What's the strategy for bad guys guessing a few ssh passwords?
Dan Coutu
coutu at snowy-owl.com
Mon Jun 12 13:27:32 EDT 2017
Insisting on the use of an ssh key instead of login credentials also helps a lot.
Dan
> On Jun 12, 2017, at 13:15, Tom Buskey <tom at buskey.name> wrote:
>
> As Ted said in the 2nd sentence, it's running on a non-standard port. Yes, it helps a lot to reduce garbage in the logs.
>
> Maybe it's not non-standard enough?
>
> sshguard looks interesting. Thanks!
>
> On Mon, Jun 12, 2017 at 12:42 PM, Bruce Dawson <jbd at codemeta.com> wrote:
> I have to second this suggestion - changing the port did wonders for our servers. Of course, as Dan says, it works for script kiddies, not so much against a determined attack on your server.
>
> --Bruce
>
> On 06/12/2017 09:59 AM, Dan Garthwaite wrote:
>> If you can change the port number it does wonders against the script kiddies.
>>
>> Just remember to add the new port, restart sshd, then remove the old port. :)
>>
>> On Sun, Jun 11, 2017 at 1:53 PM, Ted Roche <tedroche at gmail.com> wrote:
>> Thanks, all for the recommendations. I hadn't seen sshguard before;
>> I'll give that a try.
>>
>> I do have Fail2Ban in place, and have customized a number of scripts,
>> mostly for Apache (trying to invoke asp scripts on my LAMP server
>> results in instaban, for example) and it is what is reporting the ssh
>> login failures.
>>
>> I have always seen them, in the 10 years I've had this server running,
>> but the frequency, periodicity and international variety (usually
>> they're all China, Russia, Romania) seemed like there might be
>> something else going on.
>>
>> Be careful out there.
>>
>> On Sun, Jun 11, 2017 at 11:19 AM, Mark Komarinski <mkomarinski at wayga.org> wrote:
>> > sshguard is really good since it'll drop in an iptables rule to block an IP
>> > address after a number of attempts (and prevent knocking on other ports too).
>> >
>> > Yubikey as 2FA is pretty nice too.
>> >
>> > -------- Original message --------
>> > From: Bruce Dawson <jbd at codemeta.com>
>> > Date: 6/11/17 10:58 AM (GMT-05:00)
>> > To: gnhlug-discuss at mail.gnhlug.org
>> > Subject: Re: What's the strategy for bad guys guessing a few ssh passwords?
>> >
>> > sshguard takes care of most of them (especially the high bandwidth ones).
>> >
>> > The black hats don't care - they're looking for vulnerable systems. If
>> > they find one, they'll exploit it (or not).
>> >
>> > Note that a while ago (more than a few years), Comcast used to probe
>> > systems to see if they're vulnerable. Either they don't do that any
>> > more, or contract it out, because I haven't seen probes from any of their
>> > systems in years. This probably holds true for other ISPs, and various
>> > intelligence agencies in the world - both private and public, not to
>> > mention various disreputable enterprises.
>> >
>> > --Bruce
>> >
>> >
>> > On 06/11/2017 10:17 AM, Ted Roche wrote:
>> >> For 36 hours now, one of my clients' servers has been logging ssh
>> >> login attempts from around the world, low volume, persistent, but more
>> >> frequent than usual. sshd is listening on a non-standard port, just to
>> >> minimize the garbage in the logs.
>> >>
>> >> A couple of attempts is normal; we've seen that for years. But this is
>> >> several each hour, and each hour an IP from a different country:
>> >> Belgium, Korea, Switzerland, Bangladesh, France, China, Germany,
>> >> Dallas, Greece. Usernames vary: root, mythtv, rheal, etc.
>> >>
>> >> There are several levels of defense in use: firewalls, intrusion
>> >> detection, log monitoring, etc, so each script gets a few guesses and
>> >> the IP is then rejected.
>> >>
>> >> In theory, the defenses should be sufficient, but I have a concern
>> >> that I'm missing their strategy here. It's not a DDOS, they are very
>> >> low volume. It will take them several millennia to guess enough
>> >> dictionary attack guesses to get through, so what's the point?
>> >>
>> >
>> > _______________________________________________
>> > gnhlug-discuss mailing list
>> > gnhlug-discuss at mail.gnhlug.org
>> > http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
>> >
>>
>>
>>
>> --
>> Ted Roche
>> Ted Roche & Associates, LLC
>> http://www.tedroche.com
>
>
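The thread recommends sshguard and Fail2Ban, both of which count failures per source address and block an IP once it crosses a threshold, while Ted's question is about the opposite shape: a handful of guesses each from a long list of addresses in different countries. The script below is an added example, not code from anyone in the thread and not sshguard's or Fail2Ban's own logic. It parses constructed sshd failure lines in the standard auth.log format (addresses from the RFC 5737 documentation ranges, year assumed since syslog timestamps carry none), applies a per-IP rule of the maxretry/findtime kind, and then applies a second, aggregate rule that counts distinct failing sources per hour. The threshold values are assumptions chosen for the sample, not recommended settings.

```python
"""Per-source vs. aggregate counting of sshd password failures (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Standard sshd failure line as written to /var/log/auth.log on a Linux host
# (syslog format). Both the "invalid user" and the known-user form match.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

YEAR = 2017  # assumption: syslog timestamps carry no year

# Constructed sample: one noisy host hammering within seconds, one accepted
# key login, then two guesses each from five different addresses over an hour.
SAMPLE_LOG = """\
Jun 11 09:00:12 gw sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jun 11 09:00:15 gw sshd[2104]: Failed password for root from 203.0.113.7 port 40118 ssh2
Jun 11 09:00:19 gw sshd[2107]: Failed password for invalid user admin from 203.0.113.7 port 40125 ssh2
Jun 11 09:00:22 gw sshd[2110]: Failed password for invalid user admin from 203.0.113.7 port 40131 ssh2
Jun 11 09:00:26 gw sshd[2113]: Accepted publickey for ted from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:abc
Jun 11 10:03:41 gw sshd[2201]: Failed password for root from 198.51.100.11 port 33001 ssh2
Jun 11 10:03:44 gw sshd[2203]: Failed password for invalid user mythtv from 198.51.100.11 port 33002 ssh2
Jun 11 10:12:05 gw sshd[2210]: Failed password for root from 198.51.100.23 port 44001 ssh2
Jun 11 10:12:09 gw sshd[2212]: Failed password for invalid user rheal from 198.51.100.23 port 44002 ssh2
Jun 11 10:21:30 gw sshd[2220]: Failed password for invalid user mythtv from 198.51.100.37 port 55001 ssh2
Jun 11 10:21:33 gw sshd[2222]: Failed password for root from 198.51.100.37 port 55002 ssh2
Jun 11 10:35:17 gw sshd[2230]: Failed password for root from 198.51.100.41 port 36001 ssh2
Jun 11 10:35:20 gw sshd[2232]: Failed password for invalid user rheal from 198.51.100.41 port 36002 ssh2
Jun 11 10:48:52 gw sshd[2240]: Failed password for invalid user admin from 198.51.100.58 port 47001 ssh2
Jun 11 10:48:56 gw sshd[2242]: Failed password for root from 198.51.100.58 port 47002 ssh2
"""


def parse_failures(text, year=YEAR):
    """Return [(timestamp, username, source_ip), ...] for failed-password lines."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are skipped
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m["user"], m["ip"]))
    return events


def per_ip_bans(events, maxretry=3, findtime=timedelta(minutes=10)):
    """Per-source rule: an IP is banned once it accumulates maxretry failures
    inside any findtime-long window (sliding window over that IP's failures)."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    banned = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(maxretry - 1, len(stamps)):
            if stamps[i] - stamps[i - maxretry + 1] <= findtime:
                banned.add(ip)
                break
    return banned


def distributed_alerts(events, window=timedelta(hours=1), min_sources=4):
    """Aggregate rule: flag each fixed window in which at least min_sources
    distinct IPs failed, however few attempts each of them made.
    Returns [(window_start, distinct_ips, attempts, sorted_usernames), ...]."""
    buckets = defaultdict(lambda: {"ips": set(), "users": set(), "attempts": 0})
    for ts, user, ip in events:
        start = ts - (ts - datetime.min) % window  # floor ts onto the window grid
        b = buckets[start]
        b["ips"].add(ip)
        b["users"].add(user)
        b["attempts"] += 1
    return sorted(
        (start, len(b["ips"]), b["attempts"], sorted(b["users"]))
        for start, b in buckets.items()
        if len(b["ips"]) >= min_sources
    )


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    print("per-IP bans:", sorted(per_ip_bans(evs)))
    for start, n_ips, n_att, users in distributed_alerts(evs):
        print(f"{start:%b %d %H:%M}: {n_ips} sources, {n_att} failures, users {users}")
```

On the sample, the per-IP rule bans only 203.0.113.7; every one of the 198.51.100.x hosts stays under maxretry and is never blocked, which is the behaviour Ted is seeing ("each script gets a few guesses and the IP is then rejected" or, here, not even that). The hourly aggregate view fires on the same hour anyway, because five distinct sources failed against the same small set of usernames. Tuning maxretry down to 2 does catch the slow hosts in this sample, at the cost of banning anyone who mistypes a password once, so the aggregate count is usually the more useful signal to alert on, even if the action taken is just to look rather than to block.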