Re: ssd attacks; worm? and precautionary steps
From: Barton L. Phillips (bartonphillips_at_sbcglobal.net)
Date: Tue, 23 Aug 2005 17:58:09 GMT
> For the time being, I cannot move the ssh to another port. Moreover,
> from a Gentoo website, I have realized it is not difficult at all to
> test what other ports sshd is listening on. Obscuring the ssh port may
> decrease the hits or avoid them for a while, but it is not a very strong
> defence mechanism.
While it is true that there are tools that will identify what service is
running on a port they don't seem to be used by any of the current ssh
script attacks I have seen. After moving my sshd to a non-standard port
I have had no attacks. This has been about two months now.
Clearly the points others as well as I have made about hardening ssh are
a better way to protect your site than just moving the port. Using
public/private keys only, no root, protocol 2 only, Allow/Disallow in
the sshd_config, and change privileges on the ssh client.
For a while I did have sshd on port 22 but only allowed a single user
account which was in a chrooted jail. I stopped doing this as it really
was not necessary any more as when I am on the road I always have my own
laptop and don't have to ssh from foreign machines. However, if you need
to ssh from foreign machines a jailed user might be useful, though if it
is jailed how much would you let the user do?
All in all the ssh scripts are more of an annoyance than a real threat I
think. At least until someone makes them a lot more intelligent.
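The hardening list in the reply above (key-only authentication, no root login, protocol 2 only, an AllowUsers list, and a non-standard port as a bonus) can be checked mechanically. The following POSIX shell script is an added example, not code from the thread or from OpenSSH: it carries a constructed "weak" sshd_config next to a constructed hardened one and audits each for those settings. The port number and the user names in the hardened config are placeholders. The checker honours sshd's rule that the first occurrence of a keyword wins, and it also requires ChallengeResponseAuthentication to be off, because a PAM keyboard-interactive prompt otherwise still accepts passwords even when PasswordAuthentication is no.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an sshd_config for the
# hardening settings the reply recommends. Both configs below are constructed.

# Constructed "before" config: typical shipped defaults of the era.
WEAK_CONFIG='Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
'

# Constructed hardened config; port and user names are placeholders.
HARDENED_CONFIG='Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers alice bob
'

# effective_value KEY CONFIG: print the value sshd would use for KEY.
# sshd takes the first occurrence of a keyword, so stop at the first match;
# comment lines are skipped and keyword matching is case-insensitive.
effective_value() {
    printf '%s\n' "$2" | awk -v k="$1" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(k) { print $2; exit }'
}

# check_setting KEY EXPECTED CONFIG: print a finding and fail on mismatch.
check_setting() {
    actual=$(effective_value "$1" "$3")
    if [ "$actual" != "$2" ]; then
        printf 'FINDING: %s is "%s", want "%s"\n' "$1" "${actual:-unset}" "$2"
        return 1
    fi
    return 0
}

# audit_config CONFIG: run every check; the exit status is the finding count.
audit_config() {
    cfg=$1
    findings=0
    check_setting Protocol 2 "$cfg" || findings=$((findings + 1))
    check_setting PermitRootLogin no "$cfg" || findings=$((findings + 1))
    check_setting PasswordAuthentication no "$cfg" || findings=$((findings + 1))
    check_setting ChallengeResponseAuthentication no "$cfg" || findings=$((findings + 1))
    check_setting PubkeyAuthentication yes "$cfg" || findings=$((findings + 1))
    # AllowUsers only needs to exist; its value is site-specific.
    if [ -z "$(effective_value AllowUsers "$cfg")" ]; then
        echo 'FINDING: no AllowUsers line; every local account may attempt login'
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Demonstration when run directly: the weak config yields findings,
# the hardened one passes cleanly.
run_demo() {
    echo '== constructed weak config =='
    audit_config "$WEAK_CONFIG" || echo "$? finding(s)"
    echo '== constructed hardened config =='
    audit_config "$HARDENED_CONFIG" && echo 'no findings'
}
run_demo
```

To audit a live server, replace the embedded strings with `"$(cat /etc/ssh/sshd_config)"`; the script deliberately does not read the file itself so that it runs offline on the constructed input. Note that a `Match` block can override these keywords for particular users or addresses, which this simple first-match reader does not model.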