Spike in SSH attacks
Tom Buskey
tom at buskey.name
Mon Jun 21 11:14:50 EDT 2010
On Mon, Jun 21, 2010 at 11:05 AM, Chip Marshall <chip at 2bithacker.net> wrote:
> On 21-Jun-2010, Bill Sconce <sconce at in-spec-inc.com> sent:
>> START WITH NEVER EXPOSING SSHD ON PORT 22.
>
> http://en.wikipedia.org/wiki/Security_through_obscurity
>
> Personally, I think this is a flawed approach to securing a machine. It
I don't think anyone here is advocating a different port to improve
security. It's to get out of the way of script kiddies.
> only serves to encourage full port scans of machines, which wastes even
> more bandwidth.
That might happen, but I don't think full scans of random systems have
happened yet.
This is an attack on random machines. A targeted machine will
probably get a full scan.
> Sure, my logs have a lot of failed login attempts, but failed login
> attempts mean my security is working. It's the successful ones you need
> to watch out for.
I'll get an alert in my logs if SSH is scanned no matter which ports it
is on. If I need it tested, I'll scan it myself. I won't lose that
alert amongst a haystack of automated attacks though.
>
> You don't secure your house by hiding the door, you secure it by
> having good locks.
If someone looks at your house quickly to break in, they might see
there are no doors out back and quickly move on to the next house that
has a back door. Maybe your door is more hidden and you have good
locks anyways.
This was the mentality for having "The Club" highly visible in your
car. Which would be good if the Club wasn't so useful as a prybar and
easy to defeat otherwise.
More information about the gnhlug-discuss mailing list