Note: hopefully this will complement two existing, related resources:
- the LQWiki sshd configuration entry; and
- the Failed ssh login attempt thread.
I don't intend to exhaustively rehash or debate what's already been advised there. Just a quick summary and I'll get to the point.
--------------------------------
As basic sshd hardening steps, in the past I've generally:
- set obvious sshd_config options (PermitRootLogin no, Protocol 2);
- required PubkeyAuthentication (and allowed no other authentication);
- utilized the AllowUsers directive;
- permitted certain IPs via netfilter or TCP wrappers, and denied all else by default; and
- stayed on top of OpenSSH security updates.
When circumstances have allowed all this, it has been highly effective. But I recently ran into a situation where I had to allow ChallengeResponseAuthentication + UsePAM for a customer, and sshd needed to be available to all United States subnets.
So... a little bit of poking around and I found a useful resource (originally spotted on the Wikipedia entry for CIDR):
================================
http://www.ipdeny.com/ipblocks/
From their 'about' section:
Quote:
IPdeny was founded to offer up-to-date and ready-to-go country IP block zone files allocated by regional registries (RIRs). Our main goal is to publish all allocated IPs into single country files in CIDR format...
================================
Very nice. Thought I'd share this as I have seen the topic come up in a few different threads where folks are trying to allow or block entire countries.
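As an added example (my own script, not something from ipdeny or from the threads linked above), here is how I would turn one of those country zone files into a netfilter allow-list for sshd. The zone file is one IPv4 CIDR per line, so the natural fit is an ipset hash:net set plus two iptables rules. The file name us_zone.txt, the set name allow_us, and the sample networks are assumptions made up for the example; the real file is the one you download from http://www.ipdeny.com/ipblocks/.

```shell
#!/bin/sh
# Convert an ipdeny country zone file (one IPv4 CIDR per line) into an
# 'ipset restore' script, then print the iptables rules that restrict
# sshd to that set. Set name and file names are assumptions for this example.

# Only accept well-formed IPv4 CIDR lines. ipdeny files are clean, but a
# blank or junk line would otherwise abort 'ipset restore' half-way through.
CIDR_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'

# zone_to_ipset ZONEFILE SETNAME -> ipset restore commands on stdout
zone_to_ipset() {
    zone="$1"; setname="$2"
    printf 'create %s hash:net family inet\n' "$setname"
    grep -E "$CIDR_RE" "$zone" |
        while read -r net; do
            printf 'add %s %s\n' "$setname" "$net"
        done
}

# zone_count ZONEFILE -> number of networks that will be loaded
# (sanity check: the US file is thousands of lines, an empty download is zero)
zone_count() {
    grep -cE "$CIDR_RE" "$1"
}

# sshd_rules SETNAME -> the two iptables rules to apply, in order
sshd_rules() {
    printf 'iptables -A INPUT -p tcp --dport 22 -m set --match-set %s src -j ACCEPT\n' "$1"
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

# Constructed sample zone file standing in for a real ipdeny download;
# it deliberately contains a blank line and a junk line to show the filter.
sample_zone() {
    cat > "$1" <<'EOF'
3.0.0.0/8
4.0.0.0/9
4.128.0.0/10

not-a-cidr
6.0.0.0/8
EOF
}

# Apply on a real host (as root), with the set created before the rules:
#   zone_to_ipset us_zone.txt allow_us | ipset -exist restore
#   sshd_rules allow_us | sh
```

Loading the set before adding the ACCEPT rule matters: the DROP rule is appended after the ACCEPT, so if the set is empty at that moment every SSH client, including yours, is locked out. Refreshing the set later is just re-running the `ipset -exist restore` line, which adds new networks without touching the rules. Note this covers only the IPv4 zone file; if sshd also listens on IPv6, that traffic is governed by ip6tables and needs its own policy.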