Spike in SSH attacks

Bill Sconce sconce at in-spec-inc.com
Mon Jun 21 20:42:25 EDT 2010


On Mon, 21 Jun 2010 11:05:18 -0400
Chip Marshall <chip at 2bithacker.net> wrote:

> On 21-Jun-2010, Bill Sconce <sconce at in-spec-inc.com> sent:
> > START WITH NEVER EXPOSING SSHD ON PORT 22.
>
> You don't secure your house by hiding the door, you secure it by
> having good locks.

I couldn't agree more.  The idea is to cut down on the scratching
and rattling noises as every script kiddie in Romania bashes on your
door on the chance it might be unlatched.  Noise is annoying; it's
hard to see why anyone would recommend that you have to put up with
it.  (Nevertheless, if you like port 22, use port 22.)

I hope I didn't give the impression that moving off port 22 is the
only thing I recommend, or do.  On the contrary, I spent solid weeks
(documented in changelogs) several years ago researching all the SSH
options, determining the sshd configurations I believe to be correct
for my clients(*), and writing a Python program to parse the
applicable manpage (options and defaults change!), QA the available
(many) options, and produce a recommended sshd_config together with
a checklist and a set of annotations for manual review.  'Been doing
that for years now, for every sshd I set up.

> > "START" with port 22...

-Bill


(*) I found it interesting, when I saw this thread, that

  a) when I went to ensure that my Python program disallows
     "keyboard interactive", I found that it does so, and has done
     so since the beginning

  b) I wasn't able to remember what "keyboard interactive" means,
     in spite of having known it a couple of years ago, or whether
     it's in my set of deprecated settings, and had to look it up
     again.

(Hmm.  Is SSH too complicated?  Y'think?)
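The post describes a program that checks sshd options against a vetted set and notes that it has always disallowed "keyboard interactive" (the KbdInteractiveAuthentication switch, formerly ChallengeResponseAuthentication, which offers a prompt/response login path that works much like password login). The code below is an added example, not Bill's program (whose source is not in the post): a small Python audit that reads an sshd_config the way sshd does (keywords are case-insensitive, the first occurrence of a keyword wins, lines after a Match block are conditional) and compares the effective value of a handful of directives against a hardened baseline, falling back to the value sshd would use when a directive is unset. The directive names are real OpenSSH sshd_config keywords; the baseline values and the DEFAULTS table are this example's assumptions, and the defaults in particular should be re-checked against the manpage of the installed version, since, as the post says, options and defaults change. The sample config is constructed.

```python
"""Audit an sshd_config against a small hardened baseline.

Added example for illustration; not the poster's program and not part of
OpenSSH. Directive names are real sshd_config keywords; BASELINE and
DEFAULTS are assumptions to be checked against `man sshd_config` for the
version actually installed.
"""
import re

# directive -> (expected value, why it matters). Keywords are compared
# case-insensitively, as sshd itself treats them.
BASELINE = {
    "PermitRootLogin": ("no", "log in as a user and escalate; keeps an audit trail"),
    "PasswordAuthentication": ("no", "keys only; removes the target of password guessing"),
    "KbdInteractiveAuthentication": ("no", "'keyboard interactive' is a second prompt-style login path"),
    "ChallengeResponseAuthentication": ("no", "older name for the keyboard-interactive switch"),
    "PubkeyAuthentication": ("yes", "the method that should remain enabled"),
    "PermitEmptyPasswords": ("no", "never accept an empty password"),
    "X11Forwarding": ("no", "rarely needed on a server"),
}

# Value sshd uses when the directive is absent (assumption: taken from a
# recent sshd_config manpage; verify for your version, older releases differ).
DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "KbdInteractiveAuthentication": "yes",
    "ChallengeResponseAuthentication": "yes",
    "PubkeyAuthentication": "yes",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
}

# Constructed sample config for the demonstration; not from any real host.
SAMPLE_CONFIG = """\
# constructed sshd_config
Port 22
PermitRootLogin yes
PubkeyAuthentication yes
# PasswordAuthentication deliberately left unset: sshd's default applies
ChallengeResponseAuthentication no
# second occurrence of the same keyword: sshd keeps the first one
ChallengeResponseAuthentication yes
X11Forwarding no
Match User backup
    PasswordAuthentication yes
"""

_LINE = re.compile(r"^(\w+)\s*=?\s*(.*)$")


def parse_sshd_config(text):
    """Return {lowercased keyword: value} for the global section.

    Mirrors sshd's rules: comment lines start with '#', keywords are
    case-insensitive, the first occurrence wins, and everything after the
    first 'Match' line is conditional, so it is not folded into the global view.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def listening_port(text):
    """Port sshd would listen on: the configured Port, or 22 when unset."""
    return int(parse_sshd_config(text).get("port", "22"))


def audit(text):
    """Compare the effective value of each BASELINE directive to the expected one.

    Returns a list of findings; each records where the effective value came
    from ('config' or 'default'), so an unset-but-dangerous default is visible.
    """
    settings = parse_sshd_config(text)
    findings = []
    for directive, (expected, reason) in BASELINE.items():
        key = directive.lower()
        if key in settings:
            effective, source = settings[key], "config"
        else:
            effective, source = DEFAULTS[directive], "default"
        if effective.lower() != expected:
            findings.append({"directive": directive, "effective": effective,
                             "expected": expected, "source": source, "reason": reason})
    return findings


def report(text):
    """Render the audit as a checklist for manual review."""
    lines = [f"Port: {listening_port(text)} (22 draws automated login noise; any port still needs good locks)"]
    for f in audit(text):
        lines.append(f"FAIL {f['directive']}: {f['effective']} [{f['source']}], "
                     f"want {f['expected']}: {f['reason']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CONFIG))
```

Run against SAMPLE_CONFIG the audit flags PermitRootLogin (set to yes), and PasswordAuthentication and KbdInteractiveAuthentication (both unset, so sshd's permissive defaults apply), while the duplicate ChallengeResponseAuthentication line and the PasswordAuthentication inside the Match block are correctly ignored for the global view. The "[default]" tag on a finding is the useful part: it separates what the administrator wrote from what sshd quietly assumes.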
