[SGVLUG] ssh breakins - tcp wrappers
Claude Felizardo
cafelizardo at gmail.com
Fri Aug 4 11:30:42 PDT 2006
On 8/4/06, Stan Schwarz <stan at iron.gps.caltech.edu> wrote:
> > another idea: tcp wrapper that blocks "dmisinetworks.net" from ssh?
>
> This is what I do on my home machine. I just have tcp wrappers
> set to only allow ssh from my machines at work and that's all.
At home I use multiple layers:
1) Router w/NAT that blocks port 22 and forwards non standard port to
my Linux box
2) shorewall (iptable manager)
3) tcpwrappers
4) sshd listens to both 22 and secret port
5) ssh-keys with pass phrases
I have tcpwrappers configured to only allow specific machines and send
an email message when something unexpected comes in. Assuming little
traffic due to the non standard port, this has helped track down
problems when I try to connect from a new machine that isn't on the
list:
sshd: host1.domain: ALLOW
sshd: host2.domain: ALLOW
ALL : ALL : spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s "Port Denial on XXXXX for %d from %h" root) &: DENY
which sends me a message that looks like this:
Subject: Port Denial on XXXXX for sshd from xxx.yyy.zzz
Hey, anyone know what %flag to use in the hosts.allow file to get the
name of your local machine? I just noticed it's hard coded. Don't
want the fully qualified name.
At work it's pretty much the same except they block all traffic now
unless you go through their gateway.
Most machines block finger nowadays but I used to get email with a
list of who was logged onto the remote machine. At work, the network
police run a daily scan so I get at least one email a day which lets
me know everything is running fine.
If you don't know in advance where people will be connecting from, you
might want to consider a script that blocks an IP if there's too many
failed attempts. I've been wanting to try port knocking but just
haven't gotten around to it.
http://www.shorewall.net/PortKnocking.html
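The "block an IP after too many failed attempts" idea from the message above, as an added example that is not part of the original post: a POSIX shell script that counts sshd "Failed password" lines per client address over a constructed sample log and turns the offenders into hosts.deny entries. The log lines, the threshold and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample of sshd syslog lines (not from the original post).
SAMPLE_LOG='Aug  4 11:01:02 box sshd[2001]: Failed password for root from 203.0.113.5 port 40000 ssh2
Aug  4 11:01:05 box sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Aug  4 11:01:09 box sshd[2003]: Failed password for root from 203.0.113.5 port 40002 ssh2
Aug  4 11:02:00 box sshd[2004]: Accepted publickey for claude from 198.51.100.7 port 51000 ssh2
Aug  4 11:03:10 box sshd[2005]: Failed password for root from 198.51.100.7 port 51001 ssh2'

# failed_ips THRESHOLD < logfile
# Prints every client address with at least THRESHOLD "Failed password"
# lines, one per line, sorted. Only POSIX awk and sort are used.
failed_ips() {
    threshold="${1:-5}"
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # The address is the field following the word "from".
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print ip }
    ' | sort
}

# hosts_deny_lines THRESHOLD < logfile
# Formats the offending addresses as hosts.deny entries for sshd, in the
# same "daemon: client : action" style as the hosts.allow lines above.
hosts_deny_lines() {
    failed_ips "$1" | awk '{ print "sshd: " $1 " : DENY" }'
}

# Stand-alone run over the constructed sample with a threshold of 3.
printf '%s\n' "$SAMPLE_LOG" | hosts_deny_lines 3
```

Lines printed by hosts_deny_lines can be appended to /etc/hosts.deny; review them first, since a legitimate user mistyping a passphrase will also show up once the threshold is reached.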