Re: ssd attacks; worm? and precautionary steps

From: Barton L. Phillips (
Date: 08/23/05

    Date: Tue, 23 Aug 2005 17:58:09 GMT

    H.S. wrote:
    > For the time being, I cannot move the ssh to another port. Moreover,
    > from a Gentoo website, I have realized it is not difficult at all to
    > test what other ports sshd is listening on. Obscuring the ssh port may
    > decrease the hits or avoid them for a while, but it is not a very strong
    > defence mechanism.
    While it is true that there are tools that will identify what service is
    running on a port, they don't seem to be used by any of the current ssh
    script attacks I have seen. After moving my sshd to a non-standard port
    I have had no attacks. This has been about two months now.

    Clearly the points others as well as I have made about hardening ssh are
    a better way to protect your site than just moving the port. Using
    public/private keys only, no root, protocol 2 only, Allow/Disallow in
    the sshd_config, and change privileges on the ssh client.

    For a while I did have sshd on port 22 but only allowed a single user
    account which was in a chrooted jail. I stopped doing this as it really
    was not necessary any more as when I am on the road I always have my own
    laptop and don't have to ssh from foreign machines. However, if you need
    to ssh from foreign machines a jailed user might be useful, though if it
    is jailed how much would you let the user do?

    All in all the ssh scripts are more of an annoyance than a real threat I
    think. At least until someone makes them a lot more intelligent.
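
The hardening points listed in the message above, as an added example that is not part of the original post: a small Python audit of sshd_config text for password logins, root login, protocol 1 and a missing Allow/Deny restriction. The sample configs are constructed, and treating an unset PasswordAuthentication or PermitRootLogin as permissive is an assumption; `sshd -T` prints the effective values on a real host.

```python
import re

# Constructed sample configs (not from the post).
WEAK = """\
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
# The next line is ignored: sshd keeps the first value it reads per keyword.
passwordauthentication no
"""
HARDENED = """\
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice
"""

def parse_sshd_config(text):
    """Global settings as {lowercased keyword: value}; first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break  # conditional blocks are out of scope for this audit
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(text):
    """Return the directives that miss the hardening points from the post."""
    s = parse_sshd_config(text)
    findings = []
    # Assumption: an unset value is treated as permissive ("yes").
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication")   # keys only
    if s.get("permitrootlogin", "yes").lower() != "no":
        findings.append("PermitRootLogin")          # no root
    if "1" in [p.strip() for p in s.get("protocol", "2").split(",")]:
        findings.append("Protocol")                 # protocol 2 only
    if not any(k in s for k in ("allowusers", "allowgroups", "denyusers", "denygroups")):
        findings.append("AllowUsers/DenyUsers")     # restrict who may log in
    return findings

if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("hardened:", audit(HARDENED))
```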
