Increased abuse activity on my server
galtsev at kicp.uchicago.edu
Wed Mar 7 17:12:36 UTC 2018
On 03/07/18 10:43, Duane Whitty wrote:
> On 18-03-07 12:17 PM, Valeri Galtsev wrote:
>> On 03/07/18 08:20, William Dudley wrote:
>>> This may sound stupid and obvious, but I moved my ssh port to a high
>>> "random" port number, and that completely stopped the random attempts
>>> to ssh in. I know "security by obscurity" "doesn't work", but it did!
>> No, it doesn't. One mostly fools oneself by seeing fewer symptoms, whereas
>> the illness is still as bad as it was (if it was there, that is). Sorry, it
>> looks like I'm in a contradictive mood, still bear with me.
> Are the symptoms not diagnostic of the illness in this case or are you
> saying that there may be ssh login attempts that aren't being logged
> after being moved to a randomly selected port over 1024? That would
> seem unusual.
> Regarding ports over 1024 I agree it's true non-root users can open them
> but not sure what that is going to get an attacker. How does sshd
> listening on port 15391 etc make it more vulnerable than listening on
> port 22? Can you provide an example of an exploit?
I normally don't like to answer things when my original point that is
being discussed is edited away. I still will just reiterate here that if
you don't see anything bad in using a port above 1024, then it will take me
writing a book and having you read that, which is impractical. We'll see
if someone chimes in. And by no means did I intend to state that some bad
practice on its own creates "an exploit". Still, sysadmins stick to good
practices; you should be able to tell yourself why.
> Also, I don't recall the OP mentioning anything about having many users
> ssh'ing in. Perhaps the OP is the only user that logs in for
> administrative purposes.
> Also, perhaps he already doesn't allow root logins from the Internet, he
> hasn't said and we haven't asked.
> Does moving sshd to a high port number make you all that more secure?
> No, not really, but it does avoid a lot of log activity and makes seeing
> real attacks easier. Combine that with sensible host and firewall
> policies and a large majority of attackers just aren't going to bother
> because it will be so much easier for them to attack someone else and
> have a higher probability of attack.
> You do make some good points though that administrators should consider
> when implementing systems security.
Thank you. I am just repeating what I learned, and a lot of it comes
from clever people on lists like this one. They are to be credited, not
> Best Regards,
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
More information about the freebsd-questions