Re: Thousands of ssh probes



On Sun, Mar 7, 2010 at 16:48, Erik Norgaard <norgaard@xxxxxxxxxxxx> wrote:

On 07/03/10 21:41, dacoder wrote:

has anybody suggested having sshd listen on a high port?


Any number will do, think about it:

a. The attacker doesn't really care which host is compromised any will do,
and better yet someones home box as it is more difficult to trace him. In
that case he will scan large ip-ranges for hosts listening on port 22.

b. The attacker wants to gain control of a particular server. In that case
he will scan all ports to see what services are running and determine which
services are running on each port. In that case running ssh on a
non-standard port is futile.

However, I'm not really a fan of using non-standard ports for ssh, I don't
believe it's the right solution to the problem: You have ssh access to the
outside because people travel and need remote access. In that case they
might find themselves under other security policies which block access to
services deemed unnecessary. Running ssh on a non-standard port is likely to
be blocked on the client network - unless you run on, say, port 80.

The more uses you have, the more problems you will have running ssh on a
non-standard port, the time you save checking your logs may easily be spent
on end user support.

OP referred to significant impact on bandwidth which I find difficult to
believe. In case connections come from a single ip at a time then you should
tweak LoginGraceTime, MaxAuthTries, MaxSessions to reduce the number of
concurrent un-authenticate connections and slow down brute force attacks.

Much better, restrict the client access to certain ranges of IPs. The
different registries publish ip ranges assigned per country and you can
create a list blocking countries you are certain not to visit, you can use
my script:

http://www.locolomo.org/pub/src/toolbox/inet.pl


Great script! Just one question. Where do you put the list of denied ip
ranges?


BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157 http://www.locolomo.org
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "
freebsd-questions-unsubscribe@xxxxxxxxxxx"

_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"



Relevant Pages

  • Re: Security problem
    ... segment when it receives a SYN destined at a non-existant port. ... It makes you less visible to a casual check, since the attacker doesn't easily see why they can't get in. ... It avoids reply packets with sequence numbers, which could be used by an attacker. ... could make from your "watching the neighbour's house" analogy. ...
    (comp.os.linux.development.apps)
  • porsentry
    ... attacker is scanning ... # IMPORTANT NOTE: You CAN NOT put spaces between your port arguments. ... # On many Linux systems you cannot bind above port 61000. ... # host when an attack is detected. ...
    (linux.redhat)
  • Re: Security problem
    ... simply to use a non-standard port. ... and no attacker will ever find it. ... There is a reason why you build up security in layers, rather than relying on a single point such as a good password. ... Security is about balancing the risks and the consequences of these risks with the cost of protection and the ease of use of legitimate services. ...
    (comp.os.linux.development.apps)
  • Re: Sokets De Trois v1
    ... folks in newsgroups who behave that way. ... If there were an actual human attacker, stealth mode doesn't really cut much ... > I believed that if a port was in stealth mode, ... >> generating random email addresses is what the worm ...
    (microsoft.public.security.virus)
  • [EXPL] Multiple Vulnerabilities in CISCO VoIP Phones (Additional details)
    ... Multiple Vulnerabilities in Cisco IP Telephones. ... The Cisco 7900 series of phones include a built-in web server on port ... It is conceivable that a dedicated attacker could put ...
    (Securiteam)