Please Help! How to STOP them...
sg at sg.org.ua
Mon Jan 15 20:04:32 UTC 2007
On 15 янв. 2007, at 19:05, Oliver Fromme wrote:
> Gerard Seibert wrote:
>> Reko Turja wrote:
>>> Moving your sshd port somewhere else than 22 - the prepackaged
>>> "cracking" programs don't scan ports, just blindly try out the
>>> port - with determined/skilled attacker it's different matter
>> Security through Obscurity is not true security at all. You are
>> assuming that other ports are not being scanned.
> I don't think he's assuming that. He is just suggesting an
> effective solution to the problem that hundreds of failed
> login attempts are filling the OP's logs and cron mails.
> He didn't claim that it increases security.
> In fact, I would also recommend to move the ssh service
> from port 22 to a different, non-standard port if possible.
> If you want, you can even have the sshd daemon listen on
> _both_ port 22 _and_ your non-standard port 122, and limit
> access to port 22 to a few well-known IP addresses, using
> a packet filter. That way you diminish the usual "blind"
> attempts on port 22, but you can still login using the
> non-standard port if you happen to come from an unknown
> IP address, so you don't lock yourself out.
> Of course, it is important to understand that changing
> the port number will not significantly increase security.
> However, it might give you a slight advance when yet
> another ssh security bug is discovered and exploits start
> circulating while you're asleep. Usually the first
> exploits are quick and dirty hacks which have port 22
> hardcoded, and most script kiddies who blindly scan
> random networks don't have enough clue to change it. ;-)
> Of course, you still need to patch or update your sshd
> as quickly as possible if necessary, and you still need
> to use good passwords, or -- even better -- don't use
> passwords at all, but use key-based authentication.
> Another thing that might be useful are one-time passwords
> (OPIE), especially when you're connection from a foreign
> client such as a public terminal.
> Best regards
It is quite correct but too paranoic. You may consider trying to use
security/bruteblock or security/bruteforceblocker. These programs are
very easy to configure and give you notifications on ssh bruteforce
AIM-UANIC | AIM-RIPE +-----[ FreeBSD ]-----+
Alexander Mogilny | The Power to Serve! |
<> sg at sg.org.ua +---------------------+
More information about the freebsd-questions