<div dir="ltr">As Ted said in the 2nd sentence, it's running on a non-standard port. Yes, it helps a lot to reduce garbage in the logs.<div><br></div><div>Maybe it's not non-standard enough?</div><div><br></div><div>sshguard looks interesting. Thanks!</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jun 12, 2017 at 12:42 PM, Bruce Dawson <span dir="ltr"><<a href="mailto:jbd@codemeta.com" target="_blank">jbd@codemeta.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>I have to second this suggestion - changing the port did wonders
for our servers. Of course, as Dan says, it works for script
kiddies, not so much against a determined attack on your server.</p><span class="HOEnZb"><font color="#888888">
<p>--Bruce<br>
</p></font></span><div><div class="h5">
<br>
<div class="m_-418521647333471275moz-cite-prefix">On 06/12/2017 09:59 AM, Dan Garthwaite
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">If you can change the port number it does wonders
against the script kiddies.
<div><br>
</div>
<div>Just remember to add the new port, restart sshd, then
remove the old port. :)</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Sun, Jun 11, 2017 at 1:53 PM, Ted
Roche <span dir="ltr"><<a href="mailto:tedroche@gmail.com" target="_blank">tedroche@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Thanks,
all for the recommendations. I hadn't seen sshguard before;<br>
I'll give that a try.<br>
<br>
I do have Fail2Ban in place, and have customized a number of
scripts,<br>
mostly for Apache (trying to invoke asp scripts on my LAMP
server<br>
results in instaban, for example) and it is what is
reporting the ssh<br>
login failures.<br>
<br>
I have always seen them, in the 10 years I've had this
server running,<br>
but the frequency, periodicity and international variety
(usually<br>
they're all China, Russia, Romania) seemed like there might
be<br>
something else going on.<br>
<br>
Be careful out there.<br>
<div class="m_-418521647333471275HOEnZb">
<div class="m_-418521647333471275h5"><br>
On Sun, Jun 11, 2017 at 11:19 AM, Mark Komarinski <<a href="mailto:mkomarinski@wayga.org" target="_blank">mkomarinski@wayga.org</a>>
wrote:<br>
> sshguard is really good since it'll drop in an
iptables rule to block an IP<br>
> address after a number of attempts (and prevent
knocking on other ports too).<br>
><br>
> Yubikey as 2FA is pretty nice too.<br>
><br>
> -------- Original message --------<br>
> From: Bruce Dawson <<a href="mailto:jbd@codemeta.com" target="_blank">jbd@codemeta.com</a>><br>
> Date: 6/11/17 10:58 AM (GMT-05:00)<br>
> To: <a href="mailto:gnhlug-discuss@mail.gnhlug.org" target="_blank">gnhlug-discuss@mail.gnhlug.org</a><br>
> Subject: Re: What's the strategy for bad guys
guessing a few ssh passwords?<br>
><br>
> sshguard takes care of most of them (especially the
high bandwidth ones).<br>
><br>
> The black hats don't care - they're looking for
vulnerable systems. If<br>
> they find one, they'll exploit it (or not).<br>
><br>
> Note that a while ago (more than a few years),
comcast used to probe<br>
> systems to see if they're vulnerable. Either they
don't do that any<br>
> more, or contract it out because I haven't seen
probes from any of their<br>
> systems in years. This probably holds true for
other ISPs, and various<br>
> intelligence agencies in the world - both private
and public, not to<br>
> mention various disreputable enterprises.<br>
><br>
> --Bruce<br>
><br>
><br>
> On 06/11/2017 10:17 AM, Ted Roche wrote:<br>
>> For 36 hours now, one of my clients' servers
has been logging ssh<br>
>> login attempts from around the world, low
volume, persistent, but more<br>
>> frequent than usual. sshd is listening on a
non-standard port, just to<br>
>> minimize the garbage in the logs.<br>
>><br>
>> A couple of attempts is normal; we've seen that
for years. But this is<br>
>> several each hour, and each hour an IP from a
different country:<br>
>> Belgium, Korea, Switzerland, Bangladesh,
France, China, Germany,<br>
>> Dallas, Greece. Usernames vary: root, mythtv,
rheal, etc.<br>
>><br>
>> There are several levels of defense in use:
firewalls, intrusion<br>
>> detection, log monitoring, etc, so each script
gets a few guesses and<br>
>> the IP is then rejected.<br>
>><br>
>> In theory, the defenses should be sufficient,
but I have a concern<br>
>> that I'm missing their strategy here. It's not
a DDOS, they are very<br>
>> low volume. It will take them several millennia
to guess enough<br>
>> dictionary attack guesses to get through, so
what's the point?<br>
>><br>
><br>
> ______________________________<wbr>_________________<br>
> gnhlug-discuss mailing list<br>
> <a href="mailto:gnhlug-discuss@mail.gnhlug.org" target="_blank">gnhlug-discuss@mail.gnhlug.org</a><br>
> <a href="http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/" rel="noreferrer" target="_blank">http://mail.gnhlug.org/mailman<wbr>/listinfo/gnhlug-discuss/</a><br>
><br>
<br>
<br>
<br>
</div>
</div>
<span class="m_-418521647333471275im m_-418521647333471275HOEnZb">--<br>
Ted Roche<br>
Ted Roche & Associates, LLC<br>
<a href="http://www.tedroche.com" rel="noreferrer" target="_blank">http://www.tedroche.com</a><br>
</span>
<div class="m_-418521647333471275HOEnZb">
<div class="m_-418521647333471275h5">
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
</div></div></div>
<br></blockquote></div><br></div>