Blocking attacks on port 22

Q I am going to work abroad for a couple of months and I want to have remote access to my network indoors. So I installed FreeNX on SUSE 9.3 and forwarded port 22 on my Netgear router to the machine, and with no effort at all I was able to bring up my desktop by connecting through the internet to my local computer, look at my emails and start any application available on the box. This morning looking at the /var/log/messages file I saw that someone is attacking port 22. There were hundreds of messages from sshd for different users saying Invalid user <xxx> from :: ffff:195.90.196.20'. There are only two registered users on my system that can log in: root and my user ID, which looks nothing like anything a hacker can guess. I also use strong passwords with upper-and lower-case letters as well as numbers, and no dictionary words. Should I be worried about the attacks? Is there a way to tell sshd to refuse connections after x failed logons in y seconds, or should I just monitor it and drop packets on an IP address basis?

A Such attacks are commonplace if you expose port 22 to the world at number of steps you can take to reduce the chances of someone getting in. Strong passwords are the first step. As you are using SSH for remote desktop use, you don't need root access, so disable that in /etc/ssh/sshd_config. Find the line

PermitRootLogin yes

and change the yes to no to block root access. You can still have root access if you need it by connecting as your user and using su to switch to root, but a cracker would have to first crack your username, then your password and then the root password. Alternatively, change the yes to without-password. This allows root logins, but only if you have an authorised key. See the man pages for ssh and ssh-keygen for details on generating and using keys like this. You could require all users to have a key, but this would mean copying your key to any computer you needed to use to log in. This is the best option if you will be using your own laptop via whatever internet connection you have available, large. But there are a but won't be much use if you plan to use other computers. You enable this in the configuration file with

PasswordAuthentication no

You could also run SSH on a non-standard port, something above 1024, by changing the 'Port 22' line in sshd_config and passing the new port number to nxclient or knx. This provides an extra layer of complication for the crackers to work through, and significantly cuts down on the number of logged access attempts. There are a number of programs that will monitor log files and block IP addresses that attempt brute force attacks on SSH or other ports. You could look at http://breakinguard.sourceforge.net, http://daemonshield.sourceforge.net or www.csc.liv.ac.uk/~greg/sshdfilter.

Follow us on Identi.ca or Twitter

Username:   Password:
Create Account | About TuxRadar