Spike in SSH attacks
Dan Jenkins
dan at rastech.com
Mon Jun 21 21:07:54 EDT 2010
On 6/21/2010 8:42 PM, Bill Sconce wrote:
> On Mon, 21 Jun 2010 11:05:18 -0400
> Chip Marshall <chip at 2bithacker.net> wrote:
>> On 21-Jun-2010, Bill Sconce <sconce at in-spec-inc.com> sent:
>>
>>> START WITH NEVER EXPOSING SSHD ON PORT 22.
>>>
>> You don't secure your house by hiding the door, you secure it by
>> having good locks.
>>
> I couldn't agree more. The idea is to cut down on the scratching
> and rattling noises as every script kiddie in Romania bashes on your
> door on the chance it might be unlatched. Noise is annoying; it's
> hard to see why anyone would recommend that you have to put up with
> it. (Nevertheless, if you like port 22, use port 22.)
>
> I hope I didn't give the impression that moving off port 22 is the
> only thing I recommend, or do.
>
When I had 26,000 SSH door rattlings, on one server, in one day, I moved
from port 22 on almost every device we administer. The logs were so full
of door rattlings, real warnings could get lost. I have never had
another SSH probe since. They really must be script kiddies - no port
scans to identify alternate SSH ports. As I can limit most SSH
connections to a limited pool of originating IPs, I do that too. If
possible, we only use SSH keys, no password logins. No root logins.
Protocol 2 only, etc. Of course, no remote access unless it is needed.
Like any security, the more layers the better.
--
Dan Jenkins, Rastech Inc., Bedford, NH, USA, 1-603-206-9951
*** Technical Support Excellence for four decades.
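The layers Dan lists (off port 22, source-IP limits, keys only, no root, protocol 2 only) are all sshd_config directives except the firewall piece, and a short audit script catches the ones that tend to drift. The following is an added example, not code from the poster or from the gnhlug thread; the two sample configs are constructed, and the user names and addresses in them are illustrative (RFC 5737 ranges). It only reads the config file; a firewall or tcp_wrappers source restriction would not show up here.

```python
"""Audit an sshd_config against the layers named in the post above.

Added example, not the poster's code. The two sample configs are
constructed; user names, ports and addresses in them are illustrative.
"""
import re

# Constructed sample: a stock-looking sshd_config with the settings
# the post argues against.
WEAK_CONFIG = """\
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: the same file after applying the post's layers.
# ChallengeResponseAuthentication is set too, because with it left on
# PAM keyboard-interactive can still prompt for a password.
HARDENED_CONFIG = """\
Port 2222
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers dan@192.0.2.0/24 ops@203.0.113.10
"""


def parse_sshd_config(text):
    """Return (global_settings, match_criteria).

    Two sshd_config rules matter for an audit and are easy to get wrong:
    sshd keeps the FIRST value it sees for a keyword, and anything after
    a 'Match' line applies only to connections matching that block, so it
    is not a global setting. Keywords are case-insensitive.
    """
    settings = {}
    match_criteria = []
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            match_criteria.append(value)
            continue
        if not in_match:
            settings.setdefault(key, value)  # first occurrence wins
    return settings, match_criteria


def audit_sshd_config(text):
    """Return one finding per layer from the post that is not in place."""
    cfg, matches = parse_sshd_config(text)
    findings = []
    if cfg.get("port", "22") == "22":
        findings.append("Port 22: noise reduction only, but the post starts with it")
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing still works")
    cra = cfg.get("challengeresponseauthentication", "").lower()
    kbd = cfg.get("kbdinteractiveauthentication", "").lower()
    if "no" not in (cra, kbd):
        findings.append("ChallengeResponse/KbdInteractiveAuthentication not 'no': "
                        "PAM can still ask for a password")
    if cfg.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not 'no'")
    if "1" in cfg.get("protocol", "2").split(","):
        findings.append("Protocol allows SSH-1")
    allow_hosts = [tok for tok in cfg.get("allowusers", "").split() if "@" in tok]
    addr_match = [m for m in matches if m.lower().startswith("address")]
    if not allow_hosts and not addr_match:
        findings.append("No source restriction in sshd_config (AllowUsers user@host "
                        "or Match Address); a firewall rule would have to supply it")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_sshd_config(text)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit_sshd_config`; the weak sample produces six findings and the hardened one none. The first-value-wins and Match-scoping rules are the ones that bite in practice: a `PermitRootLogin no` appended at the end of a file that already says `yes` higher up changes nothing, and a `PasswordAuthentication no` inside a `Match` block protects only the connections that block matches.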
More information about the gnhlug-discuss mailing list