Security is a bastard! Only two weeks ago, I did some major upgrades to my
internet server system. In particular, I improved my root password to a 6-digit
randomly generated one, hoping that it would take a few years to get through all
the combinations with that 3-second delay. WRONG WRONG WRONG, but my old
setup was even worse.
It took them 14 days, on a system with only ssh open! How? Because I was
naive. The MaxSessions parameter misled me a bit into believing that it means
connections, but a session is not a connection, so hey, let's open a thousand
connections, and every connection tries 3 passwords; much faster!
So what did I do to prevent this from happening again:
- Setting PermitRootLogin back to without-password
- creating a special user who gives me access to su so I can get root in case of key loss
- the special user has no obvious name; you can guess it.
- 8-character randomly generated passwords
- adding the following iptables rule:
iptables -A INPUT -p tcp -m tcp --dport 22 \
    --tcp-flags FIN,SYN,RST,ACK SYN \
    -m connlimit --connlimit-above 10 \
    --connlimit-mask 32 --connlimit-saddr \
    -j REJECT --reject-with icmp-port-unreachable
And that is now the default on all systems. This will work until the next one comes along.
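As an added example (mine, not the post author's setup), the script below turns the list above into something checkable: it prints the sshd_config lines that close the holes described (root password login, password authentication, and the session-versus-connection confusion, which is what MaxStartups governs rather than MaxSessions), audits an existing sshd_config for the weak settings, and emits the connlimit rule with proper double-dash options. The file paths, the connection limit and the MaxStartups values are assumptions; the OpenSSH keywords themselves are real.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a POSIX shell with sed,
# grep and mktemp; nothing here touches the live sshd or iptables.

# Print the sshd_config directives a hardened host should carry.
# "prohibit-password" is the current spelling of "without-password";
# recent OpenSSH accepts both. Numeric values below are assumptions.
sshd_hardening_snippet() {
    cat <<'EOF'
PermitRootLogin prohibit-password
PasswordAuthentication no
MaxAuthTries 3
# MaxStartups caps *unauthenticated* connections (start:rate:full).
# MaxSessions only caps channels inside one already-authenticated connection,
# so it does nothing against a thousand parallel password guesses.
MaxStartups 10:30:60
LoginGraceTime 20
EOF
}

# Audit FILE for the settings that make password brute force possible.
# Returns 0 when nothing weak is found, 1 otherwise; each finding is printed.
# Comments and blank lines are stripped first so only effective directives count.
audit_sshd_config() {
    file=$1
    rc=0
    cfg=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file")
    if printf '%s\n' "$cfg" | grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+yes'; then
        echo "WEAK: PermitRootLogin yes (root is brute-forceable by password)"
        rc=1
    fi
    if ! printf '%s\n' "$cfg" | grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+no'; then
        echo "WEAK: PasswordAuthentication is not set to no"
        rc=1
    fi
    if ! printf '%s\n' "$cfg" | grep -Eiq '^[[:space:]]*MaxStartups[[:space:]]'; then
        echo "WEAK: MaxStartups not set explicitly (daemon default applies)"
        rc=1
    fi
    return $rc
}

# Print the connlimit rule: reject new SYNs to port 22 once a single source
# address already holds more than LIMIT connections. This only prints the
# command; run its output as root to install the rule.
connlimit_rule() {
    limit=${1:-10}
    printf 'iptables -A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above %s --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with icmp-port-unreachable\n' "$limit"
}

# Usage (assumed paths):
#   audit_sshd_config /etc/ssh/sshd_config || echo "fix the findings above"
#   sshd_hardening_snippet >> /etc/ssh/sshd_config && sshd -t
#   connlimit_rule 10 | sh
```

Run the audit before and after editing sshd_config, and always validate with `sshd -t` before restarting the daemon, since a typo in sshd_config can lock you out just as effectively as an attacker. Note that the connlimit rule counts connections per source address, so a botnet spreading its guesses across many hosts is still only slowed by MaxStartups and MaxAuthTries, not stopped; disabling password authentication for the accounts that matter is what actually ends the game.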