<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Insisting on the use of an ssh key instead of login credentials also helps a lot.<div class=""><br class=""></div><div class="">Dan</div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Jun 12, 2017, at 13:15, Tom Buskey <<a href="mailto:tom@buskey.name" class="">tom@buskey.name</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">As Ted said in the 2nd sentence, it's running on a non-standard port. Yes, it helps lot to reduce garbage in the logs.<div class=""><br class=""></div><div class="">Maybe it's not non-standard enough?</div><div class=""><br class=""></div><div class="">sshguard looks interesting. Thanks!</div></div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Mon, Jun 12, 2017 at 12:42 PM, Bruce Dawson <span dir="ltr" class=""><<a href="mailto:jbd@codemeta.com" target="_blank" class="">jbd@codemeta.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000" class=""><p class="">I have to second this suggestion - changing the port did wonders
for our servers. Of course, as Dan says, it works for script
kiddies, not so much against a determined attack on your server.</p><span class="HOEnZb"><font color="#888888" class=""><p class="">--Bruce<br class="">
</p></font></span><div class=""><div class="h5">
<br class="">
<div class="m_-418521647333471275moz-cite-prefix">On 06/12/2017 09:59 AM, Dan Garthwaite
wrote:<br class="">
</div>
<blockquote type="cite" class="">
<div dir="ltr" class="">If you can change the port number it does wonders
against the script kiddies.
<div class=""><br class="">
</div>
<div class="">Just remember to add the new port, restart sshd, then
remove the old port. :)</div>
</div>
<div class="gmail_extra"><br class="">
<div class="gmail_quote">On Sun, Jun 11, 2017 at 1:53 PM, Ted
Roche <span dir="ltr" class=""><<a href="mailto:tedroche@gmail.com" target="_blank" class="">tedroche@gmail.com</a>></span>
wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Thanks,
all for the recommendations. I hadn't seen sshguard before;<br class="">
I'll give that a try.<br class="">
<br class="">
I do have Fail2Ban in place, and have customized a number of
scripts,<br class="">
mostly for Apache (trying to invoke asp scripts on my LAMP
server<br class="">
results in instaban, for example) and it is what it
reporting the ssh<br class="">
login failures.<br class="">
<br class="">
I have always seen them, in the 10 years I've had this
server running,<br class="">
but the frequency, periodicity and international variety
(usually<br class="">
they're all China, Russian, Romania) seemed like there might
be<br class="">
something else going on.<br class="">
<br class="">
Be careful out there.<br class="">
<div class="m_-418521647333471275HOEnZb">
<div class="m_-418521647333471275h5"><br class="">
On Sun, Jun 11, 2017 at 11:19 AM, Mark Komarinski <<a href="mailto:mkomarinski@wayga.org" target="_blank" class="">mkomarinski@wayga.org</a>>
wrote:<br class="">
> sshguard is really good since it'll drop in a
iptables rule to block an IP<br class="">
> address after a number of attemps (and prevent
knocking on other ports too).<br class="">
><br class="">
> Yubikey as 2FA is pretty nice too.<br class="">
><br class="">
> -------- Original message --------<br class="">
> From: Bruce Dawson <<a href="mailto:jbd@codemeta.com" target="_blank" class="">jbd@codemeta.com</a>><br class="">
> Date: 6/11/17 10:58 AM (GMT-05:00)<br class="">
> To: <a href="mailto:gnhlug-discuss@mail.gnhlug.org" target="_blank" class="">gnhlug-discuss@mail.gnhlug.org</a><br class="">
> Subject: Re: What's the strategy for bad guys
guessing a few ssh passwords?<br class="">
><br class="">
> sshguard takes care of most of them (especially the
high bandwidth ones).<br class="">
><br class="">
> The black hats don't care - they're looking for
vulnerable systems. If<br class="">
> they find one, they'll exploit it (or not).<br class="">
><br class="">
> Note that a while ago (more than a few years),
comcast used to probe<br class="">
> systems to see if they're vulnerable. Either they
don't do that any<br class="">
> more, or contract it out because I haven't see
probes from any of their<br class="">
> systems in years. This probably holds true for
other ISPs, and various<br class="">
> intelligence agencies in the world - both private
and public, not to<br class="">
> mention various disreputable enterprises.<br class="">
><br class="">
> --Bruce<br class="">
><br class="">
><br class="">
> On 06/11/2017 10:17 AM, Ted Roche wrote:<br class="">
