Re: SSH scans vs connection ratelimiting



Personally I have solved the problem in a different way.
I let sshd listen on port 22 as well as a different port
(e.g. 322). In the packet filter configuration (IPFW in
my case) the alternate port is open from anywhere, but
port 22 is restricted to a few well-known IPs.

Most of those automated SSH scans only scan networks on
port 22 (for efficiency, I assume), so they never hit the
alternate port. If they scan port 22, they're dropped
silently.

The result is that I get zero scans in my logs and the
nightly reports. I can log into the machines normally
from my usual workstations. And if I'm somewhere where
port 22 isn't allowed, I can still log in using the
alternate port number.

In fact, I could get rid of port 22 altogether. You can
set the default port number per host in ~/.ssh/config,
so you don't have to type the port number every time.

Note that this is _not_ a security measure (it would only
be "security by obscurity" anyway). It's only to get rid
of the annoying scans. You still have to use good
passwords (or use other authentication, such as ssh keys),
and make sure that you do not allow root (or other pseudo
users) login via ssh passwords.

Best regards
Oliver

PS: I try to avoid things like automatic blocking of IP
addresses. They can be dangerous, because such automatisms
can be used to run DoS attacks against you, by spoofing
source IPs. Whitelists can help a bit, but you still have
to be extremely careful.

I know one case where someone had a similar setup, blocking
IPs completely (not just port 22) if there have been too
many connection attempts. He whitelisted the IP addresses
of the workstations from which he was usually connecting
with ssh, and so he assumed he was safe. Well, until a
"friend" of his ran an SSH scan against the machine,
spoofing the IP addresses of his DNS servers, in effect
putting the machine offline. :-)

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

I suggested holding a "Python Object Oriented Programming Seminar",
but the acronym was unpopular.
-- Joseph Strout
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
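
The setup described in the message above, as an added example that is not part of the original post: a POSIX shell audit that checks sshd listens on port 22 and the alternate port, that port 22 is reachable only from listed sources with a silent deny for everyone else, and that root password login is ruled out. The function names, rule numbers, the address 192.0.2.10 and the sample files are constructed for illustration.

```sh
# Added example: audit the two-port setup. Inputs: an sshd_config and an
# ipfw rules file (one command per line). Assumes one port per rule.

# check_sshd CONFIG ALT_PORT -> "ok", "ports", or "root" (root password
# login must be ruled out by an explicit PermitRootLogin setting).
check_sshd() {
    awk -v alt="$2" '
        { sub(/#.*/, "") }                          # strip comments
        tolower($1) == "port"            { ports[$2] = 1 }
        tolower($1) == "permitrootlogin" { root = tolower($2) }
        END {
            if (!(22 in ports) || !(alt in ports)) { print "ports"; exit 1 }
            if (root !~ /^(no|prohibit-password|without-password)$/) { print "root"; exit 1 }
            print "ok"
        }' "$1"
}

# check_ipfw RULES ALT_PORT -> "ok", "port22" or "altport".
# ipfw is first-match, so only the first "from any" rule per port counts.
check_ipfw() {
    awk -v alt="$2" '
        $1 != "add" { next }
        {
            act = ($2 ~ /^[0-9]+$/) ? $3 : $2; src = port = ""
            for (i = 1; i < NF; i++) {
                if ($i == "from") src = $(i + 1)
                if ($i == "to") port = ($(i + 2) == "dst-port") ? $(i + 3) : $(i + 2)
            }
            if (port == "22" && src != "any" && act == "allow" && !first22) wl++
            if (port == "22" && src == "any" && !first22) first22 = act
            if (port == alt && src == "any" && !firstalt) firstalt = act
        }
        END {
            if (wl < 1 || first22 !~ /^(deny|drop)$/) { print "port22"; exit 1 }
            if (firstalt != "allow") { print "altport"; exit 1 }
            print "ok"
        }' "$1"
}

# Constructed sample files (rule excerpt; RFC 5737 documentation address).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'Port 22' 'Port 322' 'PermitRootLogin no' > "$d/sshd_config"
    printf '%s\n' 'add 1000 allow tcp from 192.0.2.10 to me 22 in setup keep-state' \
        'add 1100 deny tcp from any to me 22 in' \
        'add 1200 allow tcp from any to me 322 in setup keep-state' > "$d/ipfw.rules"
    check_sshd "$d/sshd_config" 322 && check_ipfw "$d/ipfw.rules" 322
    rc=$?; rm -rf "$d"; return "$rc"
}
demo
```

The ipfw check only looks at rules that name a port, so a broad earlier rule such as one allowing all traffic from any source still has to be reviewed by hand.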


