What's the strategy for bad guys guessing a few ssh passwords?

Tom Buskey tom at buskey.name
Tue Jun 13 12:56:15 EDT 2017


On Tue, Jun 13, 2017 at 12:39 PM, Joshua Judson Rosen <
rozzin at hackerposse.com> wrote:

> On 06/12/2017 01:27 PM, Dan Coutu wrote:
> >> On Jun 12, 2017, at 13:15, Tom Buskey <tom at buskey.name <mailto:
> tom at buskey.name>> wrote:
> >>
> >> As Ted said in the 2nd sentence, it's running on a non-standard port.
> Yes, it helps a lot to reduce garbage in the logs.
> >
>
> But adding liberal ignore rules into logcheck (or whatever) helps a lot
> with logspam ;)
>
> That's probably a better solution to deal with log spam.


>
> >> Maybe it's not non-standard enough?
>
> Portscans are easy enough, especially using the new `horde of slow brutes'
> techniques from the 1990s.... I've always been impressed with how _few_
> of those I saw, and by the fact that moving services to nonstandard ports
> was as effective as it was at reducing the connection-attempts to those
> services.
>
> The whole "I have ssh on a secret port to secure it against attacks" thing
> has always seemed fundamentally bogus to me: the _premise_ of ssh itself is
>

Yes, security by obscurity.  Changing the port *is* like hiding the key
under a rock instead of the doormat.

Removing the identification sent back is similar.  I've configured a few
web servers to not reply Apache version x.y.z on OS...  Why make it easy to
figure out the proper exploit for your server?


> that you're supposed to be able to assume that the network is in fact
> extremely hostile--more hostile than any network where
> `hiding in a non-standard port' could ever be useful.
>

The only reason to put any service on a non-standard port is to force the
attackers to spend resources finding it.  In the days of botnets, they have
infinite resources to find and attack it.

It does remove those attackers w/o resources from attacking your service.
You could argue it's a layer to reduce the surface: you must have a port
scanning tool to attack.



Having the port closed except when in use would reduce the attack surface.
There are various ways to do this: open by time, only when another port is
contacted, after port knocking, only certain sources.

Back in the modem days, I had used a system that would dial you up at your
preregistered number after you called it from that number.



>
>
> >> On Mon, Jun 12, 2017 at 12:42 PM, Bruce Dawson <jbd at codemeta.com
> <mailto:jbd at codemeta.com>> wrote:
> >>
> >>     I have to second this suggestion - changing the port did wonders
> for our servers. Of course, as Dan says, it works
> >>     for script kiddies, not so much against a determined attack on your
> server.
> >>
> >>     --Bruce
> >>
> >>
> >>     On 06/12/2017 09:59 AM, Dan Garthwaite wrote:
> >>>     If you can change the port number it does wonders against the
> script kiddies.
> >>>
> >>>     Just remember to add the new port, restart sshd, then remove the
> old port.  :)
> >>>
> >>>     On Sun, Jun 11, 2017 at 1:53 PM, Ted Roche <tedroche at gmail.com
> <mailto:tedroche at gmail.com>> wrote:
> >>>
> >>>         Thanks, all for the recommendations. I hadn't seen sshguard
> before;
> >>>         I'll give that a try.
> >>>
> >>>         I do have Fail2Ban in place, and have customized a number of
> scripts,
> >>>         mostly for Apache (trying to invoke asp scripts on my LAMP
> server
> >>>         results in instaban, for example) and it is what is reporting
> the ssh
> >>>         login failures.
> >>>
> >>>         I have always seen them, in the 10 years I've had this server
> running,
> >>>         but the frequency, periodicity and international variety
> (usually
> >>>         they're all China, Russia, Romania) seemed like there might be
> >>>         something else going on.
> >>>
> >>>         Be careful out there.
> >>>
> >>>         On Sun, Jun 11, 2017 at 11:19 AM, Mark Komarinski <
> mkomarinski at wayga.org <mailto:mkomarinski at wayga.org>> wrote:
> >>>         > sshguard is really good since it'll drop in a iptables rule
> to block an IP
> >>>         > address after a number of attempts (and prevent knocking on
> other ports too).
> >>>         >
> >>>         > Yubikey as 2FA is pretty nice too.
> >>>         >
> >>>         > -------- Original message --------
> >>>         > From: Bruce Dawson <jbd at codemeta.com <mailto:
> jbd at codemeta.com>>
> >>>         > Date: 6/11/17 10:58 AM (GMT-05:00)
> >>>         > To: gnhlug-discuss at mail.gnhlug.org <mailto:
> gnhlug-discuss at mail.gnhlug.org>
> >>>         > Subject: Re: What's the strategy for bad guys guessing a few
> ssh passwords?
> >>>         >
> >>>         > sshguard takes care of most of them (especially the high
> bandwidth ones).
> >>>         >
> >>>         > The black hats don't care - they're looking for vulnerable
> systems. If
> >>>         > they find one, they'll exploit it (or not).
> >>>         >
> >>>         > Note that a while ago (more than a few years), comcast used
> to probe
> >>>         > systems to see if they're vulnerable. Either they don't do
> that any
> >>>         > more, or contract it out because I haven't seen probes from
> any of their
> >>>         > systems in years. This probably holds true for other ISPs,
> and various
> >>>         > intelligence agencies in the world - both private and
> public, not to
> >>>         > mention various disreputable enterprises.
> >>>         >
> >>>         > --Bruce
> >>>         >
> >>>         >
> >>>         > On 06/11/2017 10:17 AM, Ted Roche wrote:
> >>>         >> For 36 hours now, one of my clients' servers has been
> logging ssh
> >>>         >> login attempts from around the world, low volume,
> persistent, but more
> >>>         >> frequent than usual. sshd is listening on a non-standard
> port, just to
> >>>         >> minimize the garbage in the logs.
> >>>         >>
> >>>         >> A couple of attempts is normal; we've seen that for years.
> But this is
> >>>         >> several each hour, and each hour an IP from a different
> country:
> >>>         >> Belgium, Korea, Switzerland, Bangladesh, France, China,
> Germany,
> >>>         >> Dallas, Greece. Usernames vary: root, mythtv, rheal, etc.
> >>>         >>
> >>>         >> There's several levels of defense in use: firewalls,
> intrusion
> >>>         >> detection, log monitoring, etc, so each script gets a few
> guesses and
> >>>         >> the IP is then rejected.
> >>>         >>
> >>>         >> In theory, the defenses should be sufficient, but I have a
> concern
> >>>         >> that I'm missing their strategy here. It's not a DDOS, they
> are very
> >>>         >> low volume. It will take them several millennia to guess
> enough
> >>>         >> dictionary attack guesses to get through, so what's the
> point?
>
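As an added illustration (not code from the thread), a small Python detector that reads sshd "Failed password" lines, applies the per-IP threshold that fail2ban and sshguard use, and separately flags usernames probed from several different sources: the low-volume, many-countries pattern Ted describes, which per-IP banning alone never trips on. The log lines, year, thresholds and function names are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines (RFC 5737 test addresses); syslog omits the year.
SAMPLE_LOG = """\
Jun 11 10:01:12 srv sshd[2231]: Failed password for root from 198.51.100.7 port 40211 ssh2
Jun 11 10:01:15 srv sshd[2231]: Failed password for root from 198.51.100.7 port 40211 ssh2
Jun 11 10:01:19 srv sshd[2231]: Failed password for root from 198.51.100.7 port 40211 ssh2
Jun 11 11:07:44 srv sshd[2302]: Failed password for invalid user mythtv from 203.0.113.20 port 51234 ssh2
Jun 11 12:14:03 srv sshd[2388]: Failed password for invalid user mythtv from 192.0.2.99 port 33012 ssh2
Jun 11 13:40:00 srv sshd[2460]: Accepted publickey for ted from 192.0.2.10 port 50022 ssh2
Jun 11 14:30:27 srv sshd[2501]: Failed password for root from 198.51.100.200 port 60123 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2017):
    """Return (timestamp, username, source_ip) for each failed login line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are not failures
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events

def per_ip_bans(events, max_fails=3, window=timedelta(minutes=10)):
    """fail2ban-style rule: ban an IP after max_fails failures inside window."""
    attempts = defaultdict(list)
    banned = set()
    for ts, _user, ip in sorted(events):
        attempts[ip] = [t for t in attempts[ip] if ts - t <= window] + [ts]
        if len(attempts[ip]) >= max_fails:
            banned.add(ip)
    return banned

def distributed_targets(events, min_sources=2):
    """Usernames tried from >= min_sources distinct IPs: each source stays
    under the per-IP threshold, so only the cross-IP view reveals the campaign."""
    sources = defaultdict(set)
    for _ts, user, ip in events:
        sources[user].add(ip)
    return {u: len(ips) for u, ips in sources.items() if len(ips) >= min_sources}
```

Run over a real log, the second function is the one to alert on when the per-IP ban list stays short but the same handful of usernames keeps appearing from new addresses.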