Brute-Force SSH Server Attacks Surge -- InformationWeek
Ben Scott
dragonhawk at gmail.com
Thu May 15 11:17:55 EDT 2008
On Thu, May 15, 2008 at 9:58 AM, kenta <kenta at guster.net> wrote:
> Bind ssh to two ports: 22 and a non standard port
> In my firewall rules I specifically allow certain IP's to connect to port
> 22.
One variant of that strategy is to run the real SSH on some
non-standard port, and then run a sentry on 22, so that anyone trying
to connect to 22 is automatically blacklisted.
For the truly paranoid, use port-knocking and a non-standard SSH
port. And, of course, monitor the firewall logs, so that anyone
probing other ports, or anyone probing the non-standard SSH port
without knocking first, gets blacklisted.
I'm content with running SSH on a non-standard port, and if at all
feasible, requiring public keys (no passwords). The non-standard port
seems to stop pretty much all the stuff commonly found in the wild. (A
specifically targeted attack would use a port scan, of course, but
that would at least stand out in the logs.)
And, of course, if you're running Debian or Ubuntu, regenerate all
your keypairs... :-(
-- Ben
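The sentry-plus-knocking policy Ben describes (blacklist anyone who touches port 22, anyone who reaches the real SSH port without a prior knock, and anyone probing other ports) can be expressed as a classifier over firewall log lines. The script below is an added example written for this page, not code from the post or from the gnhlug list; it assumes iptables LOG-target lines as input, an sshd on port 2222, a knock sequence of 7000, 8000, 9000, and a 10-second knock window followed by a 30-second open window, all of which are assumptions. The sample log is constructed, not a real capture, and the output is a review list rather than a live firewall change.

```python
import re
from datetime import datetime, timedelta

SENTRY_PORT = 22                      # decoy: any TCP SYN here gets the source blacklisted
SSH_PORT = 2222                       # assumed non-standard port the real sshd listens on
KNOCK_SEQUENCE = (7000, 8000, 9000)   # assumed knock ports, in order
KNOCK_WINDOW = timedelta(seconds=10)  # whole sequence must complete within this
OPEN_WINDOW = timedelta(seconds=30)   # after a good knock, SSH_PORT is open this long

# iptables LOG format: "<syslog ts> <host> kernel: ... SRC=a.b.c.d ... PROTO=TCP SPT=n DPT=n ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse(line):
    """Return (timestamp, source, destination port) for a logged TCP packet, else None."""
    m = LINE_RE.search(line)
    if not m or m.group("proto") != "TCP":
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, and only deltas matter here.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("src"), int(m.group("dpt"))


def classify(lines):
    """Apply the sentry/knock policy to log lines; return (blacklist, knocked_ok)."""
    blacklist = {}   # src -> reason it was blacklisted
    knocks = {}      # src -> (index of next expected knock port, time of first knock)
    opened = {}      # src -> time until which SSH_PORT is permitted
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, dpt = rec
        if src in blacklist:
            continue                                  # already decided; ignore further noise
        if dpt == SENTRY_PORT:
            blacklist[src] = "hit sentry port 22"
        elif dpt in KNOCK_SEQUENCE:
            idx, first = knocks.get(src, (0, ts))
            if idx > 0 and ts - first > KNOCK_WINDOW:
                idx, first = 0, ts                    # too slow: start the sequence over
            if dpt == KNOCK_SEQUENCE[idx]:
                idx += 1                              # correct next knock
            else:
                idx, first = (1 if dpt == KNOCK_SEQUENCE[0] else 0), ts
            if idx == len(KNOCK_SEQUENCE):
                opened[src] = ts + OPEN_WINDOW        # full sequence: open the SSH port
                knocks.pop(src, None)
            else:
                knocks[src] = (idx, first)
        elif dpt == SSH_PORT:
            if src not in opened or ts > opened[src]:
                blacklist[src] = "SSH port without prior knock"
        else:
            blacklist[src] = f"probed port {dpt}"
    return blacklist, set(opened)


def log_line(ts, src, dpt, proto="TCP"):
    """Build one iptables LOG-target line (constructed sample data, not a real capture)."""
    return (f"{ts} gw kernel: [ 4512.120331] IN=eth0 OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST=203.0.113.5 "
            f"LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO={proto} SPT=41234 DPT={dpt} "
            f"WINDOW=5840 RES=0x00 SYN URGP=0")


# Constructed sample: one sentry hit, one good knock, one unknocked SSH attempt,
# one probe of another port, a UDP line to be ignored, and a knock that times out.
SAMPLE_LOG = [
    log_line("May 15 11:17:01", "198.51.100.7", 22),
    log_line("May 15 11:17:05", "192.0.2.10", 7000),
    log_line("May 15 11:17:06", "192.0.2.10", 8000),
    log_line("May 15 11:17:07", "192.0.2.10", 9000),
    log_line("May 15 11:17:09", "192.0.2.10", 2222),
    log_line("May 15 11:17:30", "198.51.100.8", 2222),
    log_line("May 15 11:17:40", "198.51.100.9", 3306),
    log_line("May 15 11:17:45", "198.51.100.20", 53, proto="UDP"),
    log_line("May 15 11:17:50", "192.0.2.11", 7000),
    log_line("May 15 11:18:15", "192.0.2.11", 8000),   # 25 s after the first knock: too late
    log_line("May 15 11:18:16", "192.0.2.11", 9000),
    log_line("May 15 11:18:17", "192.0.2.11", 2222),
]

if __name__ == "__main__":
    bl, ok = classify(SAMPLE_LOG)
    for src, reason in sorted(bl.items()):
        print(f"blacklist {src}: {reason}")
    print("completed knock:", sorted(ok))
```

Feeding real log lines through `classify` and reviewing the blacklist before pushing it into a firewall chain keeps a single mistyped knock from locking out a legitimate admin; the script deliberately stops at producing the list.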