Re: openssh concerns




On 05/10/2009 at 22.55, Andrew Kuriger wrote:

> I agree it's not a bad thing to have sshd running on a non-standard port,
> but just wait until the bot herder with 10,000 bots under his control finds
> out what port you're running it under...

It's like spam filtering: at the time this actually becomes a problem, we change tactics. It's not about finding the perfect solution, it's about having a manageable log. My log is being spammed, and changing the port solves that. "botnet-12-34-56-78.couldntcareless.mx tried to log into your nonexistent oracle account" is not a very interesting log message. Someone bruteforcing a valid non-trivial account name on a non-standard port is, even though they will never succeed.

> If you're receiving 40,000 false logins a day, you're either targeted, or
> extremely popular and probably shouldn't be running sshd that is accessible
> via the internet anyways, aside from port knocking/VPN.

6 normal, very boring colo-servers here. 40.000 login attempts a day per server on port 22 sounds about right - that's still almost nothing translated to bandwidth. I use only key-based auth and the bots were still trying, so I'm pretty sure it's just someone trying to bruteforce every IP under the sun looking for low-hanging fruit. I still need ssh access for normal admin work so disabling ssh is not an option.

Erik
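
Added example, not part of the message above: a small Python triage that separates the log noise described in the thread (failed logins for nonexistent or trivial account names) from failed attempts against an existing, non-trivial account. It assumes OpenSSH's usual "Failed <method> for ..." syslog lines; the sample lines, host name, addresses and the `COMMON_NAMES` policy are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the usual OpenSSH syslog shape (documentation IPs).
SAMPLE_LOG = """\
Oct  5 22:41:03 colo1 sshd[3101]: Invalid user oracle from 203.0.113.5
Oct  5 22:41:03 colo1 sshd[3101]: Failed password for invalid user oracle from 203.0.113.5 port 40112 ssh2
Oct  5 22:41:09 colo1 sshd[3104]: Failed password for invalid user test from 203.0.113.5 port 40120 ssh2
Oct  5 22:43:10 colo1 sshd[3110]: Failed password for root from 203.0.113.77 port 51500 ssh2
Oct  5 22:50:31 colo1 sshd[3122]: Failed publickey for erik from 198.51.100.7 port 2222 ssh2
Oct  5 22:50:33 colo1 sshd[3122]: Failed password for erik from 198.51.100.7 port 2222 ssh2
Oct  5 22:55:00 colo1 sshd[3130]: Accepted publickey for erik from 192.0.2.10 port 50022 ssh2
"""

# sshd marks attempts on nonexistent accounts with "invalid user".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Hypothetical policy: names every bot tries count as noise even if they exist.
COMMON_NAMES = {"root", "admin", "test", "guest"}


def triage(log_text, common=COMMON_NAMES):
    """Return (noise count per source IP, list of events worth reviewing)."""
    noise = Counter()
    interesting = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # bare "Invalid user" lines and successful logins are skipped
        if m["invalid"] or m["user"] in common:
            noise[m["ip"]] += 1
        else:
            # Failed auth against an existing, non-trivial account name.
            interesting.append((m["user"], m["ip"], m["method"]))
    return noise, interesting


if __name__ == "__main__":
    noise, interesting = triage(SAMPLE_LOG)
    print("noise per source:", dict(noise))
    for user, ip, method in interesting:
        print(f"REVIEW: failed {method} for existing account {user!r} from {ip}")
```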
