SSH is by default very strong, and since a long time without critical bugs. It has strong protection against various hacks and known vulnerabilities. For instance SSH has a password retry wait time of (default) five seconds. This makes the time for brute force attacking an SSH-server very long and not effective. However, sometimes script-kiddies will fork their hacking program making multiple processes of the brute force attack. Sometimes they are able to fork it off upwards of 1000 attempts every 5 seconds. This drastically minimizes the time to crack short passwords.
I think SSH is secure enough, but there is always a way to make it more secure.
Install knock daemon:
aptitude install knockd
Don’t try to start it you will get this warning:
knockd disabled: not starting. To enable it edit /etc/default/knockd (warning).
rhea ~ # vim /etc/default/knockd # START_KNOCKD=1
1 2 3 4 5 6 7 8 9 10 11
rhea ~ # cat /etc/knockd.conf [options] logfile = /var/log/knockd.log [opencloseSSH] sequence = 5555,7777,9999 seq_timeout = 15 tcpflags = syn start_command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT cmd_timeout = 10 stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
Knock to get access to server rhea:
id@tower:~$ knock rhea 5555 7777 9999
Use flag -v to be verbos
You could use this tiny firewall to test knocking;
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
iptables -F iptables -X iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT ACCEPT iptables -A INPUT -p icmp -j ACCEPT iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable iptables -A INPUT -i lo -j ACCEPT # HTTP iptables -A INPUT -p tcp --dport 80 -j ACCEPT # SSH only from one PC - if you have trouble iptables -A INPUT -p tcp -s 192.168.1.5 --dport 22 -j ACCEPT
Please remember the knock ports, or you lock yourself out – you have no other chance to get SSH working. (Only Monitor way)
There is a knock client for windows too: Click-me