SSH


joeypesci

I have SSH set up on my machine at home with a rock hard password :) I hope, but I notice in the event logs on my computer shit loads of attempts to guess a user name and password. Is there any way to prevent this, bar changing the port I've got it set up on?

I have to have it on port 22 'cause it's the only open port that appears to work at work. I've got Endian firewall set up but not sure if there is an option on that to auto block IPs if they attempt an attack every few seconds (as they are every second in the logs).

Link to comment

If you will only ever access it from work, and your company has an IP range or static IP address, make it only accessible from this (range of) IP(s) with a firewall rule. If your company is on a dynamic IP range, allow that whole range.

Even applying a rule that blocks all IPs that don't originate (according to whois) from within your country would put a massive plug in this.

Link to comment

Thanks. Know of any guides to do what you said :) I'm still a bit of a noob really. Only got the SSH set up via a guide.

That depends on the OS and firewall software you are using, but you will want to add a trusted IP range to access that port number and block all other requests for that port. Also block any ICMP requests and replies, so you can at least try to stealth the port from being seen with pings and port scans.

Link to comment

I'm using a combo, which may be overkill, of the router firewall (Draytek Vigor2800VG), Endian Firewall, then for outbound monitoring on machines I have Comodo as it lets me control specific programs that request net access. And I'm on XP SP3, using COPSSH.

Link to comment

Some might say it's overkill, but I'm not one of them. I think it's best to have at least a software firewall, but also a hardware firewall or router setup. Reason being, if someone compromises your hardware through some flaw, like UPnP or misconfiguration, your PC will at least have a second line of defense. There have been plenty of drive-by attacks on routers with built-in firewalls that have both disabled them as well as reconfigured their DNS at the same time. This is also another reason I manually set up my NIC's DNS in Windows to use OpenDNS. I'm using ZoneAlarm Pro Suite as my software firewall and I have different settings for Trusted and Internet addresses. Not sure how to do that in Comodo or Endian, but I'm sure they would have some way to set up these rules. Google is your friend:

http://www.endian.com/fileadmin/documentat...e/en/index.html

http://kb.endian.com/entry/28/

https://forums.comodo.com/help_cis-b127.0/

http://www.personalfirewall.comodo.com/Com..._User_Guide.pdf

Link to comment

Another option is that you can block IPs on a certain number of incorrect login attempts. This is what I did when I was running an external SSH server. I set it as 5 attempts and then banned forever (or at least until I unbanned it), but the number of attempts was reset every two hours. So you could try 4 times every two hours without having to come to me to say sorry for getting yourself blocked.

Yes, it's open to some misuse and not perfect, but in my situation it worked perfectly.

If you wanted to have fun you could set up a HoneyPot, which given a number of incorrect tries would take over and then mirror the traffic back to them, record any commands and you can watch them brute force themselves.

Link to comment
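
The ban rule described in the post above (5 failed attempts, counter reset after two hours, ban kept until lifted by hand), as an added example that is not part of the original thread: it reads OpenSSH-style "Failed password" lines and returns the addresses to block. The log layout with ISO timestamps, the sample lines, the `allowlist` parameter and the reading of "reset every two hours" as a per-address window starting at the first failure are assumptions.

```python
import re
from datetime import datetime, timedelta

MAX_ATTEMPTS = 5             # ban on the 5th failure, as in the post
WINDOW = timedelta(hours=2)  # failure counter resets after two hours

# Assumed log layout: "<ISO time> <host> sshd[pid]: Failed password for ...".
# The user field is matched greedily and the pattern is anchored at the end
# of the line, so the address taken is the one sshd appended itself.
FAILED = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port \d+ ssh2$"
)

def find_bans(lines, allowlist=frozenset()):
    """Return {ip: time of ban} for addresses hitting MAX_ATTEMPTS in a window."""
    state = {}   # ip -> (window start, failures in this window)
    banned = {}  # ip -> timestamp of the failure that triggered the ban
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if ip in banned or ip in allowlist:
            continue  # already blocked, or a trusted address (e.g. work)
        start, count = state.get(ip, (ts, 0))
        if ts - start >= WINDOW:
            start, count = ts, 0  # two hours passed: start counting again
        state[ip] = (start, count + 1)
        if count + 1 >= MAX_ATTEMPTS:
            banned[ip] = ts  # stays banned until removed by hand
    return banned

def _fail(ts, user, ip):
    # Builds one constructed log line (not real log data).
    return f"{ts} home sshd[411]: Failed password for {user} from {ip} port 50122 ssh2"

# Constructed sample: one address hammering the server, and one forgetful
# user making 4 bad attempts, then 2 more over two hours later.
SAMPLE_LOG = sorted(
    [_fail(f"2024-03-03T10:00:0{i}", "invalid user admin", "203.0.113.7") for i in range(1, 7)]
    + [_fail(f"2024-03-03T09:0{i}:00", "joe", "198.51.100.20") for i in range(4)]
    + [_fail(f"2024-03-03T11:3{i}:00", "joe", "198.51.100.20") for i in range(2)]
    + ["2024-03-03T11:40:00 home sshd[411]: Accepted password for joe from 198.51.100.20 port 50122 ssh2"]
)

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"block {ip} (5th failure at {when})")
```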

As ADM1NX said, you should set it up with Public Key Authentication. Watch episode 416. Changing the port probably wouldn't help, but it's always a good idea to change the port. Set your SSH server to use port 443; that port should definitely be open while behind your work's firewall/router.

Link to comment

Another option is that you can block IPs on a certain number of incorrect login attempts. This is what I did when I was running an external SSH server. I set it as 5 attempts and then banned forever (or at least until I unbanned it), but the number of attempts was reset every two hours. So you could try 4 times every two hours without having to come to me to say sorry for getting yourself blocked.

Yes, it's open to some misuse and not perfect, but in my situation it worked perfectly.

If you wanted to have fun you could set up a HoneyPot, which given a number of incorrect tries would take over and then mirror the traffic back to them, record any commands and you can watch them brute force themselves.

I wanted to do something like that but couldn't find an option in Openssh or on Endian.

I watched the shows but they appeared to skim over importing the key over to PuTTY so I got lost. I also don't understand, as I think mine is set up to accept a key and passphrase, yet I haven't imported the public key into PuTTY yet can still connect.

Link to comment
