Breakin attempt
Michael Powell
nightrecon at hotmail.com
Sat Oct 22 14:54:49 UTC 2011
Polytropon wrote:
> On Sat, 22 Oct 2011 15:08:50 +0100, Bruce Cran wrote:
>> I suspect that these sorts of attacks are fairly normal if you're
>> running ssh on the standard port. I used to have lots of 'break-in
>> attempts' before I moved the ssh server to a different port.
>
> Is there _any_ reason why moving from port 22 to something
> different is _not_ a solution?
>
> Reason why I'm asking: Moving SSH away from its default port
> seems to be a relatively good solution as break-in attempts
> concentrate on default ports. So in case a sysadmin decides
> to move SSH to a "hidden" location, what could be an argument
> against this decision?
>
One such relatively minor argument might be the need of external entities to
connect in a standardized way. Such a client may need to connect but has no
way of knowing in advance what port to use. The only readily available means
for them to locate you might be DNS, with them only knowing you by hostname.
I tend to discount this as they would still need some form of auth, whether
a user account/password combination or a certificate. In either case, this
needs to be configured in advance - so there's no reason a port number
couldn't be included when communicating how to login to the third party.
There is also some remote possibility that the third party has some internal
(albeit brain-dead) policy of mandating the use of some software that cannot
be configured to use a port other than 22. I would consider such software
to be inherently 'broken by design', and not a good enough reason for me to
'break' my system just to make them happy. After all, aren't they the ones
who want to connect to me, and shouldn't the responsibility be on them to do
it in accordance with what I have configured?
I restrict any SSH access to my systems to certificate only, with password
turned off. Only a trusted few will have these certificates, and these people
will know what port to use because I told them. Just changing the port to
some non-well-known high number will not entirely stop a port scan if said
scan is walking up every single port one after another. But simply changing
it to something like 42347 works wonders for knocking down about 90% of
script-kiddies.
I just don't see SSH as the best tool for giving anonymous remote access to
the general public of the IntarWebZ. If access is not anonymous there must
be some admin config done prior to the access. Providing anonymous access
via SSH sort of defeats the purpose of using SSH in the first place. :-)
Just my $.02 - Mike
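The posture Mike describes above (sshd on a non-default port, password
authentication off, key-based authentication only) is easy to state and easy
to get subtly wrong in sshd_config, because sshd takes the FIRST value it
finds for a keyword and anything after a Match line is conditional. The
script below is an added example, not code from the thread or from FreeBSD:
it parses an sshd_config the way sshd does for these keywords and reports
whether the file matches that posture. The two sample config files are
constructed for the example; the 42347 port value is just the number from
the post. It checks ChallengeResponseAuthentication as well, because leaving
it on lets PAM prompt for a password even when PasswordAuthentication is no
(on newer OpenSSH the keyword is KbdInteractiveAuthentication; this example
only looks at the older spelling).

```shell
#!/bin/sh
# Added example: audit an sshd_config for the "non-default port, keys only"
# posture. Not part of the mailing-list post or of OpenSSH itself.

# sshd_get CONFIG KEYWORD DEFAULT
# Prints the effective value of KEYWORD: the first non-comment occurrence
# before any Match block (sshd semantics), or DEFAULT if none is found.
# Keywords are case-insensitive; "Key value" and "Key=value" are accepted.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*(#|$)/ { next }                 # comments and blank lines
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            # Everything after the first Match line is conditional, so stop there.
            if (tolower(line) ~ /^match([[:space:]]|$)/) exit
            if (!match(line, /[[:space:]=]+/)) next
            k = tolower(substr(line, 1, RSTART - 1))
            v = substr(line, RSTART + RLENGTH)
            sub(/[[:space:]]+$/, "", v)
            if (k == key) { print v; found = 1; exit }  # first match wins
        }
        END { if (!found) print def }' "$1"
}

# sshd_check_hardening CONFIG
# Returns 0 if CONFIG is off port 22, refuses passwords and allows keys;
# prints one FAIL line per problem and returns 1 otherwise.
sshd_check_hardening() {
    _cfg=$1
    _rc=0
    _port=$(sshd_get "$_cfg" Port 22)
    _pw=$(sshd_get "$_cfg" PasswordAuthentication yes | tr 'A-Z' 'a-z')
    _pk=$(sshd_get "$_cfg" PubkeyAuthentication yes | tr 'A-Z' 'a-z')
    _cr=$(sshd_get "$_cfg" ChallengeResponseAuthentication yes | tr 'A-Z' 'a-z')
    [ "$_port" = 22 ]  && { echo "FAIL: sshd still listens on port 22"; _rc=1; }
    [ "$_pw" = yes ]   && { echo "FAIL: PasswordAuthentication is yes"; _rc=1; }
    [ "$_pk" != yes ]  && { echo "FAIL: PubkeyAuthentication is not yes"; _rc=1; }
    [ "$_cr" = yes ]   && { echo "FAIL: ChallengeResponseAuthentication yes lets PAM ask for a password"; _rc=1; }
    return $_rc
}

# Constructed sample configs for the demonstration (not real hosts).
SSH_EXAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SSH_EXAMPLE_DIR"' EXIT
SSH_WEAK_CFG=$SSH_EXAMPLE_DIR/sshd_config.weak
SSH_HARD_CFG=$SSH_EXAMPLE_DIR/sshd_config.hard

# Weak: stock defaults spelled out, and a later "no" that sshd ignores
# because the first occurrence of PasswordAuthentication wins.
cat > "$SSH_WEAK_CFG" <<'EOF'
# default listener
Port 22
PasswordAuthentication yes
PasswordAuthentication no
EOF

# Hardened: the posture from the post. The Match block re-enables passwords
# only for one user and must not be mistaken for the global setting.
cat > "$SSH_HARD_CFG" <<'EOF'
Port 42347
PubkeyAuthentication yes
PasswordAuthentication=no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
EOF

echo "== weak config =="
sshd_check_hardening "$SSH_WEAK_CFG" || echo "weak config rejected"
echo "== hardened config =="
sshd_check_hardening "$SSH_HARD_CFG" && echo "hardened config accepted"
```

Run it against a live host with `sshd_check_hardening /etc/ssh/sshd_config`;
on systems whose sshd supports it, `sshd -T` prints the fully resolved
configuration and is the more authoritative source when the file uses
Include or many Match blocks.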