APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

Why not just turn it off?

Silly me. I log in to my hosted webserver through ssh to edit pages and all that fun stuff. Of course I have that locked down: only one user is listed in AllowUsers, and that user has to use public key authentication (see SSH passphrases and keys).

That doesn't stop people from trying to log in; it just prevents them from getting in without knowing a lot more than most script-kiddie hackers know.

However, I realized something today that I should have realized a long time ago. The people who try to get in aren't getting in, but they are wasting system resources and they do clutter up my logs. Most hosted webservers, mine included, have some sort of web based interface that allows you to control services. Why on earth do I even have sshd turned on when I don't need it?

Duh! All I need to do is turn it on when I want to log in, log in, and then immediately shut it off. That doesn't affect my current session; it just refuses future connections. No more wasted CPU for the wannabe hackers, no more silly log entries.

Of course I couldn't do that if other non-admin users needed access, but for this server, it's just me. I am the one and only legitimate user.

I'm almost tempted to reset this to "PasswordAuthentication yes". With the other protections in place (AllowUsers, MaxStartups, etc.) and sshd only turned on for the brief time that I need to log in, that could be safe enough, and it would certainly be convenient if I ever needed to log in from somewhere without my key (I do have it on a USB stick, but I don't always have that with me). I'll have to think about that: if I were forgetful and left it on, I'd be far less secure, and I *am* forgetful! Better leave it as it is.

As you'll see in the comments, some smart folks convinced me that it makes more sense to shut off the web admin interface and leave ssh as it is.
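One way to check that the sshd_config lockdown described above is actually in force, as an added example that is not from this post: it parses the file with sshd's first-occurrence-wins rule and reports which of the listed protections (a single user in AllowUsers, public key only, MaxStartups) are missing. The user name and both sample configs are constructed, and Match blocks are assumed absent.

```python
"""Audit the sshd_config keywords this post relies on (added example).
Reads sshd_config text as sshd does for these keywords: first occurrence
wins, keywords are case-insensitive, lines starting with '#' are comments.
Assumption: no Match blocks; anything after one is skipped."""
import re

# sshd's documented defaults, and what a single-admin host should carry.
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}
EXPECTED = {"passwordauthentication": "no", "pubkeyauthentication": "yes"}

def parse_sshd_config(text):
    """Return {keyword: value} using sshd's first-match-wins rule."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match"):
            break  # conditional settings; out of scope for this check
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def audit(text):
    """Return sorted findings; an empty list means the post's lockdown holds."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = [f"{k} is {cfg[k]}, expected {v}"
                for k, v in EXPECTED.items() if cfg[k].lower() != v]
    users = cfg.get("allowusers", "").split()
    if not users:
        findings.append("allowusers is unset: every account may attempt login")
    if "maxstartups" not in cfg:
        findings.append("maxstartups not set explicitly (post lists it as a protection)")
    return sorted(findings)

# Constructed sample: the "PasswordAuthentication yes" change the post decides against.
WEAK = """\
PasswordAuthentication yes
AllowUsers tony
"""
# Constructed sample: the lockdown the post keeps; the last line shows first-wins.
HARDENED = """\
AllowUsers tony
PubkeyAuthentication yes
PasswordAuthentication no
MaxStartups 10:30:60
PasswordAuthentication yes
"""
```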



© Anthony Lawrence







Sat Mar 14 01:19:54 2009: 5692   drag

Personally I trust openssh much more than I trust a web interface for turning ssh on and off. :)

So I'd rather disable the web interface for doing that sort of thing!



Sat Mar 14 04:19:30 2009: 5693   yungchin

If you're mostly looking to keep your logs clean, wouldn't the port-knocking thing (where sshd only opens for connections after some chosen sequence of ports has been pinged) be a nice solution?



Sat Mar 14 05:02:45 2009: 5694   drag

Well if you want to keep logs cleaned the easiest way would be to stick it on a nonstandard port, like port 230 or something. That avoids pretty much all the automated scanners out there.

That's all you really need to do.

Of course things like that have very little, if any, real security benefit, including port knocking (essentially you're sending a plain-text password unencrypted over the internet prior to using your real ssh one).

However, the correct way is to simply use tools to examine your logs and help you collect useful data. Any decent software should ignore any failed login attempts. After all, failed logins mean your stuff is working... it's the logins that don't fail that are the important ones.



Sat Mar 14 12:33:07 2009: 5700   TonyLawrence

Port knocking doesn't involve sending any passwords. (link)

The admin pages for website control are actually very handy. I understand your point, but I don't agree. As to non-standard ports, I never found that to stop much - they try EVERYTHING.

Logs? I just don't want to bother. If ssh is off, there's nothing to look at.



Sat Mar 14 14:12:15 2009: 5701   BigDumbDinosaur

With one lone exception, I have set up all the servers under my control so SSH comes in on a high, unassigned port. No login failures get logged because the miscreants who are trying to get in are looking in all the wrong places.

BTW, that one exception is at a client where the Windows administrator insists that SSH come in on port 22, even though there have been numerous unsuccessful attempts to break in. The guy can't seem to understand that SSH can be served at any port, so why use 22? These Windows wonks piss me off sometimes!



Sat Mar 14 16:20:09 2009: 5704   Patric

The port-knocking post is essentially saying that adding a layer of authentication that is unencrypted is not an addition, since it can easily be observed. I find that it does add a layer of steganography: there's a lot of noise of various ports being knocked on by lots of people to sort through to find the signal of successful logins. As to the nonstandard port, can you offer a comparison of log entries from 22 and another port you've run SSH on? I don't think I've ever seen 1% of the attempted connections on any other port than on 22. I do think that cipher strength and chain of trust are significant benefits to SSH (I believe that current SSH is 2048-bit encryption, by default) and there are mitm attacks in the wild against https, so taking the CA out of the loop is a benefit as far as I am concerned. I'd agree with the post that recommended turning off your web-based administration and only allowing SSH access by default.



Sat Mar 14 16:51:08 2009: 5706   TonyLawrence

Interesting critique of port knocking at (link)



Sat Mar 14 16:59:24 2009: 5707   TonyLawrence

Patric, I understand your point but if I'm going to worry about https hacking I might as well just shut down the whole site anyway.

Frankly, the site is much more vulnerable from ftp than anything else.



Sat Mar 14 23:50:50 2009: 5708   TonyLawrence

You know, I've been thinking about this all day and you guys are right.

I'll disable the admin page and leave ssh on with my keys.



Sun Mar 15 20:23:47 2009: 5713   jtimberman

In addition to the normal ssh lockdowns via sshd_config settings, I recommend fail2ban, if it's available for your platform.

fail2ban watches the log files for various services including sshd and will prop up iptables rules to drop connections when someone is trying to brute force, and other unauthorized access attempts.

(link)



Mon Mar 23 15:43:36 2009: 5822   Ralph

I have decided to reduce the amount of ssh break-in attempts by setting up a firewall rule on my VPS that essentially limits the number of logins per minute. Automated ssh requests then tend to die out and I receive very few now compared to former times. And my logs look a lot less scary now.



For me the following two lines of code do the trick:

/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH

/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 120 --hitcount 4 --rttl --name SSH -j DROP



On very rare occasions, I need more than four ssh logins per 120 seconds, and have to wait a while.
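A small log review in the spirit of drag's point that the logins which don't fail are the ones that matter, jtimberman's fail2ban suggestion and Ralph's rate limit above, as an added example that is not from the post or from any of those tools: it applies Ralph's 4-in-120-seconds numbers to failed attempts per source address (reporting only, no firewall change) and lists the accepted logins. The log lines, host name and addresses are constructed.

```python
"""Review sshd log lines as the comments above suggest (added example):
count failures per source, flag sources that cross Ralph's 4-in-120-seconds
threshold (applied here to failed attempts, reporting only), and list the
logins that did NOT fail, which are the entries worth reading."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in traditional syslog format (year assumed to be 2009).
SAMPLE_LOG = """\
Mar 23 15:40:01 vps sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Mar 23 15:40:09 vps sshd[2013]: Failed password for root from 203.0.113.7 port 41030 ssh2
Mar 23 15:40:20 vps sshd[2015]: Failed password for invalid user oracle from 203.0.113.7 port 41041 ssh2
Mar 23 15:41:02 vps sshd[2018]: Failed password for invalid user test from 203.0.113.7 port 41055 ssh2
Mar 23 15:43:36 vps sshd[2020]: Failed password for ralph from 198.51.100.9 port 50210 ssh2
Mar 23 15:43:52 vps sshd[2022]: Accepted publickey for ralph from 198.51.100.9 port 50214 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_events(text, year=2009):
    """Return [(timestamp, result, method, user, src)] for lines that match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["method"], m["user"], m["src"]))
    return events

def sources_over_threshold(events, hits=4, seconds=120):
    """Sources with at least `hits` failures inside any `seconds`-wide window."""
    failures = defaultdict(list)
    for ts, result, _, _, src in events:
        if result == "Failed":
            failures[src].append(ts)
    flagged = []
    for src, times in failures.items():
        times.sort()  # sliding window over the sorted failure times
        if any((times[i + hits - 1] - times[i]).total_seconds() <= seconds
               for i in range(len(times) - hits + 1)):
            flagged.append(src)
    return sorted(flagged)

def successful_logins(events):
    """The entries that matter: (user, method, src) for accepted logins."""
    return [(u, m, s) for _, r, m, u, s in events if r == "Accepted"]
```

Unlike the iptables rule, which counts every new connection, this counts only authentication failures, so a burst of legitimate key logins is never flagged.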






Wed Mar 25 23:31:59 2009: 5871   Ed

First off, just wanted drop a quick thank you for all the tips and direction I have gotten from your site over the years.

Also, have you looked into denyhosts? (link)
It's a nice, simple way of blocking the automated attacks and script kiddies. It's based on python, and seems to be widely ported.



Thu Mar 26 00:16:10 2009: 5872   TonyLawrence

Thanks, I'll take a look.



Thu Oct 1 21:51:55 2009: 7035   anonymous

I appreciate your tips. I plan to use them on my server.
