Disable SSH Password Authentication with OS X 10.5 Leopard

I have a Mac running OS X 10.5 Leopard on my home network that I have made accessible from the Internet so I can remotely access it using SSH (Secure Shell) when I am away.

However, there are many popular SSH password brute force cracking tools (such as Hydra). Below is an excerpt from /var/log/secure.log on the Internet-accessible Mac showing an obvious brute force attack:

06:15:20 sshd[54623]: Invalid user jeff from 88.46.222.228
06:15:22 sshd[54625]: Invalid user irc from 88.46.222.228
06:15:24 sshd[54629]: Invalid user list from 88.46.222.228
06:15:25 sshd[54631]: Invalid user eleve from 88.46.222.228
06:15:27 sshd[54633]: Invalid user proxy from 88.46.222.228
06:17:28 sshd[54700]: Invalid user admin from 59.173.2.71
06:17:32 sshd[54702]: Invalid user admin from 59.173.2.71
06:17:36 sshd[54704]: Invalid user admin from 59.173.2.71
06:17:39 sshd[54706]: Invalid user administrator from 59.173.2.71
06:17:43 sshd[54708]: Invalid user administrator from 59.173.2.71
06:17:46 sshd[54710]: Invalid user administrator from 59.173.2.71
06:17:49 sshd[54712]: Invalid user tads from 59.173.2.71
06:17:52 sshd[54714]: Invalid user manet from 59.173.2.71
06:17:55 sshd[54716]: Invalid user creative from 59.173.2.71
06:18:00 sshd[54718]: Invalid user manet from 59.173.2.71

What I am not showing you are hundreds of similar attempts. Further, each username login attempt repeats as many as 20 times in a row, indicating that multiple passwords are being tried.

To entirely sidestep the threat of brute force password attacks, I have disabled password logins and only allow public-key authentication. Here is how you can set this up in OS X 10.5 Leopard:

  1. Edit /etc/sshd_config and change the following options, removing the ‘#’ comment sign:

    PasswordAuthentication no
    ChallengeResponseAuthentication no

  2. Turn off Remote Login in the Sharing preference pane in System Preferences and turn it on again to restart sshd so the changes will take effect.
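A quick way to confirm that the two options from step 1 actually took effect, as an added example that is not part of the original post. The function names and the sample file are made up for illustration, and the check ignores Match blocks. It catches the two common slips: leaving the '#' in place, and a later "no" shadowed by an earlier "yes" (sshd uses the first uncommented occurrence of a keyword).

```shell
#!/bin/sh
# Added example (not from the original post): confirm password logins are off.
# sshd takes the FIRST uncommented occurrence of a keyword, and keywords are
# case-insensitive. Assumption: Match blocks are not evaluated here.

# Print the effective value of keyword $2 in file $1, or "unset".
sshd_effective() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); val = "unset" }
        /^[ \t]*#/ { next }                          # commented-out option
        NF >= 2 && tolower($1) == want { val = $2; exit }
        END { print val }
    ' "$1"
}

# Return 0 only if both options from step 1 are explicitly set to "no".
password_login_disabled() {
    rc=0
    for key in PasswordAuthentication ChallengeResponseAuthentication; do
        val=$(sshd_effective "$1" "$key")
        printf '%s = %s\n' "$key" "$val"
        [ "$val" = "no" ] || rc=1
    done
    return "$rc"
}

# Constructed sample: one option still commented out, and a later "no"
# shadowed by an earlier "yes".
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PasswordAuthentication no
ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
EOF

if password_login_disabled "$sample"; then
    echo "OK: both options are explicitly set to no"
else
    echo "WARNING: password logins are not explicitly disabled"
fi
rm -f "$sample"
```

To check the real configuration, call `password_login_disabled /etc/sshd_config` before restarting sshd.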

Now, when someone attempts to SSH to my Mac without the correct private key, she/he will see this message:

[Screenshot: ssh1.png]

Finally, to avoid more log entries from SSH brute-force password attempts, I’ve changed the default port for SSH. To my mind, this also reduces the risk of an SSH zero-day exploit.

6 thoughts on “Disable SSH Password Authentication with OS X 10.5 Leopard”

  1. Pingback: Resuming SCP file transfers « Anthony Vance

  2. Bill

    Great tip.

    All you need to do to enable this is “sudo killall -1 sshd” and it will kick your current session (assuming you are ssh’d in) and pick up the new settings.

    If you are remote to the system, test your key authentication first! (grin)

  3. James M

    Put out of your mind the notion that changing the ssh port adds one bit of security to your host. The dictionary attackers are nmap’ing and trying every port. It might buy you a few seconds of obscurity but nothing more.

  4. Anthony

    James:

    It’s true that nmap can easily discover SSH running on alternative ports. Changing ports alone will not secure against brute-force login attempts. However, it will:

    1. Reduce the number of SSH log entries of scanners probing the default port 22. In my experience, this is a considerable amount of logging that can be avoided (see here for a demonstration of this).

    Second, in the case of a zero-day exploit, automated scanners typically only scan the default port in search of a vulnerability. Why? When scanning the entire IP-space, scanning even one additional port doubles the time to complete the scan. And in the case of a zero-day exploit, time is of the essence as administrators race to patch their machines.

    So while changing the default port alone doesn’t protect against brute-force login attempts (this post is about using public-key authentication after all), it does provide an added measure of security in the case of zero-day exploits. See further discussion of this point here and here.

  5. Dominik Hoffmann

    I found that my Apple Xserve at home was sometimes completely swamped with what turned out to be one of those brute force ssh attacks. After disallowing password logins I essentially got my server back.

  6. Jim

    This also disables PAM. I need PAM, and can’t do this, and would like to see how I can use PAM but stop SSHD from logging this extra junk into my log file. SSHD doesn’t even have the ability to check for invalid users; PAM is configured to do that.
