Increased abuse activity on my server

Valeri Galtsev galtsev at kicp.uchicago.edu
Wed Mar 7 17:12:36 UTC 2018
On 03/07/18 10:43, Duane Whitty wrote:
> On 18-03-07 12:17 PM, Valeri Galtsev wrote:
>>
>>
>> On 03/07/18 08:20, William Dudley wrote:
>>> This may sound stupid and obvious, but I moved my ssh port to a high
>>> "random" port number, and that completely stopped the random attempts
>>> to ssh in.  I know that "security by obscurity" "doesn't work", but it did!
>>
>> No, it doesn't. One mostly fools oneself by seeing fewer symptoms, whereas
>> the illness is still as bad as it was (if it was there, that is). Sorry, it
>> looks like I'm in a contradictive mood, still bear with me.
>>
> 
> Are the symptoms not diagnostic of the illness in this case or are you
> saying that there may be ssh login attempts that aren't being logged
> after being moved to a randomly selected port over 1024?  That would
> seem unusual.
> 
> Regarding ports over 1024 I agree it's true non-root users can open them
> but not sure what that is going to get an attacker.  How does sshd
> listening on port 15391 etc make it more vulnerable than listening on
> port 22?  Can you provide an example of an exploit?

I normally don't like to answer things when my original point that is 
being discussed is edited away. I will still just reiterate here that if 
you don't see anything bad in using a port above 1024, then it would take me 
writing a book and having you read it, which is impractical. We'll see 
if someone chimes in. And by no means did I intend to state that some bad 
practice on its own creates "an exploit". Still, sysadmins stick to good 
practices; you should be able to tell yourself why.

> 
> Also, I don't recall the OP mentioning anything about having many users
> ssh'ing in.  Perhaps the OP is the only user that logs in for
> administrative purposes.
> 
> Also, perhaps he already doesn't allow root logins from the Internet, he
> hasn't said and we haven't asked.
> 
> Does moving sshd to a high port number make you all that more secure?
> No, not really, but it does avoid a lot of log activity and makes seeing
> real attacks easier.  Combine that with sensible host and firewall
> policies and a large majority of attackers just aren't going to bother
> because it will be so much easier for them to attack someone else and
> have a higher probability of attack.
> 
> You do make some good points though that administrators should consider
> when implementing systems security.
> 

Thank you. I am just repeating what I learned, and a lot of it comes 
from clever people on lists like this one. They are to be credited, not 
I ;-)

Valeri

> 
> Best Regards,
> Duane
> 

-- 
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
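The point contested above is that a port above 1024 can be bound by any local user, so after moving sshd there an administrator should verify that the listener on that port really is root's sshd. The following check is an added example written for this archive page; it is not code from anyone in the thread. It assumes the `sockstat -4l` column layout (USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS) and the FreeBSD default of 1023 for `net.inet.ip.portrange.reservedhigh`; the sockstat text it parses is constructed sample data, and port 15391 is taken from the message above while 15392 is a made-up second port.

```python
"""Check who owns the TCP listener on the port sshd was moved to.

Added example, not from the thread. On FreeBSD only root may bind ports at
or below net.inet.ip.portrange.reservedhigh (1023 by default); a port above
that can be bound by any local user. Once sshd sits on a high port, a
monitoring check should confirm the socket is still held by root's sshd.
Input is `sockstat -4l`-style text; the sample below is constructed.
"""
import re
from dataclasses import dataclass

RESERVED_HIGH = 1023  # FreeBSD default for net.inet.ip.portrange.reservedhigh

# Constructed sample in the column layout of `sockstat -4l` (not real output).
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:15391               *:*
root     syslogd    455   6  udp4   *:514                 *:*
alice    python3    2210  3  tcp4   *:15392               *:*
"""


@dataclass
class Listener:
    user: str
    command: str
    pid: int
    proto: str
    port: int


def port_requires_root(port: int, reserved_high: int = RESERVED_HIGH) -> bool:
    """True if binding this port needs root under the default port range."""
    return port <= reserved_high


def parse_sockstat(text: str) -> list:
    """Parse sockstat-style lines into Listener records, skipping the header."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "USER":
            continue
        user, command, pid, _fd, proto, local = fields[:6]
        match = re.search(r":(\d+)$", local)
        if not match:  # address without a numeric port (e.g. '*:*')
            continue
        listeners.append(Listener(user, command, int(pid), proto, int(match.group(1))))
    return listeners


def audit_ssh_port(text: str, port: int, user: str = "root", command: str = "sshd") -> tuple:
    """Return (status, detail) for the TCP listener on `port`.

    status is 'ok' when the expected user's sshd holds the port, 'missing'
    when nothing listens there, and 'unexpected' when another user or
    program does.
    """
    owners = [l for l in parse_sockstat(text)
              if l.port == port and l.proto.startswith("tcp")]
    if not owners:
        return ("missing", f"nothing is listening on tcp port {port}")
    owner = owners[0]
    if owner.user == user and owner.command == command:
        return ("ok", f"{command} (pid {owner.pid}) owned by {user} holds port {port}")
    note = "" if port_requires_root(port) else \
        " (port is above the reserved range, so any local user could bind it)"
    return ("unexpected",
            f"port {port} is held by {owner.command} (pid {owner.pid}) "
            f"running as {owner.user}{note}")


if __name__ == "__main__":
    for p in (22, 15391, 15392):
        print(p, "needs root:", port_requires_root(p), *audit_ssh_port(SAMPLE_SOCKSTAT, p))
```

Run periodically (or from a monitoring agent) against live `sockstat -4l` output, the check turns the "nothing stops a non-root process from taking the port" concern into something that is actually observed rather than argued about: a 'missing' result means sshd is down on its high port, and an 'unexpected' result means the port has been taken by something else.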


More information about the freebsd-questions mailing list