Re: openssh concerns
- From: Erik Cederstrand <erik@xxxxxxxxxxxxxx>
- Date: Mon, 5 Oct 2009 23:28:37 +0200
Den 05/10/2009 kl. 22.55 skrev Andrew Kuriger:
I agree its not a bad thing to have sshd running on a non-standard port,
but just wait until the bot herder with 10,000 bots under his control finds
out what port your running it under...
It's like spam filtering: at the time this actually becomes a problem, we change tactics. It's not about finding the perfect solution, it's about having a manageable log. My log is being spammed, and changing the port solves that. "botnet-12-34-56-78.couldntcareless.mx tried to log into your nonexistent oracle account" is not a very interesting log message. Someone bruteforcing a valid non-trivial account name on a non-standard port is, even though they will never succeed.
If your receiving 40,000 false logins a day, your either targeted, or
extremely popular and probably shouldn't be running sshd that is accessible
via the internet anyways, aside from port knocking/VPN.
6 normal, very boring colo-servers here. 40.000 login attempts a day per server on port 22 sounds about right - that's still almost nothing translated to bandwidth. I use only key-based auth and the bots were still trying, som I'm pretty sure it's just someone trying to bruteforce every IP under the sun looking for low-hanging fruit. I still need ssh access for normal admin work so disabling ssh is not an option.