[LUAU] Excellent SSH advice

Vince Hoang vince at litrium.com
Wed Jan 12 12:39:35 PST 2005


On Wed, Jan 12, 2005 at 09:31:56AM -1000, Dwight Victor wrote:
> If you know the IP addresses of the machines that you'll be
> SSHing from...it's best to compile your version of SSH to
> support tcp_wrappers and configure your /etc/hosts.allow and
> /etc/hosts.deny files to only allow SSH access from your known
> IP addresses.

I believe most packaged versions of OpenSSH come prebuilt with
tcp-wrappers, so no recompilation is needed.

> This also helps cut down on those irritating automated SSH
> attacks.

When using the built-in tcp-wrapper support, the attack will
still hit the sshd before the attack host is dropped, and
potentially leave you open to an undocumented buffer overflow.

Instead, if you limit host access at the firewall level, the
attack will never reach the sshd.

Another alternative is to move your sshd to a different port.
This will thwart the attacks that only look at tcp/22 for a
running SSH server, but this relies on security through obscurity
alone.

-Vince
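To make the hosts.allow/hosts.deny behaviour discussed in this thread concrete, here is a small evaluator of the tcp_wrappers access decision (allow file checked first, then deny file, otherwise permit); it is an added example, not code from either post, and the file contents and addresses in it are constructed. It models only the access decision, so as Vince notes the connection has already reached sshd by the time this check runs.

```python
import ipaddress

# Constructed sample access-control files, not from the original thread.
HOSTS_ALLOW = """
# Known administrative sources only
sshd: 192.168.1.0/255.255.255.0, 10.0.0.5
"""
HOSTS_DENY = """
# Everything not explicitly allowed above
ALL: ALL
"""

def _parse(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        daemons, clients = (part.strip() for part in line.split(":", 1))
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules

def _client_matches(pattern, ip):
    """Client forms: ALL, net/mask, exact address, or a trailing-dot prefix."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return ip in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return str(ip).startswith(pattern)
    return ip == ipaddress.ip_address(pattern)

def _rule_matches(rules, daemon, ip):
    for daemons, clients in rules:
        if daemon in daemons or "ALL" in daemons:
            if any(_client_matches(c, ip) for c in clients):
                return True
    return False

def wrappers_allow(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcp_wrappers order: an allow match grants, a deny match refuses, else permit.

    Note the default: with an empty hosts.deny, every unmatched client is let in.
    """
    ip = ipaddress.ip_address(client)
    if _rule_matches(_parse(allow_text), daemon, ip):
        return True
    if _rule_matches(_parse(deny_text), daemon, ip):
        return False
    return True
```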


