Re: Somebody is keep trying to ssh into my systems, how can I stop that?



responder wrote:

You are mistaken if you think your "secure", portknocking protected ssh
connection is immune to intrusion and hijacking. And it would be
irresponsible to be more highly specific here in details. So I won't say
any more than to just simply answer your question.

The challenge/response nature of public key authentication would
mitigate any attempt at a MITM attack on SSH itself. Although, it
_could_ allow an attacker to circumvent port knocking and give them an
open port. I only say 'could', because it is dependent on the
implementation of the particular port knocking scheme itself, which, in
my own opinion, leads to the 'obscurity' of port knocking, which is in
effect only a password-based authentication mechanism, as Ertugrul
touched on earlier. He also mentioned that in the case of buffer overflow
exploits, these can be mitigated by using grsecurity, PaX, and/or
SELinux.

left_coast wrote:

How many netfilter exploits that can successfully attack CLOSED PORTS have
been reported vs. buffer overflow attacks of an open ssh port???? Go count
them up, bub, and let me know the results. I'm sure you'll start to discover
why I believe the way I do.

The object of security is not only to protect against remote privilege
escalation, but also to protect system stability and usability. Hence
my next point would be the possibility of DoS attacks against the port
knocking daemon itself, since it has to listen for the port 'knocks';
regardless of the packets having been dropped, it still needs to
process them.

Taking into consideration the above factors, it still comes down to
user preference, and the trade-off between usability and security. For
example, large corporate environments would find port-knocking rather
cumbersome, and would prefer to use an 'out-of-band' administrative
interface.

Cheers, Joel.
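The two points Joel makes about port knocking (that the knock sequence is in effect a shared password, and that the daemon must inspect every packet the firewall drops, which is where the DoS exposure comes from) are easier to see in a small model. The following is an added example, not code from the thread or from any real knock daemon: a per-source state machine that advances through a constructed three-port sequence, counts every packet it had to inspect, and applies an assumed per-source budget of stray packets (MAX_STRAY_PACKETS) as a simple mitigation for the processing cost. The IP addresses and port numbers are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed (hypothetical) knock sequence: SYNs to these ports, in order,
# mark the source as allowed to reach SSH. This tuple IS the shared secret,
# which is why port knocking amounts to a password-based mechanism.
KNOCK_SEQUENCE = (7000, 8000, 9000)

# Assumed mitigation: after this many wrong-port packets from one source,
# stop doing per-packet work for it (bounds the DoS cost described above).
MAX_STRAY_PACKETS = 20


@dataclass
class KnockDaemon:
    sequence: tuple
    # per-source index into the sequence (how far the knock has progressed)
    progress: dict = field(default_factory=lambda: defaultdict(int))
    # per-source count of packets that did not match the expected port
    stray_count: dict = field(default_factory=lambda: defaultdict(int))
    # sources that completed the sequence
    opened: set = field(default_factory=set)
    # every packet handed to the daemon, dropped or not, costs processing
    packets_inspected: int = 0

    def handle_packet(self, src: str, dport: int) -> str:
        """Process one dropped inbound packet (source address, destination port)."""
        self.packets_inspected += 1
        if self.stray_count[src] >= MAX_STRAY_PACKETS:
            return "ignored"  # over budget: no further state work for this source
        expected = self.sequence[self.progress[src]]
        if dport == expected:
            self.progress[src] += 1
            if self.progress[src] == len(self.sequence):
                self.opened.add(src)
                self.progress[src] = 0
                return "open"
            return "progress"
        # Wrong port: the sequence restarts from the beginning for this source.
        self.progress[src] = 0
        self.stray_count[src] += 1
        return "reset"

    def ssh_allowed(self, src: str) -> bool:
        """Would the firewall let this source reach the SSH port?"""
        return src in self.opened


def run_demo() -> dict:
    """Constructed traffic: one legitimate knocker interleaved with a port scanner."""
    daemon = KnockDaemon(KNOCK_SEQUENCE)
    legit = [("198.51.100.7", port) for port in KNOCK_SEQUENCE]
    scanner = [("203.0.113.9", 1000 + i) for i in range(30)]  # never hits 7000
    for src, dport in scanner[:15] + legit + scanner[15:]:
        daemon.handle_packet(src, dport)
    return {
        "legit_open": daemon.ssh_allowed("198.51.100.7"),
        "scanner_open": daemon.ssh_allowed("203.0.113.9"),
        "packets_inspected": daemon.packets_inspected,
        "scanner_stray": daemon.stray_count["203.0.113.9"],
    }


if __name__ == "__main__":
    print(run_demo())
```

Two things the run shows: every one of the 33 packets reaches `handle_packet` even though the firewall already dropped them, so the daemon's cost scales with unsolicited traffic rather than with legitimate logins; and the only thing distinguishing the legitimate source from the scanner is knowledge of the sequence, so the scheme adds a fixed secret, not a second factor.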



