Re: SSH connections
From: Greg Metcalfe (metcalfegregdelete_at_qwest.net)
Date: 08/26/05
- Next message: Greg Metcalfe: "Re: iptables frontends?"
- Previous message: Shawn K. Quinn: "Re: ISPs blocking your access to the Internet?"
- In reply to: Fred: "SSH connections"
- Next in thread: Chris Cox: "Re: SSH connections"
- Reply: Chris Cox: "Re: SSH connections"
- Reply: Jani Mikkonen: "Re: SSH connections"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 26 Aug 2005 12:32:32 -0700
Fred wrote:
> I'm looking at thwarting some ssh probes by changing the port number
> and customizing the sshd_config file. I'm curious if these probes have
> an adverse effect on the performance of the server or are the
> connection attempts inexpensive resource-wise? Are there any ways to
> measure the impact of these connection attempts?
>
> Fred
In general you can regard ssh connection attempts as inexpensive, as long
as you're running as a daemon. In any Unix where you're running sshd under
a superserver, they get a bit more costly.
At a guess, you're OK. If you're authenticating against LDAP, and that
server is heavily loaded, or something, all bets are off, of course.
I'm speaking in general terms here--a standard standalone sshd on a
mainstream Linux install, where you can garner quite a bit of resistance to
casual attacks simply by disallowing root logins, and changing ports.
Be advised that the nature of the attacks changes constantly. A couple of
years ago I saw attacks limited to 3-4 standard Unixy accounts. Lately, I
see what looks like a more evolved version of the same attacks--same Unixy
accounts, but with the beginnings of a decent dictionary attack. I suspect
it's an evolved version of the same tool because I see roughly the same
distribution in attack sources. That's a very shaky assumption, but I've
not had a need to chase it further.
I'm now recommending to clients that cloud-facing ssh boxen use account
names of random alphanumeric chars. My rationale is that as dictionary
attacks become more sophisticated, pre-attack scanning for a changed port
will also become more common. Hitting just enough ports to identify Linux
(if even that much is done), then assuming the standard port becomes less
useful if it's a precursor to a more resource-intensive and noisier
dictionary attack.
In summary, I would expect dictionary attacks to get steadily better in
terms of account coverage, and to be preceded by more stealthy scans. I
don't expect the number of system compromises to increase in proportion.
SSH is fairly easy to secure.
Remaining on a standard port can also be quite useful, in terms of ease of
auditing systems, etc.
There are ways to instrument, and gather quite a bit of data. Exactly what's
available on your system will vary by distro, and you may need to code up a
wrapper or something. I wouldn't worry about this too much in terms of a
DoS attack. There are far easier ways to do that.
Regards,
Greg
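An added example, not part of Greg's post or anyone else's message in this thread: a small Python script that does the kind of instrumenting he mentions. It parses failed-password lines in OpenSSH's syslog format, groups them by source address, separates a source cycling through many account names (the dictionary pattern he describes) from one hammering a single account such as root, and checks an sshd_config for the two settings he recommends changing (PermitRootLogin and the listening port) plus password authentication. The log lines, addresses, hostnames, config fragments and the three-username threshold are constructed assumptions for the demo; Match blocks in sshd_config are not handled.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines in OpenSSH's syslog format (not real data).
SAMPLE_LOG = """\
Aug 26 12:30:01 bastion sshd[4101]: Failed password for root from 203.0.113.5 port 40122 ssh2
Aug 26 12:30:03 bastion sshd[4102]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Aug 26 12:30:04 bastion sshd[4103]: Failed password for invalid user test from 203.0.113.5 port 40131 ssh2
Aug 26 12:30:06 bastion sshd[4104]: Failed password for invalid user oracle from 203.0.113.5 port 40140 ssh2
Aug 26 12:30:09 bastion sshd[4105]: Failed password for invalid user guest from 203.0.113.5 port 40141 ssh2
Aug 26 12:31:12 bastion sshd[4110]: Failed password for root from 198.51.100.9 port 51200 ssh2
Aug 26 12:31:15 bastion sshd[4111]: Failed password for root from 198.51.100.9 port 51201 ssh2
Aug 26 12:32:32 bastion sshd[4120]: Accepted publickey for q7x2kd9 from 192.0.2.44 port 60012 ssh2
"""

# Constructed sshd_config fragments: the stock-looking one and a hardened one.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
"""

# "Failed password for root from A.B.C.D port N" and
# "Failed password for invalid user NAME from A.B.C.D port N" both match.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_failures(log_text):
    """Return (username, source_ip) for every failed-password line; other lines are ignored."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            out.append((m.group("user"), m.group("src")))
    return out


def summarize_by_source(failures):
    """Per source IP: number of failed attempts and the set of usernames tried."""
    summary = defaultdict(lambda: {"attempts": 0, "users": set()})
    for user, src in failures:
        summary[src]["attempts"] += 1
        summary[src]["users"].add(user)
    return dict(summary)


def dictionary_sources(summary, min_distinct_users=3):
    """Sources that cycled through several account names look like a dictionary
    attack; a source retrying one account (e.g. root) is a different pattern."""
    return sorted(src for src, s in summary.items()
                  if len(s["users"]) >= min_distinct_users)


def sshd_config_warnings(config_text):
    """Flag settings worth changing. sshd uses the FIRST value given for a repeated
    keyword, so a later 'PermitRootLogin no' does not override an earlier 'yes'.
    Match blocks are ignored here (simplification for the demo)."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        seen.setdefault(key, value)           # first occurrence wins
    warnings = []
    root = seen.get("permitrootlogin", "").lower()
    if root != "no":
        warnings.append("PermitRootLogin is not 'no' (effective: %s)" % (root or "default"))
    if seen.get("port", "22") == "22":
        warnings.append("sshd listens on the default port 22")
    if seen.get("passwordauthentication", "yes").lower() != "no":
        warnings.append("PasswordAuthentication is enabled; a dictionary attack can succeed")
    return warnings


if __name__ == "__main__":
    summary = summarize_by_source(parse_failures(SAMPLE_LOG))
    for src, s in sorted(summary.items()):
        print("%-15s %3d attempts, %d distinct users: %s"
              % (src, s["attempts"], len(s["users"]), ", ".join(sorted(s["users"]))))
    print("dictionary-style sources:", dictionary_sources(summary))
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "config warnings:", sshd_config_warnings(cfg) or "none")
```

On a real host, feed the script `/var/log/auth.log` (or `/var/log/secure` on Red Hat derivatives) instead of SAMPLE_LOG; the per-source username count is what distinguishes the evolving dictionary attacks Greg describes from the older handful-of-accounts probes.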