Secure Shell (SSH) Security

I see a lot of SSH brute force attacks on a daily basis. Most of these are scripts being blindly run against servers, but there is the occasional one where a hacker is directly targeting a system. The biggest problem with defending against these attacks is SSH’s biggest benefit: the use of encryption. Because the traffic is encrypted, an IDS/IPS device cannot see into the packet and show us what the attack is trying to do.

However, defending against SSH attacks is quite easy even if we can’t see into the packet: simply block it at the firewall. If you have no need for external access (or internal, for that matter), block port 22 or stop the SSH service entirely. If there is a need for SSH, limit access to specific systems. Don’t open it up to the world unless you need to.

Some people may think, why not change the port instead of blocking it? This may work to some degree, but security by obscurity is not a best practice for a reason. Case in point: even if you change the port for SSH, there are these little tools out there called port scanners that can find which port your SSH server is running on in a matter of seconds. Changing the port might save you from automated scripts, but it will not save you from a determined hacker. So let’s review.

  • Block port 22 at the firewall.
  • If needed, use ACLs to limit who can access which servers. Be specific; don’t open it up to the world. Do this for host-based firewalls as well.
  • Use IPS devices to detect SSH attacks and BLOCK them.
  • Don’t try to change the port in the name of security.

These simple measures can keep out the majority, if not all, of SSH attacks.
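Since the payload is encrypted, detection has to rest on behaviour rather than packet contents. The following is an added example, not part of the original post: it counts failed logins per source address in sshd log lines and lists the addresses to block, skipping a trusted management range that the ACL already covers. The log lines, addresses, threshold, window and the `find_bruteforce` name are constructed assumptions, and the classic syslog line format is assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sshd log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
Mar 10 03:14:01 host sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar 10 03:14:03 host sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Mar 10 03:14:05 host sshd[812]: Failed password for root from 203.0.113.7 port 40131 ssh2
Mar 10 03:14:09 host sshd[813]: Failed password for alice from 192.0.2.10 port 51000 ssh2
Mar 10 03:14:10 host sshd[813]: Accepted password for alice from 192.0.2.10 port 51000 ssh2
Mar 10 03:20:00 host sshd[820]: Failed password for root from 198.51.100.4 port 33000 ssh2
Mar 10 03:40:00 host sshd[821]: Failed password for root from 198.51.100.4 port 33010 ssh2
Mar 10 04:10:00 host sshd[822]: Failed password for root from 198.51.100.4 port 33020 ssh2
"""

FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from ([0-9a-fA-F.:]+) port \d+")

def find_bruteforce(log_text, allowed_nets=(), threshold=3, window=timedelta(minutes=1)):
    """Return sorted source IPs with >= threshold failures inside any sliding window."""
    allowed = [ip_network(n) for n in allowed_nets]
    recent = defaultdict(deque)  # source IP -> timestamps of its recent failures
    offenders = set()
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; a fixed one is assumed for parsing.
        ts = datetime.strptime("2024 " + m.group(1), "%Y %b %d %H:%M:%S")
        src = ip_address(m.group(2))
        if any(src in net for net in allowed):
            continue  # trusted management range: handled by the ACL, never auto-blocked
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            offenders.add(str(src))
    return sorted(offenders)

if __name__ == "__main__":
    for ip in find_bruteforce(SAMPLE_LOG, allowed_nets=["192.0.2.0/24"]):
        print("block", ip)
```

The slow source (198.51.100.4) stays under the one-minute threshold, which is why the firewall ACL, not rate-based detection, remains the primary control.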
