hiding your sshd where any port scan will
find it, ask yourself the above question, honestly answer it, and act on
the answer.
A serious flaw in my harping on using quality passwords is that even if
you have wonderful long passwords, if you have guests on your system
with poor passwords, their accounts will still be vulnerable. A good way
to improve this is to rate-limit connections. Google for "ssh brute
force iptables". Something like this might be a good idea:
sudo iptables -A INPUT -i _eth0_ -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
sudo iptables -A INPUT -i _eth0_ -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
Do it at every boot (out in /etc/rc.local, maybe). It will automatically
slow down brute force attempts from any given IP address to 8 tries in a
minute. Plenty to let in even the most sloppy password typer (good
passwords that are long are easy to type wrong), but it makes even
crappy passwords hard to guess. I haven't done this because if I get it
wrong I could get locked out, plus I am lazy, plus I would also want to
do additional rules to protect IMAPS (probably easy) but also
Squirrelmail (maybe not so easy). Note that sshd does rate-limit
already, just not as strictly as you might want.
-kb
P.S. Keeping your password secret includes not typing it on a spyware
loaded computer that is recording your keystrokes. That is why I don't
use my Windows computer at work to log into my system at home. I don't
think that computer is infected, but I don't trust Windows in general; I
use my personal Ubuntu notebook instead.
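The two iptables rules in the post, as an added simulation that is not part of the original message: it applies the `--set` / `--update --seconds 60 --hitcount 8` logic of netfilter's recent module to a constructed stream of NEW connection attempts so you can see exactly which attempts would be dropped and when a blocked address is let back in. The per-address timestamp list capped at 20 entries is a simplified model of xt_recent (its default ip_pkt_list_tot), not the kernel code; the addresses and timings are constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # --seconds 60
HITCOUNT = 8          # --hitcount 8
LIST_CAP = 20         # xt_recent default ip_pkt_list_tot (assumption of the model)


class RecentRateLimiter:
    """Models the pair of rules: rule 1 records every NEW packet for its source
    address; rule 2 DROPs when >= HITCOUNT records fall inside the window."""

    def __init__(self, seconds=WINDOW_SECONDS, hitcount=HITCOUNT, cap=LIST_CAP):
        self.seconds = seconds
        self.hitcount = hitcount
        # source address -> timestamps of recent NEW packets (oldest evicted at cap)
        self.seen = defaultdict(lambda: deque(maxlen=cap))

    def new_connection(self, addr, now):
        """Verdict for one NEW TCP/22 packet from addr at time `now` (seconds)."""
        stamps = self.seen[addr]
        stamps.append(now)                      # rule 1: -m recent --set --name SSH
        hits = sum(1 for t in stamps if now - t <= self.seconds)
        if hits >= self.hitcount:               # rule 2: --update --seconds --hitcount
            stamps.append(now)                  # --update also refreshes the entry
            return "DROP"                       # -j DROP
        return "ACCEPT"                         # falls through to the rule allowing sshd


def simulate(attempts):
    """attempts: iterable of (seconds, source_ip). Returns [(t, ip, verdict), ...]
    in time order."""
    limiter = RecentRateLimiter()
    return [(t, ip, limiter.new_connection(ip, t)) for t, ip in sorted(attempts)]


# Constructed sample traffic: one address hammering every 2 s, a legitimate
# user retrying a mistyped password a few times, then the hammering address
# coming back after a quiet period long enough for its window to expire.
SAMPLE = ([(t, "198.51.100.7") for t in range(0, 20, 2)]
          + [(5, "203.0.113.9"), (30, "203.0.113.9"), (55, "203.0.113.9")]
          + [(150, "198.51.100.7")])

if __name__ == "__main__":
    for t, ip, verdict in simulate(SAMPLE):
        print(f"t={t:>4}s  {ip:<14} {verdict}")
```

Note that the rules count new TCP connections, not failed logins: one connection can carry several password guesses (sshd's MaxAuthTries, 6 by default), so the real guessing rate an attacker gets is higher than 8 per minute, and once the source goes quiet for a minute it is admitted again.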