Author: James Gregory
Date:
To: users
Subject: Re: [bitfolk] The perils of opening tcp/22 to the Internet
Hi Andy et al,
> This very long email is about possible pro-active measures I could
> take to prevent customers being compromised by SSH dictionary
> attacks. *snip*
Yes, a very long email :)
> Do you think there's any pro-active measures that would be
> acceptable to VPS customers? Typical ways to foil SSH dictionary
> attacks:
>
> 1) Only use strong passwords.
I agree - there's very little you can do about this.
> 2) Don't use passwords at all, only keys.
That wouldn't be a bad idea, but as you rightly mention, those who
aren't used to using keys (or carrying them around [bad idea?]) would
be stuck here.
> 3) Disable root login.
I would say yes for every OS. There shouldn't really be any need to
log in as root (esp if you can su/sudo up to it).
> 4) Restrict the list of usernames that are valid, in combination
> with (1) and (3).
Difficult to implement, as you say.
> 5) Install DenyHosts or Fail2Ban.
I don't think there would be anything wrong with doing this. Yes, some
people might find it controversial, but surely they can remove it if
they please.
> 6) Move sshd to another port.
More of a security by obscurity approach, but it would limit the
inbound attacks.
> More?
I don't really know how you 'filter' outbound connections (I expect
little is done) but could you set up an outbound SSH rule that dropped
any connections from a server that was making, say, 100 outbound
connections in 10 seconds? Would any server have a legitimate reason
for doing this? It wouldn't stop the compromised host, but it would
limit the possibility of them compromising other hosts.
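The sshd_config side of measures 2, 3, 4 and 6 discussed in this thread (keys only, no root login, a username allow-list, a non-default port), as an added example that is not code from the thread or from BitFolk: a POSIX shell script that audits an sshd_config for those settings and produces a hardened copy. The sample config text, the usernames `andy` and `james` and port 2222 are constructed for the example; nothing here touches /etc/ssh.

```shell
#!/bin/sh
# Added example, not from the bitfolk thread. Audits an sshd_config for the
# measures discussed (keys only, no root login, AllowUsers, non-default port)
# and writes a hardened copy. Match blocks are not handled; sshd applies the
# FIRST occurrence of a directive, so the hardened values are prepended.

# Constructed sample of a default-ish sshd_config (not a real file).
SAMPLE_CONFIG='# constructed sample sshd_config
Port 22
#PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
'

# ssh_get DIRECTIVE: print the effective value of a directive from the config
# on stdin (first uncommented match, case-insensitive, like sshd itself).
ssh_get() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        { if (tolower($1) == key && !found) { found = 1; print $2 } }
    '
}

# harden_sshd_config "USER1 USER2" PORT: read a config on stdin, drop any
# existing settings for the directives we control, and emit the hardened copy.
harden_sshd_config() {
    allow="$1"; port="$2"
    stripped=$(awk '
        BEGIN {
            n = split("port permitrootlogin pubkeyauthentication passwordauthentication challengeresponseauthentication allowusers", a, " ")
            for (i = 1; i <= n; i++) drop[a[i]] = 1
        }
        /^[[:space:]]*(#|$)/ { print; next }      # keep comments and blank lines
        { if (!(tolower($1) in drop)) print }     # drop directives we will set
    ')
    printf 'Port %s\n' "$port"                     # measure 6: move off tcp/22
    printf 'PermitRootLogin no\n'                  # measure 3: no root login
    printf 'PubkeyAuthentication yes\n'            # measure 2: keys only
    printf 'PasswordAuthentication no\n'
    printf 'ChallengeResponseAuthentication no\n'  # otherwise PAM still prompts for a password
    printf 'AllowUsers %s\n' "$allow"              # measure 4: username allow-list
    printf '%s\n' "$stripped"
}

# expect DIRECTIVE VALUE CONFIG: succeed only if the effective value matches.
# An unset directive fails, because sshd's defaults (password auth on, root
# login allowed on older releases) are exactly what the attackers rely on.
expect() {
    got=$(printf '%s\n' "$3" | ssh_get "$1")
    [ "$got" = "$2" ] && return 0
    echo "FAIL: $1 is '${got:-unset}', want '$2'"
    return 1
}

# audit_sshd_config PORT: read a config on stdin; return 0 only if every
# measure is in place, otherwise print each failure and return 1.
audit_sshd_config() {
    want_port="$1"
    cfg=$(cat)
    rc=0
    expect Port "$want_port" "$cfg" || rc=1
    expect PermitRootLogin no "$cfg" || rc=1
    expect PasswordAuthentication no "$cfg" || rc=1
    expect ChallengeResponseAuthentication no "$cfg" || rc=1
    [ -n "$(printf '%s\n' "$cfg" | ssh_get AllowUsers)" ] || { echo "FAIL: AllowUsers unset"; rc=1; }
    return $rc
}

# Demo on the constructed sample.
printf '%s' "$SAMPLE_CONFIG" | audit_sshd_config 22 || echo "sample config is not hardened"
printf '%s' "$SAMPLE_CONFIG" | harden_sshd_config "andy james" 2222 \
    | audit_sshd_config 2222 && echo "hardened config passes"
```

To apply it to a real box, write the hardened output to a temporary file, validate it with `sshd -t -f /tmp/sshd_config.new` before moving it into place, and keep an existing session open while restarting sshd so a typo in AllowUsers cannot lock you out. For the outbound rate limit floated at the end of the mail, one way to express "more than about 100 new SSH connections in 10 seconds from one guest" on a Linux host that forwards guest traffic (an assumption about the setup) is a hashlimit rule in the FORWARD chain, e.g. `iptables -A FORWARD -p tcp --dport 22 --syn -m hashlimit --hashlimit-name ssh-out --hashlimit-mode srcip --hashlimit-above 10/sec --hashlimit-burst 100 -j DROP`; the numbers are illustrative and the exact chain depends on how the host bridges or routes for its guests.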