>> For 36 hours now, one of my clients' servers
has been logging ssh<br class="">
>> login attempts from around the world, low
volume, persistent, but more<br class="">
>> frequent than usual. sshd is listening on a
non-standard port, just to<br class="">
>> minimize the garbage in the logs.<br class="">
>><br class="">
>> A couple of attempts is normal; we've seen that
for years. But this is<br class="">
>> several each hour, and each hour an IP from a
different country:<br class="">
>> Belgium, Korea, Switzerland, Bangladesh,
France, China, Germany,<br class="">
>> Dallas, Greece. Usernames vary: root, mythtv,
rheal, etc.<br class="">
>><br class="">
>> There's several levels of defense in use:
firewalls, intrusion<br class="">
>> detection, log monitoring, etc, so each script
gets a few guesses and<br class="">
>> the IP is then rejected.<br class="">
>><br class="">
>> In theory, the defenses should be sufficient,
but I have a concern<br class="">
>> that I'm missing their strategy here. It's not
a DDOS, they are very<br class="">
>> low volume. It will take them several millennia
to guess enough<br class="">
>> dictionary attack guesses to get through, so
what's the point?<br class="">
>><br class="">
><br class="">
> ______________________________<wbr class="">_________________<br class="">
> gnhlug-discuss mailing list<br class="">
> <a href="mailto:gnhlug-discuss@mail.gnhlug.org" target="_blank" class="">gnhlug-discuss@mail.gnhlug.org</a><br class="">
> <a href="http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/" rel="noreferrer" target="_blank" class="">http://mail.gnhlug.org/mailman<wbr class="">/listinfo/gnhlug-discuss/</a><br class="">
><br class="">
> ______________________________<wbr class="">_________________<br class="">
> gnhlug-discuss mailing list<br class="">
> <a href="mailto:gnhlug-discuss@mail.gnhlug.org" target="_blank" class="">gnhlug-discuss@mail.gnhlug.org</a><br class="">
> <a href="http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/" rel="noreferrer" target="_blank" class="">http://mail.gnhlug.org/mailman<wbr class="">/listinfo/gnhlug-discuss/</a><br class="">
><br class="">
<br class="">
<br class="">
<br class="">
</div>
</div>
<span class="m_-418521647333471275im m_-418521647333471275HOEnZb">--<br class="">
Ted Roche<br class="">
Ted Roche & Associates, LLC<br class="">
<a href="http://www.tedroche.com/" rel="noreferrer" target="_blank" class="">http://www.tedroche.com</a><br class="">
</span>
<div class="m_-418521647333471275HOEnZb">
<div class="m_-418521647333471275h5">______________________________<wbr class="">_________________<br class="">
gnhlug-discuss mailing list<br class="">
<a href="mailto:gnhlug-discuss@mail.gnhlug.org" target="_blank" class="">gnhlug-discuss@mail.gnhlug.org</a><br class="">
<a href="http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/" rel="noreferrer" target="_blank" class="">http://mail.gnhlug.org/mailman<wbr class="">/listinfo/gnhlug-discuss/</a><br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
<br class="">
<fieldset class="m_-418521647333471275mimeAttachmentHeader"></fieldset>
<br class="">
<pre class="">______________________________<wbr class="">_________________
gnhlug-discuss mailing list
<a class="m_-418521647333471275moz-txt-link-abbreviated" href="mailto:gnhlug-discuss@mail.gnhlug.org" target="_blank">gnhlug-discuss@mail.gnhlug.org</a>
<a class="m_-418521647333471275moz-txt-link-freetext" href="http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/" target="_blank">http://mail.gnhlug.org/<wbr class="">mailman/listinfo/gnhlug-<wbr class="">discuss/</a>
</pre>
</blockquote>
<br class="">
</div></div></div>
<br class="">______________________________<wbr class="">_________________<br class="">
gnhlug-discuss mailing list<br class="">
<a href="mailto:gnhlug-discuss@mail.gnhlug.org" class="">gnhlug-discuss@mail.gnhlug.org</a><br class="">
<a href="http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/" rel="noreferrer" target="_blank" class="">http://mail.gnhlug.org/<wbr class="">mailman/listinfo/gnhlug-<wbr class="">discuss/</a><br class="">
<br class=""></blockquote></div><br class=""></div>
_______________________________________________<br class="">gnhlug-discuss mailing list<br class=""><a href="mailto:gnhlug-discuss@mail.gnhlug.org" class="">gnhlug-discuss@mail.gnhlug.org</a><br class="">http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/<br class=""></div></blockquote></div><br class=""></div></body></html>