Re: ssd attacks; worm? and precautionary steps

From: Barton L. Phillips (bartonphillips_at_sbcglobal.net)
Date: 08/23/05

    Date: Tue, 23 Aug 2005 17:58:09 GMT
    
    

    H.S. wrote:
    > For the time being, I cannot move the ssh to another port. Moreover,
    > from a Gentoo website, I have realized it is not difficult at all to
    > test what other ports sshd is listening on. Obscuring the ssh port may
    > decrease the hits or avoid them for a while, but it is not a very strong
    > defence mechanism.
    While it is true that there are tools that will identify what service is
    running on a port, they don't seem to be used by any of the current ssh
    script attacks I have seen. After moving my sshd to a non-standard port
    I have had no attacks. This has been about two months now.

    Clearly the points others as well as I have made about hardening ssh are
    a better way to protect your site than just moving the port. Using
    public/private keys only, no root, protocol 2 only, Allow/Disallow in
    the sshd_config, and change privileges on the ssh client.

    For a while I did have sshd on port 22 but only allowed a single user
    account which was in a chrooted jail. I stopped doing this as it really
    was not necessary any more as when I am on the road I always have my own
    laptop and don't have to ssh from foreign machines. However, if you need
    to ssh from foreign machines a jailed user might be useful, though if it
    is jailed how much would you let the user do?

    All in all the ssh scripts are more of an annoyance than a real threat I
    think. At least until someone makes them a lot more intelligent.
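
The hardening points listed in the message above (keys only, no root, protocol 2 only, Allow lists in sshd_config) can be checked mechanically. The following is an added example, not part of the original post: the function names and both sample configurations are constructed, and it assumes sshd's documented rule that the first value obtained for a keyword is the one used.

```python
# Added example, not from the original post: audit sshd_config text against
# the post's hardening list. Both sample configs below are constructed.
REQUIRED = {
    "passwordauthentication": "no",  # public/private keys only
    "permitrootlogin": "no",         # no root
    "protocol": "2",                 # protocol 2 only (older OpenSSH releases)
}
ALLOW_KEYS = ("allowusers", "allowgroups")  # allow lists in sshd_config

def parse_global(text):
    """Return {keyword: value} for the global section; first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()           # keywords are case-insensitive
        if key == "match":               # conditional blocks are not global
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # later duplicates are ignored by sshd
    return settings

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    settings = parse_global(text)
    findings = []
    for key, want in REQUIRED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key}: not set, the version default applies")
        elif got.lower() != want:
            findings.append(f"{key}: '{got}', expected '{want}'")
    if not any(k in settings for k in ALLOW_KEYS):
        findings.append("no AllowUsers/AllowGroups restriction")
    return findings

# Constructed sample: the second PermitRootLogin line has no effect.
WEAK = """
Port 2222
Protocol 2,1
PermitRootLogin yes
PermitRootLogin no
"""
# Constructed sample: 'alice' is a placeholder account name.
HARDENED = """
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
AllowUsers alice
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg))
```

Unset keywords are reported rather than assumed safe because the defaults for these options have changed between OpenSSH releases.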

