From: keith tokash (ktokash@hotmail.com)
Date: Wed Jan 02 2008 - 00:52:29 ARST
I don't know the ASA's brute-force defenses, but I'm restless so I'll toss
some slightly-OT defensive measures I like to take. Hope they don't come
across as lame.
1. First step you can take is to change the port mapping on the ASA so that
the ASA listens on a random high port and still forwards to TCP 22 on the ESX.
This is just going to make the "horizontal" scans miss you - the ones that
just step through entire IP ranges on port 22. Once they get a reaction they
start guessing. Not a fantastic leap in security, but it's easy and it's
free.
2. Disable direct root logins in sshd's config file. As usernames go it's
kind of an obvious one. Make people either su to root or use sudo.
3. Key-based authentication only may or may not work in your environment.
Just make sure everyone uses a passphrase on their key (human trust factor
involved here, kind of sketchy).
4. Use PAM on the Linux box to enforce password complexity and brute-force
defenses like a wait period between login attempts.
5. RSA tokens if you can talk management into it. Typically their eyes glaze
over about 10 seconds into the explanation, so don't pin your hopes on this
one.
6. Narrow down the allowed sources in the inbound acl on the ASA if you can.
7. Put up a hardened jump-off box and make everyone go through that first,
potentially disabling SSH directly to the ESX.
With a few exceptions, secrecy is deeply incompatible with democracy and with
science.
--Carl Sagan
> Date: Wed, 2 Jan 2008 11:02:18 +1100
> From: pbhatkoti@gmail.com
> To: ccielab@groupstudy.com
> Subject: OT: securing SSH using ASA
>
> Hi guys,
>
> |Internet|---------Router----ASA-------|VMWARE-server|
>
> I have a VMWARE ESX server running Linux and only port 22 is allowed from
> the ASA firewall to access it from the Internet.
>
> The problem is how can we stop brute-force attacks (on VMware SSH) going to
> the VMWARE server on the ASA firewall.
>
> I can block the access using a linux script on vmware server but I don't
> want to run iptables on vmware.
> So I'm looking for some way to block the IP addresses of brute-forcers on the
> firewall only.
>
> Frog
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Fri Feb 01 2008 - 10:37:57 ARST
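An added example, not from either message in this thread: a small Python script that does the detection half of what the original question asks for. It reads sshd "Failed password" lines from the ESX host's auth log, counts failures per source address inside a sliding time window, lists which sources tried the root account (the reason for item 2 above), and emits ASA extended-ACL deny entries for the offenders so the block lives on the firewall rather than in iptables on the VMware host. The log lines, the threshold and window, and the ACL name `outside_in` are constructed assumptions; the ACL syntax is the standard ASA extended-ACL form, and the deny entries have to sit ahead of the existing permit for port 22 in that ACL to take effect.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth log (syslog format, OpenSSH wording); not real data.
SAMPLE_LOG = """\
Jan  2 00:40:01 esx1 sshd[2101]: Failed password for root from 198.51.100.7 port 41022 ssh2
Jan  2 00:40:03 esx1 sshd[2102]: Failed password for invalid user admin from 198.51.100.7 port 41030 ssh2
Jan  2 00:40:05 esx1 sshd[2103]: Failed password for invalid user oracle from 198.51.100.7 port 41041 ssh2
Jan  2 00:40:07 esx1 sshd[2104]: Failed password for root from 198.51.100.7 port 41055 ssh2
Jan  2 00:40:09 esx1 sshd[2105]: Failed password for root from 198.51.100.7 port 41060 ssh2
Jan  2 00:41:00 esx1 sshd[2110]: Accepted publickey for frog from 203.0.113.5 port 50200 ssh2
Jan  2 00:41:30 esx1 sshd[2111]: Failed password for frog from 203.0.113.5 port 50210 ssh2
Jan  2 00:41:35 esx1 sshd[2112]: Accepted password for frog from 203.0.113.5 port 50211 ssh2
Jan  2 01:30:00 esx1 sshd[2200]: Failed password for root from 192.0.2.9 port 33001 ssh2
Jan  2 01:30:01 esx1 sshd[2201]: Failed password for root from 192.0.2.9 port 33002 ssh2
Jan  2 01:30:02 esx1 sshd[2202]: Failed password for root from 192.0.2.9 port 33003 ssh2
"""

# Matches OpenSSH's failed-password line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text, year=2008):
    """Return a list of (timestamp, user, source_ip) for each failed-password line.

    Syslog timestamps carry no year, so one is supplied by the caller.
    Accepted logins and unrelated lines are skipped.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("ip")))
    return events


def find_brute_forcers(events, threshold=5, window_seconds=600):
    """Return sorted source IPs with >= threshold failures within any window.

    A per-IP deque keeps only the timestamps inside the trailing window, so a
    legitimate user who fat-fingers a password once or twice is not flagged
    while a sustained guessing run is.
    """
    recent = defaultdict(deque)
    flagged = set()
    for ts, _user, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return sorted(flagged)


def root_attempt_sources(events):
    """Sorted source IPs that tried to log in directly as root."""
    return sorted({ip for _ts, user, ip in events if user == "root"})


def asa_deny_lines(ips, acl_name="outside_in", port=22):
    """Render ASA extended-ACL deny entries for the given sources.

    acl_name is an assumed ACL name; insert these ahead of the permit for
    port 22 in the inbound ACL applied to the outside interface.
    """
    return [f"access-list {acl_name} extended deny tcp host {ip} any eq {port}"
            for ip in ips]


if __name__ == "__main__":
    evts = parse_failures(SAMPLE_LOG)
    offenders = find_brute_forcers(evts)
    print("root attempts from:", ", ".join(root_attempt_sources(evts)))
    for line in asa_deny_lines(offenders):
        print(line)
```

With the defaults only 198.51.100.7 (five failures in eight seconds) is flagged; 192.0.2.9 stays under the threshold at three failures, and the one mistyped password from 203.0.113.5 is never counted as an attack. Lowering `threshold` to 3 catches the second source as well, which is the knob to tune against your own log volume before feeding the output into the firewall.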