What's the strategy for bad guys guessing a few ssh passwords?
Bruce Dawson
jbd at codemeta.com
Mon Jun 12 12:42:33 EDT 2017
I have to second this suggestion - changing the port did wonders for our
servers. Of course, as Dan says, it works for script kiddies, not so
much against a determined attack on your server.
--Bruce
On 06/12/2017 09:59 AM, Dan Garthwaite wrote:
> If you can change the port number it does wonders against the script
> kiddies.
>
> Just remember to add the new port, restart sshd, then remove the old
> port. :)
>
> On Sun, Jun 11, 2017 at 1:53 PM, Ted Roche <tedroche at gmail.com> wrote:
>
> Thanks, all for the recommendations. I hadn't seen sshguard before;
> I'll give that a try.
>
> I do have Fail2Ban in place, and have customized a number of scripts,
> mostly for Apache (trying to invoke asp scripts on my LAMP server
> results in instaban, for example) and it is what is reporting the ssh
> login failures.
>
> I have always seen them, in the 10 years I've had this server running,
> but the frequency, periodicity and international variety (usually
> they're all China, Russia, Romania) seemed like there might be
> something else going on.
>
> Be careful out there.
>
> On Sun, Jun 11, 2017 at 11:19 AM, Mark Komarinski
> <mkomarinski at wayga.org> wrote:
> > sshguard is really good since it'll drop in an iptables rule to
> > block an IP address after a number of attempts (and prevent knocking
> > on other ports too).
> >
> > Yubikey as 2FA is pretty nice too.
> >
> > -------- Original message --------
> > From: Bruce Dawson <jbd at codemeta.com>
> > Date: 6/11/17 10:58 AM (GMT-05:00)
> > To: gnhlug-discuss at mail.gnhlug.org
> > Subject: Re: What's the strategy for bad guys guessing a few ssh
> > passwords?
> >
> > sshguard takes care of most of them (especially the high
> > bandwidth ones).
> >
> > The black hats don't care - they're looking for vulnerable
> > systems. If they find one, they'll exploit it (or not).
> >
> > Note that a while ago (more than a few years), comcast used to probe
> > systems to see if they're vulnerable. Either they don't do that any
> > more, or contract it out because I haven't seen probes from any
> > of their systems in years. This probably holds true for other ISPs,
> > and various intelligence agencies in the world - both private and
> > public, not to mention various disreputable enterprises.
> >
> > --Bruce
> >
> >
> > On 06/11/2017 10:17 AM, Ted Roche wrote:
> >> For 36 hours now, one of my clients' servers has been logging ssh
> >> login attempts from around the world, low volume, persistent,
> >> but more frequent than usual. sshd is listening on a non-standard
> >> port, just to minimize the garbage in the logs.
> >>
> >> A couple of attempts is normal; we've seen that for years. But
> >> this is several each hour, and each hour an IP from a different
> >> country: Belgium, Korea, Switzerland, Bangladesh, France, China,
> >> Germany, Dallas, Greece. Usernames vary: root, mythtv, rheal, etc.
> >>
> >> There are several levels of defense in use: firewalls, intrusion
> >> detection, log monitoring, etc, so each script gets a few
> >> guesses and the IP is then rejected.
> >>
> >> In theory, the defenses should be sufficient, but I have a concern
> >> that I'm missing their strategy here. It's not a DDOS, they are
> >> very low volume. It will take them several millennia to guess enough
> >> dictionary attack guesses to get through, so what's the point?
> >>
> >
> > _______________________________________________
> > gnhlug-discuss mailing list
> > gnhlug-discuss at mail.gnhlug.org
> > http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
> >
>
>
>
> --
> Ted Roche
> Ted Roche & Associates, LLC
> http://www.tedroche.com
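As an added example (not code from this thread, and not sshguard's or Fail2Ban's own implementation): a small Python tracker that models the rule Mark describes, block a source address once it has accumulated a number of failed ssh logins, run over a few constructed sshd log lines in syslog format. The hostname, the addresses (documentation ranges), the threshold, the ten-minute window, the ban length and the year supplied for the year-less syslog timestamps are all assumptions. The second source address is deliberately kept to one guess every fifteen minutes or so, the low-volume pattern Ted asks about, to show that it never trips a window-based threshold and only shows up when failures are also counted over a longer horizon.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Matches the sshd "Failed password" line for both known and invalid users.
# (The separate "Invalid user ... from ..." line is ignored so that one
# guess is not counted twice.)
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample log: a fast burst from one address, a slow trickle
# from another, and one legitimate key-based login in between.
SAMPLE_LOG = """\
Jun 11 10:01:12 lamp sshd[2311]: Failed password for root from 203.0.113.7 port 41234 ssh2
Jun 11 10:01:15 lamp sshd[2311]: Failed password for invalid user mythtv from 203.0.113.7 port 41236 ssh2
Jun 11 10:01:19 lamp sshd[2313]: Failed password for invalid user rheal from 203.0.113.7 port 41240 ssh2
Jun 11 10:01:23 lamp sshd[2315]: Failed password for root from 203.0.113.7 port 41244 ssh2
Jun 11 10:02:00 lamp sshd[2318]: Accepted publickey for ted from 192.0.2.10 port 50022 ssh2
Jun 11 10:40:05 lamp sshd[2401]: Failed password for root from 198.51.100.4 port 53011 ssh2
Jun 11 10:55:30 lamp sshd[2402]: Failed password for root from 198.51.100.4 port 53020 ssh2
Jun 11 11:15:44 lamp sshd[2403]: Failed password for root from 198.51.100.4 port 53031 ssh2
Jun 11 11:30:02 lamp sshd[2404]: Failed password for root from 198.51.100.4 port 53040 ssh2
"""


class FailedLoginTracker:
    """Bans an IP once it logs `threshold` failures inside `window`.

    Models the behaviour the thread attributes to sshguard/Fail2Ban; the
    iptables commands are returned as strings, never executed.
    """

    def __init__(self, threshold=4, window=timedelta(minutes=10),
                 ban_for=timedelta(hours=1), year=2017):
        self.threshold = threshold
        self.window = window
        self.ban_for = ban_for
        self.year = year                    # syslog timestamps carry no year
        self.attempts = defaultdict(deque)  # ip -> timestamps inside the window
        self.totals = Counter()             # ip -> failures over the whole log
        self.banned = {}                    # ip -> ban expiry
        self.rules = []                     # iptables commands we would have run

    def parse(self, line):
        """Return (timestamp, user, ip) for a failed-password line, else None."""
        m = FAIL_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{self.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return ts, m["user"], m["ip"]

    def process(self, line):
        """Feed one log line; return the ban rule if this line triggered one."""
        parsed = self.parse(line)
        if parsed is None:
            return None
        ts, _user, ip = parsed
        if ip in self.banned and ts < self.banned[ip]:
            return None  # already dropped at the firewall; nothing new to do
        self.totals[ip] += 1
        q = self.attempts[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()  # forget failures that fell out of the window
        if len(q) >= self.threshold:
            self.banned[ip] = ts + self.ban_for
            q.clear()
            rule = f"iptables -I INPUT -s {ip} -j DROP"
            self.rules.append(rule)
            return rule
        return None

    def expire(self, now):
        """Lift bans whose expiry has passed; return the commands to run."""
        lifted = [ip for ip, until in self.banned.items() if until <= now]
        cmds = []
        for ip in lifted:
            del self.banned[ip]
            cmds.append(f"iptables -D INPUT -s {ip} -j DROP")
        self.rules.extend(cmds)
        return cmds

    def slow_offenders(self, min_total):
        """Addresses with many failures overall that the window never caught."""
        return sorted(ip for ip, n in self.totals.items()
                      if n >= min_total and ip not in self.banned)


def run(log_text, **kwargs):
    """Replay a log through a fresh tracker and return it for inspection."""
    tracker = FailedLoginTracker(**kwargs)
    for line in log_text.splitlines():
        rule = tracker.process(line)
        if rule:
            print(rule)
    return tracker


if __name__ == "__main__":
    t = run(SAMPLE_LOG)
    print("slow offenders:", t.slow_offenders(3))
```

Run as written, the burst from 203.0.113.7 produces one DROP rule on its fourth guess, while 198.51.100.4 never has more than one failure inside any ten-minute window and is only surfaced by `slow_offenders`, which is the longer-horizon view a window-only banner lacks.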