Re: Thousands of ssh probes



On Sun, Mar 7, 2010 at 16:48, Erik Norgaard <norgaard@xxxxxxxxxxxx> wrote:

On 07/03/10 21:41, dacoder wrote:

has anybody suggested having sshd listen on a high port?


Any number will do, think about it:

a. The attacker doesn't really care which host is compromised; any will do,
and better yet someone's home box, as it is more difficult to trace him. In
that case he will scan large IP ranges for hosts listening on port 22.

b. The attacker wants to gain control of a particular server. In that case
he will scan all ports to see what services are running and determine which
services are running on each port. In that case running ssh on a
non-standard port is futile.

However, I'm not really a fan of using non-standard ports for ssh, I don't
believe it's the right solution to the problem: You have ssh access to the
outside because people travel and need remote access. In that case they
might find themselves under other security policies which block access to
services deemed unnecessary. Running ssh on a non-standard port is likely to
be blocked on the client network - unless you run on, say, port 80.

The more users you have, the more problems you will have running ssh on a
non-standard port; the time you save checking your logs may easily be spent
on end user support.

OP referred to significant impact on bandwidth, which I find difficult to
believe. In case connections come from a single IP at a time then you should
tweak LoginGraceTime, MaxAuthTries, MaxSessions to reduce the number of
concurrent unauthenticated connections and slow down brute force attacks.

Much better, restrict the client access to certain ranges of IPs. The
different registries publish IP ranges assigned per country and you can
create a list blocking countries you are certain not to visit; you can use
my script:

http://www.locolomo.org/pub/src/toolbox/inet.pl


Great script! Just one question. Where do you put the list of denied ip
ranges?


BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157 http://www.locolomo.org
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "
freebsd-questions-unsubscribe@xxxxxxxxxxx"
