One Unified Global Perspective
2006 Nov 23 - Thu

SSHD Intrusion Prevention

First version: 2006/11/23

There are many bots out on the internet that scan for Linux hosts and attempt automated sign-ins to machines using common usernames and dictionary passwords. It is tough to lock those bots out but still allow users to sign into a machine.

To close that loophole in a system's security, there are a couple of things to do. First of all, be sure that telnet access to a machine has been turned off. Telnet is not a secure remote access technology, as all traffic, including passwords, is transmitted in the clear.

The alternate form of remote console access to a machine is through an ssh client. There are two primary ssh protocols, ssh1 and ssh2, with the second being more secure than the first. With the ssh daemon running on a machine in its standard configuration, the bots can still attempt username and password scans, and possibly, through luck of the draw, gain access. Even though passwords and usernames are encrypted, that doesn't prevent the bots from trying them anyway.

In a related article regarding Putty SideKicks, I wrote about how to create public/private key-pairs. This key-pair concept is required for implementing this solution.

Make sure the authorized_keys file in the user's .ssh directory has been updated with their public key. Then, in the sshd_config file, there is an entry called 'PasswordAuthentication'. It is typically set to 'yes'. Set it to 'no', and restart the sshd daemon.

This will prevent all password based logins to a server. Only users with pre-arranged public/private key-pairs will be allowed access to the server.
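
A pre-flight check for the procedure above, added here as an example (not the author's code): it reads the effective PasswordAuthentication value from an sshd_config file and confirms that at least one public key is present in authorized_keys, so a commented-out or shadowed entry, or a missing key, is caught before sshd is restarted. The function names and the sample files are constructed for illustration.

```shell
# Added example, not the author's code. Function names are hypothetical
# and the sample files below are constructed.

# Print the effective global value of KEYWORD in an sshd_config file.
# sshd keeps the first value it reads for a keyword, and keywords are
# case-insensitive. Scanning stops at the first Match block; Include
# files are not followed (assumption: a single flat config file).
effective_setting() {  # usage: effective_setting FILE KEYWORD DEFAULT
    awk -v want="$2" -v dflt="$3" '
        { sub(/^[ \t]+/, "") }                # drop leading whitespace
        /^#/ || /^$/ { next }                 # skip comments and blank lines
        tolower($1) == "match" { exit }       # global section ends here
        tolower($1) == tolower(want) { print tolower($2); found = 1; exit }
        END { if (!found) print dflt }
    ' "$1"
}

# Count key lines (non-comment, non-blank) in an authorized_keys file.
key_count() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c -v -E '^[[:space:]]*(#|$)' "$1" || true
}

# Return 0 only when password logins are off and a key is in place.
check_key_only() {  # usage: check_key_only SSHD_CONFIG AUTHORIZED_KEYS
    pa=$(effective_setting "$1" PasswordAuthentication yes)
    keys=$(key_count "$2")
    if [ "$keys" -eq 0 ]; then
        echo "LOCKOUT RISK: no public key in $2"; return 2
    fi
    if [ "$pa" != "no" ]; then
        echo "password logins still enabled (PasswordAuthentication $pa)"; return 1
    fi
    echo "ok: password logins disabled, $keys key(s) authorized"
}

# Constructed sample files (not taken from a real host).
demo=$(mktemp -d)
printf '%s\n' '#PasswordAuthentication no' 'Protocol 2' \
    'PasswordAuthentication yes' > "$demo/sshd_config.before"
printf '%s\n' 'Protocol 2' 'passwordauthentication no' \
    'PasswordAuthentication yes' > "$demo/sshd_config.after"
printf '%s\n' '# constructed placeholder key' \
    'ssh-rsa AAAAB3NzaC1yc2EXAMPLEONLY user@example' > "$demo/authorized_keys"
: > "$demo/empty_keys"
check_key_only "$demo/sshd_config.before" "$demo/authorized_keys" || true
check_key_only "$demo/sshd_config.after"  "$demo/authorized_keys" || true
check_key_only "$demo/sshd_config.after"  "$demo/empty_keys"      || true
```

Point it at the server's own sshd_config and the user's authorized_keys before restarting sshd, and keep an existing session open until a key-based login has been confirmed.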

This closes down one form of unauthorized access to a server. However, other remotely accessible applications on a server still need evaluation to determine their risk in permitting server intrusions.



Blog Content ©2008
Ray Burkholder
All Rights Reserved
ray@oneunified.net
(441) 505 7293