Thousands of ssh probes
Erik Norgaard
norgaard at locolomo.org
Sun Mar 7 22:48:55 UTC 2010
On 07/03/10 21:41, dacoder wrote:
> has anybody suggested having sshd listen on a high port?
Any number will do, think about it:
a. The attacker doesn't really care which host is compromised, any will
do, and better yet someone's home box as it is more difficult to trace
him. In that case he will scan large ip-ranges for hosts listening on
port 22.
b. The attacker wants to gain control of a particular server. In that
case he will scan all ports to see what services are running and
determine which services are running on each port. In that case running
ssh on a non-standard port is futile.
However, I'm not really a fan of using non-standard ports for ssh, I
don't believe it's the right solution to the problem: You have ssh
access to the outside because people travel and need remote access. In
that case they might find themselves under other security policies which
block access to services deemed unnecessary. Running ssh on a
non-standard port is likely to be blocked on the client network - unless
you run on, say, port 80.
The more uses you have, the more problems you will have running ssh on a
non-standard port; the time you save checking your logs may easily be
spent on end user support.
OP referred to significant impact on bandwidth which I find difficult to
believe. In case connections come from a single ip at a time then you
should tweak LoginGraceTime, MaxAuthTries, MaxSessions to reduce the
number of concurrent unauthenticated connections and slow down brute
force attacks.
Much better, restrict the client access to certain ranges of IPs. The
different registries publish ip ranges assigned per country and you can
create a list blocking countries you are certain not to visit; you can
use my script:
http://www.locolomo.org/pub/src/toolbox/inet.pl
BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157 http://www.locolomo.org
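An added example, not part of the original post or of Erik's script: a small Python audit of the three sshd_config directives named above, applying OpenSSH's first-value-wins rule and its documented defaults when a directive is absent. The policy ceilings and the sample config are constructed assumptions for this example.

```python
"""Audit LoginGraceTime, MaxAuthTries and MaxSessions in an sshd_config.

sshd keeps the FIRST value it sees for a keyword and ignores later ones,
so a hardened line added at the bottom of the file may silently do nothing.
Only the global section (before the first Match block) is audited here.
"""
import re

# Defaults sshd applies when the directive is absent (sshd_config(5)).
# Note: concurrent unauthenticated connections are actually capped by
# MaxStartups (default 10:30:100); MaxSessions limits sessions per connection.
DEFAULTS = {"logingracetime": 120, "maxauthtries": 6, "maxsessions": 10}
# Hardened ceilings: an assumption for this example, not an OpenSSH value.
POLICY_MAX = {"logingracetime": 30, "maxauthtries": 3, "maxsessions": 2}

# Constructed sshd_config excerpt: LoginGraceTime appears twice (the
# second, tighter value is ignored) and MaxSessions is only set in a Match block.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
LoginGraceTime 2m
# the next line is ignored by sshd: the first value above wins
LoginGraceTime 20
MaxAuthTries=6
Match User backup
    MaxSessions 1
"""

def parse_time(value):
    """Convert an sshd time value ('2m', '30s', '90') to seconds."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.lower())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * units[m.group(2) or "s"]

def effective_settings(text):
    """Return the effective global value of each audited directive."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match"):
            break  # Match-block values are conditional; stop at the global section
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key in DEFAULTS and key not in found:
            found[key] = value  # first occurrence wins, as in sshd
    result = dict(DEFAULTS)
    for key, value in found.items():
        result[key] = parse_time(value) if key == "logingracetime" else int(value)
    return result

def audit(text, policy=POLICY_MAX):
    """List (directive, effective value, ceiling) for every directive over policy."""
    eff = effective_settings(text)
    return [(k, eff[k], policy[k]) for k in DEFAULTS if eff[k] > policy[k]]

if __name__ == "__main__":
    for directive, value, ceiling in audit(SAMPLE_CONFIG):
        print(f"{directive}: effective {value} exceeds policy ceiling {ceiling}")
```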