<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>I have to second this suggestion - changing the port did wonders
for our servers. Of course, as Dan says, it works for script
kiddies, not so much against a determined attack on your server.</p>
<p>--Bruce<br>
</p>
<br>
<div class="moz-cite-prefix">On 06/12/2017 09:59 AM, Dan Garthwaite
wrote:<br>
</div>
<blockquote
cite="mid:CAGrNZ+kMo+Nsm3DY_rusKbT=YXjPCX+-riRtOeqFG1uAq9q3JQ@mail.gmail.com"
type="cite">
<div dir="ltr">If you can change the port number it does wonders
against the script kiddies.
<div><br>
</div>
<div>Just remember to add the new port, restart sshd, then
remove the old port. :)</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Sun, Jun 11, 2017 at 1:53 PM, Ted
Roche <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:tedroche@gmail.com" target="_blank">tedroche@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Thanks,
all for the recommendations. I hadn't seen sshguard before;<br>
I'll give that a try.<br>
<br>
I do have Fail2Ban in place, and have customized a number of
scripts,<br>
mostly for Apache (trying to invoke asp scripts on my LAMP
server<br>
results in instaban, for example) and it is what it
reporting the ssh<br>
login failures.<br>
<br>
I have always seen them, in the 10 years I've had this
server running,<br>
but the frequency, periodicity and international variety
(usually<br>
they're all China, Russian, Romania) seemed like there might
be<br>
something else going on.<br>
<br>
Be careful out there.<br>
<div class="HOEnZb">
<div class="h5"><br>
On Sun, Jun 11, 2017 at 11:19 AM, Mark Komarinski <<a
moz-do-not-send="true"
href="mailto:mkomarinski@wayga.org">mkomarinski@wayga.org</a>>
wrote:<br>
> sshguard is really good since it'll drop in a
iptables rule to block an IP<br>
> address after a number of attemps (and prevent
knocking on other ports too).<br>
><br>
> Yubikey as 2FA is pretty nice too.<br>
><br>
> -------- Original message --------<br>
> From: Bruce Dawson <<a moz-do-not-send="true"
href="mailto:jbd@codemeta.com">jbd@codemeta.com</a>><br>
> Date: 6/11/17 10:58 AM (GMT-05:00)<br>
> To: <a moz-do-not-send="true"
href="mailto:gnhlug-discuss@mail.gnhlug.org">gnhlug-discuss@mail.gnhlug.org</a><br>
> Subject: Re: What's the strategy for bad guys
guessing a few ssh passwords?<br>
><br>
> sshguard takes care of most of them (especially the
high bandwidth ones).<br>
><br>
> The black hats don't care - they're looking for
vulnerable systems. If<br>
> they find one, they'll exploit it (or not).<br>
><br>
> Note that a while ago (more than a few years),
comcast used to probe<br>
> systems to see if they're vulnerable. Either they
don't do that any<br>
> more, or contract it out because I haven't see
probes from any of their<br>
> systems in years. This probably holds true for
other ISPs, and various<br>
> intelligence agencies in the world - both private
and public, not to<br>
> mention various disreputable enterprises.<br>
><br>
> --Bruce<br>
><br>
><br>
> On 06/11/2017 10:17 AM, Ted Roche wrote:<br>
>> For 36 hours now, one of my clients' servers
has been logging ssh<br>
>> login attempts from around the world, low
volume, persistent, but more<br>
>> frequent than usual. sshd is listening on a
non-standard port, just to<br>
>> minimize the garbage in the logs.<br>
>><br>
>> A couple of attempts is normal; we've seen that
for years. But this is<br>
>> several each hour, and each hour an IP from a
different country:<br>
>> Belgium, Korea, Switzerland, Bangladesh,
France, China, Germany,<br>
>> Dallas, Greece. Usernames vary: root, mythtv,
rheal, etc.<br>
>><br>
>> There's several levels of defense in use:
firewalls, intrusion<br>
>> detection, log monitoring, etc, so each script
gets a few guesses and<br>
>> the IP is then rejected.<br>
>><br>
>> In theory, the defenses should be sufficient,
but I have a concern<br>
>> that I'm missing their strategy here. It's not
a DDOS, they are very<br>
>> low volume. It will take them several millennia
to guess enough<br>
>> dictionary attack guesses to get through, so
what's the point?<br>
>><br>
><br>
> ______________________________<wbr>_________________<br>
> gnhlug-discuss mailing list<br>
> <a moz-do-not-send="true"
href="mailto:gnhlug-discuss@mail.gnhlug.org">gnhlug-discuss@mail.gnhlug.org</a><br>
> <a moz-do-not-send="true"
href="http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/"
rel="noreferrer" target="_blank">http://mail.gnhlug.org/<wbr>mailman/listinfo/gnhlug-<wbr>discuss/</a><br>
><br>
> ______________________________<wbr>_________________<br>
> gnhlug-discuss mailing list<br>
> <a moz-do-not-send="true"
href="mailto:gnhlug-discuss@mail.gnhlug.org">gnhlug-discuss@mail.gnhlug.org</a><br>
> <a moz-do-not-send="true"
href="http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/"
rel="noreferrer" target="_blank">http://mail.gnhlug.org/<wbr>mailman/listinfo/gnhlug-<wbr>discuss/</a><br>
><br>
<br>
<br>
<br>
</div>
</div>
<span class="im HOEnZb">--<br>
Ted Roche<br>
Ted Roche & Associates, LLC<br>
<a moz-do-not-send="true" href="http://www.tedroche.com"
rel="noreferrer" target="_blank">http://www.tedroche.com</a><br>
</span>
<div class="HOEnZb">
<div class="h5">______________________________<wbr>_________________<br>
gnhlug-discuss mailing list<br>
<a moz-do-not-send="true"
href="mailto:gnhlug-discuss@mail.gnhlug.org">gnhlug-discuss@mail.gnhlug.org</a><br>
<a moz-do-not-send="true"
href="http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/"
rel="noreferrer" target="_blank">http://mail.gnhlug.org/<wbr>mailman/listinfo/gnhlug-<wbr>discuss/</a><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
gnhlug-discuss mailing list
<a class="moz-txt-link-abbreviated" href="mailto:gnhlug-discuss@mail.gnhlug.org">gnhlug-discuss@mail.gnhlug.org</a>
<a class="moz-txt-link-freetext" href="http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/">http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/</a>
</pre>
</blockquote>
<br>
</body>
</html>