joeypesci Posted January 25, 2009

I have SSH set up on my machine at home with a rock hard password :) I hope, but I notice in the event logs in my computer shit loads of attempts to guess a user name and password. Is there any way to prevent this bar changing the port I've got it set up on? I have to have it on port 22 'cause it's the only open port that appears to work at work. I've got Endian firewall set up but not sure if there is an option on that to auto block IPs if they attempt an attack every few seconds (as they are every second in the logs).
Sparda Posted January 25, 2009

If you will only ever access it from work, and your company has an IP range or static IP address, make it only accessible from this (range of) IP(s) with a firewall rule. If your company is on a dynamic IP range, allow that whole range. Even applying a rule that blocks all IPs that don't originate (according to whois) from within your country would put a massive plug in this.
joeypesci (Author) Posted January 25, 2009

Thanks. Know of any guides to do what you said? :) I'm still a bit of a noob really. Only got the SSH set up via a guide.
digip Posted January 25, 2009

> Thanks. Know of any guides to do what you said? :) I'm still a bit of a noob really. Only got the SSH set up via a guide.

That depends on the OS and firewall software you are using, but you will want to add a trusted IP range to access that port number and block all other requests for that port. Also block any ICMP requests and replies, so you can at least try to stealth the port from being seen with pings and port scans.
joeypesci (Author) Posted January 25, 2009

I'm using a combo, which may be overkill, of the router firewall (Draytek Vigor2800VG), Endian Firewall, then for outbound monitoring on machines I have Comodo as it lets me control specific programs that request net access. And I'm on XP SP3, using COPSSH.
digip Posted January 25, 2009

> I'm using a combo, which may be overkill, of the router firewall (Draytek Vigor2800VG), Endian Firewall, then for outbound monitoring on machines I have Comodo as it lets me control specific programs that request net access. And I'm on XP SP3, using COPSSH.

Some might say it's overkill, but I'm not one of them. I think it's best to have at least a software firewall, but also a hardware firewall or router setup. Reason being, if someone compromises your hardware through some flaw, like UPnP or misconfiguration, your PC will at least have a second line of defense. There have been plenty of drive-by attacks on routers with built-in firewalls that have both disabled them as well as reconfigured their DNS at the same time. This is also another reason I manually set up my NIC's DNS in Windows to use OpenDNS. I'm using ZoneAlarm Pro Suite as my software firewall and I have different settings for Trusted and Internet addresses. Not sure how to do that in Comodo or Endian, but I'm sure they would have some way to set up these rules. Google is your friend:

http://www.endian.com/fileadmin/documentat...e/en/index.html
http://kb.endian.com/entry/28/
https://forums.comodo.com/help_cis-b127.0/
http://www.personalfirewall.comodo.com/Com..._User_Guide.pdf
http://www.personalfirewall.comodo.com/Com..._User_Guide.pdf
ADM1NX Posted January 25, 2009

You could try this. It only allows people to connect if they have the proper key.

http://www.g-loaded.eu/2005/11/10/ssh-with-keys/
joeypesci (Author) Posted January 25, 2009

I'll have a look at those, thanks.
stingwray Posted January 26, 2009

Another option is that you can block IPs on a certain number of incorrect login attempts. This is what I did when I was running an external SSH server. I set it as 5 attempts and then banned forever (or at least until I would unban it), but the number of attempts was reset every two hours. So you could try 4 times every two hours without having to come to me to say sorry for getting yourself blocked. Yes, it's open to some misuse and not perfect, but in my situation it worked perfectly.

If you wanted to have fun you could set up a HoneyPot, which given a number of incorrect tries would take over and then mirror the traffic back to them, record any commands and you can watch them brute force themselves.
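A defender-side implementation of the lockout policy stingwray describes above (5 failures, counter reset every two hours, ban kept until lifted), combined with Sparda's earlier suggestion of a trusted source range, here treated as exempt from lockout. This is an added example, not code from the thread or from Endian or COPSSH; it replays constructed OpenSSH-style auth log lines, and the trusted network, user names and addresses are hypothetical.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
# Constructed sample lines in OpenSSH auth-log style (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Jan 25 10:00:01 sshd[4]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Jan 25 10:00:02 sshd[4]: Failed password for invalid user root from 203.0.113.7 port 40002 ssh2
Jan 25 10:00:03 sshd[4]: Failed password for root from 203.0.113.7 port 40003 ssh2
Jan 25 10:00:04 sshd[4]: Failed password for invalid user test from 203.0.113.7 port 40004 ssh2
Jan 25 10:00:05 sshd[4]: Failed password for invalid user oracle from 203.0.113.7 port 40005 ssh2
Jan 25 10:10:00 sshd[4]: Failed password for invalid user pi from 192.0.2.9 port 41000 ssh2
Jan 25 10:10:01 sshd[4]: Failed password for invalid user pi from 192.0.2.9 port 41001 ssh2
Jan 25 10:10:02 sshd[4]: Failed password for invalid user pi from 192.0.2.9 port 41002 ssh2
Jan 25 11:00:00 sshd[4]: Failed password for joey from 198.51.100.20 port 50001 ssh2
Jan 25 11:00:01 sshd[4]: Failed password for joey from 198.51.100.20 port 50002 ssh2
Jan 25 11:00:02 sshd[4]: Failed password for joey from 198.51.100.20 port 50003 ssh2
Jan 25 11:00:03 sshd[4]: Failed password for joey from 198.51.100.20 port 50004 ssh2
Jan 25 11:00:04 sshd[4]: Failed password for joey from 198.51.100.20 port 50005 ssh2
Jan 25 12:30:00 sshd[4]: Failed password for invalid user pi from 192.0.2.9 port 41004 ssh2
Jan 25 12:30:01 sshd[4]: Failed password for invalid user pi from 192.0.2.9 port 41005 ssh2
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*Failed password for "
                     r"(?:invalid user )?(\S+) from (\S+) port \d+")
MAX_FAILURES = 5                  # ban threshold from stingwray's post
RESET_AFTER = timedelta(hours=2)  # failure counter resets after this, as in the post
# Hypothetical trusted source range (e.g. the office block Sparda suggests allowing); never banned.
TRUSTED_NETS = [ip_network("198.51.100.0/24")]

def parse_failures(text, year=2009):
    """Yield (timestamp, user, source_ip) for every failed-password line; syslog lines lack a year."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), ip_address(m.group(3))
def evaluate_bans(text):
    """Replay the log in order; return {ip: time_of_ban} for sources that hit the threshold."""
    windows, banned = {}, {}
    for ts, _user, ip in parse_failures(text):
        if ip in banned or any(ip in net for net in TRUSTED_NETS):
            continue
        first, count = windows.get(ip, (ts, 0))
        if ts - first > RESET_AFTER:   # older failures no longer count toward the ban
            first, count = ts, 0
        count += 1
        windows[ip] = (first, count)
        if count >= MAX_FAILURES:
            banned[ip] = str(ts)
    return {str(ip): when for ip, when in banned.items()}
```

In the sample, 203.0.113.7 is banned on its fifth failure, 192.0.2.9 escapes because its first three failures have aged out before the next two, and the trusted 198.51.100.20 is never counted.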
taiyed14 Posted January 26, 2009

As ADM1NX said, you should set it up with Public Key Authentication. Watch episode 416. Changing the port probably wouldn't help, but it's always a good idea to change the port. Set your SSH server to use port 443; that port should definitely be open while behind your work's firewall/router.
joeypesci (Author) Posted January 31, 2009

> Another option is that you can block IPs on a certain number of incorrect login attempts. This is what I did when I was running an external SSH server. I set it as 5 attempts and then banned forever (or at least until I would unban it), but the number of attempts was reset every two hours. So you could try 4 times every two hours without having to come to me to say sorry for getting yourself blocked. Yes, it's open to some misuse and not perfect, but in my situation it worked perfectly. If you wanted to have fun you could set up a HoneyPot, which given a number of incorrect tries would take over and then mirror the traffic back to them, record any commands and you can watch them brute force themselves.

I wanted to do something like that but couldn't find an option in OpenSSH or on Endian. I watched the shows but they appeared to skim over importing the key over to PuTTY so I got lost. I also don't understand as I think mine is set up to accept a key and passphrase, yet I haven't imported the public key into PuTTY yet can still connect.
SamjackBlade Posted March 2, 2009

Did you ever get things working?