[lug] Re: What to do about SSH attacks
Sean Reifschneider
jafo at tummy.com
Sun Nov 14 18:29:05 MST 2004
On Fri, Oct 29, 2004 at 09:37:32PM -0600, Lee Woodworth wrote:
>Looks good. Is the reason you are restricting sshd to using unused
>privileged ports is that it makes it easier to guarantee the port will
>be free on a reboot? Are there other reasons not to use the full port
In the past at least, SSH has acted differently when using a non-privileged
port. This may have changed in OpenSSH, but it's just habit. For one
system we have it on a privileged non-WKS port, then use NAT to also make
it available on a higher port. One user's firewall was blocking connections
to the privileged port.
>range? It seems like the privileged port range is scanned more than the
>complete range, so using higher ports may discourage the casual attackers.
I think the privileged WKS port is the 90% solution. For the 100%
solution, set up a VPN and make SSH only available over the VPN. ;-)
>Any thoughts about disabling version 1 of the SSH protocol altogether?
>OpenSSH, Putty and F-Secure all support Version 2, so my clients haven't
>had problem with version 1 being disallowed.
Yeah, I'm just as happy disabling SSH 1.
>If you have internal/external interfaces on a gateway machine, it may be
>worthwhile to run two sshd instances. One listens on port 22 on the
>internal net only (see the ListenAddress directive) and could allow
>passwords (if you trust the internal machines). The other listens on a
>non-standard port on the external interface and only allows public keys.
Sounds complicated. Might as well be consistent, especially if it means
you've got a more secure setup as well.
Sean
--
The early bird may get the worm, but the second mouse gets the cheese.
Sean Reifschneider, Member of Technical Staff <jafo at tummy.com>
tummy.com, ltd. - Linux Consulting since 1995. Qmail, Python, SysAdmin
Back off man. I'm a scientist. http://HackingSociety.org/
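The two-instance layout Lee describes above (port 22 on the internal interface with passwords allowed, a non-standard port on the external interface with public keys only, both using ListenAddress, with protocol 1 disabled), written out as an added example that is not part of the original thread. The addresses 192.168.1.1 (internal) and 192.0.2.1 (external), the external port 2222, the config file paths and the PidFile names are all constructed for illustration; the check function only greps the generated files, and the sshd -t step runs only where sshd is installed.

```shell
#!/bin/sh
# Added example, not from the original thread. Writes the two sshd_config files
# for a split internal/external setup and checks that the external one can
# never fall back to password authentication.
set -eu

# Where the generated files go; override with CONF_DIR=/etc/ssh on a real box.
CONF_DIR="${CONF_DIR:-$(mktemp -d)}"

# Internal instance: standard port, internal interface only, passwords permitted
# (assumes the internal machines are trusted, as the post says).
write_internal_config() {
    cat > "$CONF_DIR/sshd_config.internal" <<'EOF'
ListenAddress 192.168.1.1:22
PidFile /var/run/sshd-internal.pid
# 2004-era way of refusing SSH protocol 1; current OpenSSH only speaks 2 and
# ignores this directive with a deprecation warning.
Protocol 2
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin no
EOF
}

# External instance: non-standard port, external interface only, keys only.
write_external_config() {
    cat > "$CONF_DIR/sshd_config.external" <<'EOF'
ListenAddress 192.0.2.1:2222
PidFile /var/run/sshd-external.pid
Protocol 2
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
EOF
}

# has_directive FILE KEYWORD VALUE: true when FILE sets KEYWORD to VALUE
# (VALUE is an extended regex, so dots must be escaped by the caller).
has_directive() {
    grep -Eq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|$)" "$1"
}

# The reason for the split is that the instance reachable from outside never
# accepts a password or a keyboard-interactive prompt, and never listens on
# the internal address/port. Returns 0 when all of that holds.
check_external_config() {
    f="$CONF_DIR/sshd_config.external"
    has_directive "$f" PasswordAuthentication no &&
    has_directive "$f" ChallengeResponseAuthentication no &&
    has_directive "$f" PubkeyAuthentication yes &&
    ! has_directive "$f" ListenAddress '192\.168\.1\.1:22'
}

# Let sshd parse both files. -t validates only and does not bind the ports,
# but it does need the host keys to exist, so this is skipped when sshd is
# not installed on the machine running the script.
syntax_check() {
    if ! command -v sshd >/dev/null 2>&1; then
        echo "sshd not installed; skipping sshd -t" >&2
        return 0
    fi
    sshd -t -f "$CONF_DIR/sshd_config.internal"
    sshd -t -f "$CONF_DIR/sshd_config.external"
}

# Usage: generate, check, and (where possible) syntax-check both files.
write_internal_config
write_external_config
check_external_config
syntax_check
echo "configs written to $CONF_DIR"
```

With the files in place, the second daemon is started against its own file, e.g. `sshd -f /etc/ssh/sshd_config.external`; the separate PidFile keeps the two instances from clobbering each other's pid file. The grep check is deliberately strict about the external file, since a later edit that re-enables PasswordAuthentication there silently undoes the whole point of the arrangement.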