[ale] ssh brute-force

Lightner, Jeff JLightner at water.com
Mon Feb 17 08:51:59 EST 2014


The reason why changing the port drops hits to near zero even if someone is doing a port scan is that the port scan doesn't tell them the port is ssh - just that it is open. Of course doing a telnet to an open port might reveal that.

The fail2ban idea is a good one.  So is using the high number but you CAN do nmap for high numbers - most people just don't.  Security is all about hardening so the bad guys move on to easier targets.  Nothing is really going to stop the determined folks specifically targeting you but it will keep out most of the hit and run types and script kiddies.





-----Original Message-----
From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Chuck Payne
Sent: Sunday, February 16, 2014 5:23 PM
To: Atlanta Linux Enthusiasts
Subject: Re: [ale] ssh brute-force

At one of my jobs they used ssh keys and moved the port to 20000 something; at first I wondered why, but now it makes a lot of sense.
Especially the keys. If you are going to leave it on port 22, set yourself up with ssh-keys and anyone else that uses it. You turn off password in ssh where it will only use the keys.



On Sun, Feb 16, 2014 at 4:34 PM, Wolf Halton <wolf.halton at gmail.com> wrote:
> Unless you are being specifically targeted, there are about 60,000 ports that
> aren't scanned by tools in default mode.  High numbers without
> registered services will get almost zero hits.
>
> On Feb 16, 2014 3:45 PM, "John Heim" <john at johnheim.com> wrote:
>>
>>
>>
>> My experience is that changing the port reduces the random attempts
>> to near zero. But if someone specifically targets you, it doesn't help.
>>
>> Hackers probably aren't doing port scans of your server. They are
>> probably scanning your network for machines with port 22 open.
>>
>> On 02/16/14 13:20, Edward Holcroft wrote:
>>>
>>> All,
>>>
>>> I have a server that I had to open to the world for ssh. It's
>>> getting a lot of brute-force hits, although I've managed to bring it
>>> down to an "acceptable" level by using a suitable level of paranoia in denyhosts.
>>> Obviously I'd rather not have these hits at all.
>>>
>>> I often hear the suggestion made that I should be using a
>>> non-standard port for ssh to reduce such attacks. I wonder though
>>> what the real value of this would be, since would a portscan not
>>> reveal the open port to would-be hackers anyway?
>>>
>>> I've heard it said that unwanted ssh hits have been reduced to zero
>>> by changing the port from 22 to something else. Of course I can test
>>> the hypothesis by simply changing the port, but I'd like to hear
>>> some opinions on this question before doing so.
>>>
>>> ed
>>>
>>> --
>>> Edward Holcroft | Madsen Kneppers & Associates Inc.
>>> 11695 Johns Creek Parkway, Suite 250 | Johns Creek, GA 30097 O (770)
>>> 446-9606 | M (770) 630-0949
>>>
>>> MADSEN, KNEPPERS & ASSOCIATES USA, MKA Canada Inc.
>>>
>>>
>>> _______________________________________________
>>> Ale mailing list
>>> Ale at ale.org
>>> http://mail.ale.org/mailman/listinfo/ale
>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>> http://mail.ale.org/mailman/listinfo
>>>
>
>
>



--
Terror PUP a.k.a
Chuck "PUP" Payne

(678) 636-9678