Re: OT: securing SSH using ASA

From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Wed Jan 02 2008 - 01:28:34 ARST


Also, to complement the excellent suggestions given by Keith, you could
enable the cut-through-proxy authentication / downloadable ACLs feature on
the ASA. This would increase the security by having the users authenticate
twice. However, this would still not prevent the brute-force attack
completely.

It achieves a similar effect to the 'bastion host' proposed by Keith
(Solution # 7) and saves you from setting up that separate box.

Regards

Farrukh

On Jan 2, 2008 5:52 AM, keith tokash <ktokash@hotmail.com> wrote:

> I don't know the ASA's brute-force defenses, but I'm restless so I'll toss
> some slightly-OT defensive measures I like to take. Hope they don't come
> across as lame.
>
> 1. First step you can take is to change the port mapping on the ASA so that
> the ASA listens on a random high port and still forwards to TCP 22 on the ESX.
> This is just going to make the "horizontal" scans miss you - the ones that
> just step through entire IP ranges on port 22. Once they get a reaction they
> start guessing. Not a fantastic leap in security, but it's easy and it's
> free.
>
> 2. Disable direct root logins in sshd's config file. As usernames go it's
> kind of an obvious one. Make people either su to root or use sudo.
>
> 3. Key-based authentication only may or may not work in your environment.
> Just make sure everyone uses a passphrase on their key (human trust factor
> involved here, kind of sketchy).
>
> 4. Use PAM on the Linux box to enforce password complexity and brute-force
> defenses like a wait period between login attempts.
>
> 5. RSA tokens if you can talk management into it. Typically their eyes glaze
> over about 10 seconds into the explanation, so don't pin your hopes on this
> one.
>
> 6. Narrow down the allowed sources in the inbound acl on the ASA if you can.
>
> 7. Put up a hardened jumpoff box and make everyone go through that first,
> potentially disabling SSH directly to the ESX.
>
> With a few exceptions, secrecy is deeply incompatible with democracy and with
> science.
> --Carl Sagan
>
> > Date: Wed, 2 Jan 2008 11:02:18 +1100
> > From: pbhatkoti@gmail.com
> > To: ccielab@groupstudy.com
> > Subject: OT: securing SSH using ASA
> >
> > Hi guys,
> >
> > |Internet|---------Router----ASA-------|VMWARE-server|
> >
> > I have a VMWARE ESX server running linux and only port 22 is allowed from
> > ASA firewall to access it from the Internet.
> >
> > The problem is how can we stop brute-force attack (on vmware ssh) going to
> > VMWARE server on ASA firewall.
> >
> > I can block the access using a linux script on vmware server but I don't
> > want to run iptables on vmware.
> > So looking for some way to block the IP address of brute-forcers on Firewall
> > only.
> >
> > Frog
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Fri Feb 01 2008 - 10:37:57 ARST