Re: openssh concerns

Den 05/10/2009 kl. 22.55 skrev Andrew Kuriger:

I agree its not a bad thing to have sshd running on a non-standard port,
but just wait until the bot herder with 10,000 bots under his control finds
out what port your running it under...

It's like spam filtering: at the time this actually becomes a problem, we change tactics. It's not about finding the perfect solution, it's about having a manageable log. My log is being spammed, and changing the port solves that. " tried to log into your nonexistent oracle account" is not a very interesting log message. Someone bruteforcing a valid non-trivial account name on a non-standard port is, even though they will never succeed.

If your receiving 40,000 false logins a day, your either targeted, or
extremely popular and probably shouldn't be running sshd that is accessible
via the internet anyways, aside from port knocking/VPN.

6 normal, very boring colo-servers here. 40.000 login attempts a day per server on port 22 sounds about right - that's still almost nothing translated to bandwidth. I use only key-based auth and the bots were still trying, som I'm pretty sure it's just someone trying to bruteforce every IP under the sun looking for low-hanging fruit. I still need ssh access for normal admin work so disabling ssh is not an option.


Relevant Pages

  • Re: Trojan? DDOS Bot?
    ... > internet a connection from local port 1026 to port 6667 ... > server and it is an irc server (MusIRC Internet Relay ... > administrator told me that he has recognized these bots ... > LISTENING ...
  • Re: Limiting closed port RST response
    ... The problem is that it doesn't say which port was ... There are a few reasons you may see inbound TCP connections ... late responses from genuine outbound ... and bots hitting other sites using your forged IP ...
  • Re: sshguard pf
    ... Below is a snippet from my auth.log showing sshguard blocking som IPs, ... pass in on $ext_if proto tcp to port ssh ... pass in log on $ext_if proto tcp to port smtp ... You are being attacked by script kiddies and bots, they scan a whole ip address range looking for open port 22 and when its found they start their login attack. ...
  • Re: [Full-disclosure] KIBUV.B or variant?
    ... the src code to these bots are traded around a great deal. ... likley either the irc owner changed the port /banner in which the ...
  • Re: Accessing embedded device behind firewall
    ... We would like to have telnet / ssh access to the device, ... By default, OpenVPN uses port 1194 UDP, but you could choose port 80 TCP (i.e., http) if you prefer. ...