[CLUE-Tech] SSH probes

David Anselmi anselmi at americanisp.net
Sat Apr 20 11:23:12 MDT 2002


George Finney wrote:

[...]


> I suppose with the SSH kiss session last week, I thought it would be
> good to start a discussion on SSH security.

I don't know that there's much to say about SSH security.  Just common
sense:

- keep up with security fixes in your client and server
- don't allow protocol version 1
- don't allow host-based authentication; require a password or public
key authentication
- use tcpwrappers or iptables (or a separate firewall) to allow only
trusted connections
- use strong ciphers and key lengths
- use a good random number generator (Linux seems to be reasonably good
if you have /dev/random and /dev/urandom)

I'm sure there are other things you could add to the list.

Scans collecting host keys are not necessarily malicious.  The protocol
allows them (reasonably IMHO); see ssh-keyscan(1).  If you're paranoid
enough that you don't want to advertise your ssh servers, set your
firewall rules to block them.  Perhaps something like portsentry could
do adaptive rule changes to block those scanning your network.

Dave
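
Added example, not part of the original message: a small audit of sshd_config text against the config-level items in the checklist above (protocol 1, host-based authentication, password or public key authentication, ciphers). The sample config, the finding names and the weak-cipher set are assumptions made for illustration, and the Protocol check assumes an OpenSSH release that still honours that keyword.

```python
import re

# Constructed sample sshd_config for illustration; not from the original post.
SAMPLE_CONFIG = """\
Protocol 2,1
HostbasedAuthentication yes
PasswordAuthentication yes
Ciphers aes128-cbc,3des-cbc
"""

# Assumption: ciphers this example treats as weak; adjust to your own policy.
WEAK_CIPHERS = {"3des-cbc", "arcfour", "blowfish-cbc", "cast128-cbc"}


def parse_sshd_config(text):
    """Map lowercased keyword -> value. The first value wins, as in sshd.
    Parsing stops at the first Match block (conditional overrides not handled)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument may be separated by whitespace and/or "=".
        key, _, value = re.sub(r"[\s=]+", " ", line, count=1).partition(" ")
        if key.lower() == "match":
            break
        settings.setdefault(key.lower(), value.strip())
    return settings


def audit(text):
    """Return finding IDs for settings that contradict the checklist."""
    s = parse_sshd_config(text)
    findings = []
    protocols = [p.strip() for p in s.get("protocol", "").split(",") if p.strip()]
    if "1" in protocols:
        findings.append("protocol-1-enabled")
    elif not protocols:
        # Older OpenSSH releases defaulted to "2,1"; an unset value is not assumed safe.
        findings.append("protocol-not-pinned")
    if s.get("hostbasedauthentication", "no").lower() == "yes":
        findings.append("hostbased-auth-enabled")
    if (s.get("passwordauthentication", "yes").lower() == "no"
            and s.get("pubkeyauthentication", "yes").lower() == "no"):
        findings.append("password-and-pubkey-both-disabled")
    for cipher in s.get("ciphers", "").split(","):
        if cipher.strip() in WEAK_CIPHERS:
            findings.append("weak-cipher:" + cipher.strip())
    return findings
```

Run `audit()` on the contents of the server's own sshd_config; network-level items from the list (tcpwrappers, iptables) are outside what this file can show.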




