Does it make sense to run sshd confined/protected by apparmor?
I get tons of attack/hack attempts on my ssh port daily. I created a white list on my firewall to specify the IP addresses that can ssh into my network. I was also thinking of activating the sshd profile in apparmor for some added protection? Just don’t know if it’s worth the trouble.
What do you do?
On Fri, 01 Jul 2011 00:06:03 +0000, mejason69 wrote:
> Does it make sense to run sshd confined/protected by apparmor?
>
> I get tons of attack/hack attempts on my ssh port daily, I created a
> white list on my firewall to specify the IP addresses that can ssh into
> my network. I was also thinking of activating the sshd profile in
> apparmor for some added protection? Just don’t know if it’s worth the
> trouble.
>
> What do you do?
I use BlockHosts to automatically reject connections from a system after
a relatively small number of failed attempts.
Jim
–
Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C
Yeah, that is one way to do it, but it’s less traffic going into the LAN the way I do it. If the traffic does not originate from any of the IP addresses I specify (about 5 different addresses), then the request is simply ignored at the firewall before it can even get to the server.
More curious to find out if anyone uses apparmor to protect/confine sshd or if they think it’s a good idea or not.
AppArmor and SELinux are to protect against programming errors that may allow access to the filesystem or other system resources that are not caught by the program. If the access is allowed to a sensitive file by the program to a legal user or intruder, AppArmor does nothing for you. It’s just another layer of protection. You’re probably doing as well as you can with firewall rules.
On Fri, 01 Jul 2011 01:36:06 +0000, mejason69 wrote:
> Yeah, that is one way to do it, but it’s less traffic going into the LAN
> the way I do it. If the traffic does not originate from any of the IP
> addresses I specify (about 5 different addresses), then the request is
> simply ignored at the firewall before it can even get to the server.
Yes, you can do that; I couldn’t in my setup because I traveled for work
and couldn’t predict my IP address.
> More curious to find out if anyone uses apparmor to protect/confine sshd
> or if they think it’s a good idea or not.
I don’t see a reason to do it myself - if you prevent them from getting
in in the first place (I also use only public key authentication on the
external-facing system), then restricting it doesn’t provide much - if
any - benefit.
Jim
On 2011-07-01 02:06, mejason69 wrote:
> I was also thinking of activating the sshd profile in
> apparmor for some added protection? Just don’t know if it’s worth the
> trouble.
Try - or have a look at the profile first, to see what it allows. It is one
more layer.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)