10.4: Disable ssh password login under Tiger
Authored by: hagbard on Aug 19, '05 04:08:12PM

I went from dozens of attacks to zero with a very simple change:
use a different port for sshd. Instead of port 22, use a port > 32768 (and < 65535). Most scripts are hardcoded for port 22, and don't try to sniff the ssh port first.
I remember that I had to look around a bit in order to change that, something like modifying /etc/services and something inside /etc/xinetd.d/.
I really thought that there was a hint about that already. If people ask, I'll post a complete hint on that topic!



10.4: Disable ssh password login under Tiger
Authored by: squawky on Aug 19, '05 05:44:18PM
I'm not so sure about changing the port -- the logs on my G5 at work showed repeated attempts to ssh using random ports as well as random usernames. Even if the script used the wrong port, the syslog still recorded hundreds of attempts to ssh in.

The only solution I could come up with was to use tcpwrappers: deny ssh access to any IP that is not part of the domain at work, or part of the domain my ISP uses. That reduced the hundreds of attempts to the occasional "sshd access denied to (random ip)" note. (Plus the strong passwords and disabled root access, etc. etc.)

Not the best solution, since I have to ssh into a work machine and then into the G5 if I'm away from home (to edit the /etc/hosts.allow file, at the very least) -- but it seems to work.


10.4: Disable ssh password login under Tiger
Authored by: twangster on Aug 19, '05 06:16:42PM

hey hagbard,

I see a port setting in the sshd_config, "#Port 22". Wondering if I can just change it here? I just went through my secure.log, and it gets pounded daily. I had no idea! Damn script kiddies.



changing the port number
Authored by: xcgr on Aug 19, '05 08:33:46PM

I changed my SSH service to a non-standard port several months ago. It cut the unwanted login attempts down to zero, since most malware scripts only probe port 22. Obviously this is security by obscurity, and it shouldn't be your primary means of defense. But it does reduce the attack surface, as well as the noise level in the log files.

How to change the sshd port depends on your Mac OS X version. These earlier hints have the details:

10.3: Changing the default SSH server port
10.4: Change the default sshd port

I didn't see a hint for 10.2, but I believe you do it simply by uncommenting and changing the "Port" directive in /private/etc/sshd_config. Then restart the service. For more info, type "man sshd_config" in Terminal.



changing the port number
Authored by: dtungsten on Oct 21, '05 07:31:07PM

I didn't see a hint for 10.2, but I believe you do it simply by uncommenting and changing the "Port" directive in /private/etc/sshd_config. Then restart the service.

Yes, that works (you have to have admin privileges to edit that file, of course).



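As an added example (not from the hint or any of the commenters), here is a POSIX sh script that makes the two changes this thread discusses to a copy of sshd_config: it moves the Port directive to a high port in the range hagbard suggests and turns password logins off. The ChallengeResponseAuthentication line is my addition, since on older OpenSSH builds password prompts can also arrive via keyboard-interactive; the file path and port number are whatever the caller passes in.

```shell
#!/bin/sh
# Added example: rewrite an sshd_config so sshd listens on a high, non-standard
# port and refuses password logins. Works on whatever file it is given; the
# caller is expected to run it as root against a copy, then install and restart.

# set_sshd_directive FILE KEYWORD VALUE
# Replaces an active or commented-out KEYWORD line with "KEYWORD VALUE" and
# appends the directive if the file does not mention the keyword at all.
set_sshd_directive() {
    file=$1 key=$2 value=$3
    awk -v key="$key" -v value="$value" '
        # matches "Port 22", "#Port 22", "  port = 22" (keywords are case-insensitive)
        tolower($0) ~ ("^[ \t]*#?[ \t]*" tolower(key) "[ \t=]") {
            if (!done) { print key " " value; done = 1 }
            next                      # drop the commented default and any duplicates
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$file.tmp" &&
    cat "$file.tmp" > "$file" &&      # write in place so the file keeps its mode/owner
    rm -f "$file.tmp"
}

# harden_sshd_config FILE PORT
# PORT must be numeric and in the range the thread suggests: > 32768 and < 65535.
harden_sshd_config() {
    file=$1 port=$2
    case $port in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    [ "$port" -gt 32768 ] && [ "$port" -lt 65535 ] ||
        { echo "port $port is outside 32769-65534" >&2; return 1; }
    set_sshd_directive "$file" Port "$port"
    set_sshd_directive "$file" PasswordAuthentication no
    # keyboard-interactive can still prompt for a password unless this is off too
    set_sshd_directive "$file" ChallengeResponseAuthentication no
    set_sshd_directive "$file" PermitRootLogin no
}
```

Check the result with `sshd -t -f /path/to/copy` before installing it, and make sure key-based login already works before password logins go away.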