Thousands of ssh probes
kingedgar at gmail.com
Mon Mar 8 17:56:09 UTC 2010
On Sun, Mar 7, 2010 at 16:48, Erik Norgaard <norgaard at locolomo.org> wrote:
> On 07/03/10 21:41, dacoder wrote:
> has anybody suggested having sshd listen on a high port?
> Any number will do, think about it:
> a. The attacker doesn't really care which host is compromised any will do,
> and better yet someones home box as it is more difficult to trace him. In
> that case he will scan large ip-ranges for hosts listening on port 22.
> b. The attacker wants to gain control of a particular server. In that case
> he will scan all ports to see what services are running and determine which
> services are running on each port. In that case running ssh on a
> non-standard port is futile.
> However, I'm not really a fan of using non-standard ports for ssh, I don't
> believe it's the right solution to the problem: You have ssh access to the
> outside because people travel and need remote access. In that case they
> might find themselves under other security policies which block access to
> services deemed unnecessary. Running ssh on a non-standard port is likely to
> be blocked on the client network - unless you run on, say, port 80.
> The more uses you have, the more problems you will have running ssh on a
> non-standard port, the time you save checking your logs may easily be spent
> on end user support.
> OP referred to significant impact on bandwidth which I find difficult to
> believe. In case connections come from a single ip at a time then you should
> tweak LoginGraceTime, MaxAuthTries, MaxSessions to reduce the number of
> concurrent un-authenticate connections and slow down brute force attacks.
> Much better, restrict the client access to certain ranges of IPs. The
> different registries publish ip ranges assigned per country and you can
> create a list blocking countries you are certain not to visit, you can use
> my script:
Great script! Just one question. Where do you put the list of denied ip
> BR, Erik
> Erik Nørgaard
> Ph: +34.666334818/+34.915211157 http://www.locolomo.org
> freebsd-questions at freebsd.org mailing list
> To unsubscribe, send any mail to "
> freebsd-questions-unsubscribe at freebsd.org"
More information about the freebsd-questions