<div dir="ltr">There is no security in obscurity - what changing the port offers is orders of magnitude less noise in the logs. If you or your tools never look at the logs than it understandably doesn't matter one whit to you. However if you are trying to keep on top of things with log analyzers, OSSEC, elasticsearch, etc, it is on the MUST DO list.</div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jun 13, 2017 at 12:39 PM, Joshua Judson Rosen <span dir="ltr"><<a href="mailto:rozzin@hackerposse.com" target="_blank">rozzin@hackerposse.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 06/12/2017 01:27 PM, Dan Coutu wrote:<br>
<span class="">>> On Jun 12, 2017, at 13:15, Tom Buskey <<a href="mailto:tom@buskey.name">tom@buskey.name</a> <mailto:<a href="mailto:tom@buskey.name">tom@buskey.name</a>>> wrote:<br>
>><br>
>> As Ted said in the 2nd sentence, it's running on a non-standard port. Yes, it helps lot to reduce garbage in the logs.<br>
><br>
</span><span class="">> Insisting on the use of an ssh key instead of login credentials also helps a lot.<br>
<br>
</span>Helps with the security, anyway; and not blacklisting based on source-address<br>
means that you'll never be locked out of your own server just because<br>
some machine at the hotel where you're staying is (or has been) part of<br>
the communist party^W^W^W a botnet.<br>
<br>
*Doesn't* help cut down on logspam. ;)<br>
<br>
But adding liberal ignore rules into logcheck (or whatever) helps a lot with logspam ;)<br>
<br>
I don't care about the probes of nonexistent accounts, for example;<br>
I just care about attempts on accounts that someone/something might actually<br>
be able to log into if they somehow got a compromised key;<br>
so I ignore attempts on nonexistent logins--and many usernames that do exist<br>
but aren't able to _log in_, and I explicitly monitor for things like attempts<br>
on my own specific username....<br>
<span class=""><br>
>> Maybe it's not non-standard enough?<br>
<br>
</span>Portscans are easy enough, especially using the new `horde of slow brutes'<br>
techniques from the 1990s.... I've always been impressed with how _few_<br>
of those I saw, and by the fact that moving services to nonstandard ports<br>
was as effective as it was at reducing the connection-attempts to those services.<br>
<br>
The whole "I have ssh on a secret port to secure it against attacks" thing<br>
has always seemed fundamentally bogus to me: the _premise_ of ssh itself is<br>
that you're supposed to be able to assume that the network is in fact<br>
extremely hostile--more hostile than any network where<br>
`hiding in a non-standard port' could ever be useful.<br>
<span class="im HOEnZb"><br>
<br>
>> On Mon, Jun 12, 2017 at 12:42 PM, Bruce Dawson <<a href="mailto:jbd@codemeta.com">jbd@codemeta.com</a> <mailto:<a href="mailto:jbd@codemeta.com">jbd@codemeta.com</a>>> wrote:<br>
>><br>
>> I have to second this suggestion - changing the port did wonders for our servers. Of course, as Dan says, it works<br>
>> for script kiddies, not so much against a determined attack on your server.<br>
>><br>
>> --Bruce<br>
>><br>
>><br>
>> On 06/12/2017 09:59 AM, Dan Garthwaite wrote:<br>
>>> If you can change the port number it does wonders against the script kiddies.<br>
>>><br>
>>> Just remember to add the new port, restart sshd, then remove the old port. :)<br>
>>><br>
</span><span class="im HOEnZb">>>> On Sun, Jun 11, 2017 at 1:53 PM, Ted Roche <<a href="mailto:tedroche@gmail.com">tedroche@gmail.com</a> <mailto:<a href="mailto:tedroche@gmail.com">tedroche@gmail.com</a>>> wrote:<br>
>>><br>
>>> Thanks, all for the recommendations. I hadn't seen sshguard before;<br>
>>> I'll give that a try.<br>
>>><br>
>>> I do have Fail2Ban in place, and have customized a number of scripts,<br>
>>> mostly for Apache (trying to invoke asp scripts on my LAMP server<br>
>>> results in instaban, for example) and it is what it reporting the ssh<br>
>>> login failures.<br>
>>><br>
>>> I have always seen them, in the 10 years I've had this server running,<br>
>>> but the frequency, periodicity and international variety (usually<br>
>>> they're all China, Russian, Romania) seemed like there might be<br>
>>> something else going on.<br>
>>><br>
>>> Be careful out there.<br>
>>><br>
</span><span class="im HOEnZb">>>> On Sun, Jun 11, 2017 at 11:19 AM, Mark Komarinski <<a href="mailto:mkomarinski@wayga.org">mkomarinski@wayga.org</a> <mailto:<a href="mailto:mkomarinski@wayga.org">mkomarinski@wayga.org</a>><wbr>> wrote:<br>
>>> > sshguard is really good since it'll drop in a iptables rule to block an IP<br>
>>> > address after a number of attemps (and prevent knocking on other ports too).<br>
>>> ><br>
>>> > Yubikey as 2FA is pretty nice too.<br>
>>> ><br>
>>> > -------- Original message --------<br>
</span><span class="im HOEnZb">>>> > From: Bruce Dawson <<a href="mailto:jbd@codemeta.com">jbd@codemeta.com</a> <mailto:<a href="mailto:jbd@codemeta.com">jbd@codemeta.com</a>>><br>
>>> > Date: 6/11/17 10:58 AM (GMT-05:00)<br>
</span><div class="HOEnZb"><div class="h5">>>> > To: <a href="mailto:gnhlug-discuss@mail.gnhlug.org">gnhlug-discuss@mail.gnhlug.org</a> <mailto:<a href="mailto:gnhlug-discuss@mail.gnhlug.org">gnhlug-discuss@mail.<wbr>gnhlug.org</a>><br>
>>> > Subject: Re: What's the strategy for bad guys guessing a few ssh passwords?<br>
>>> ><br>
>>> > sshguard takes care of most of them (especially the high bandwidth ones).<br>
>>> ><br>
>>> > The black hats don't care - they're looking for vulnerable systems. If<br>
>>> > they find one, they'll exploit it (or not).<br>
>>> ><br>
>>> > Note that a while ago (more than a few years), comcast used to probe<br>
>>> > systems to see if they're vulnerable. Either they don't do that any<br>
>>> > more, or contract it out because I haven't see probes from any of their<br>
>>> > systems in years. This probably holds true for other ISPs, and various<br>
>>> > intelligence agencies in the world - both private and public, not to<br>
>>> > mention various disreputable enterprises.<br>
>>> ><br>
>>> > --Bruce<br>
>>> ><br>
>>> ><br>
>>> > On 06/11/2017 10:17 AM, Ted Roche wrote:<br>
>>> >> For 36 hours now, one of my clients' servers has been logging ssh<br>
>>> >> login attempts from around the world, low volume, persistent, but more<br>
>>> >> frequent than usual. sshd is listening on a non-standard port, just to<br>
>>> >> minimize the garbage in the logs.<br>
>>> >><br>
>>> >> A couple of attempts is normal; we've seen that for years. But this is<br>
>>> >> several each hour, and each hour an IP from a different country:<br>
>>> >> Belgium, Korea, Switzerland, Bangladesh, France, China, Germany,<br>
>>> >> Dallas, Greece. Usernames vary: root, mythtv, rheal, etc.<br>
>>> >><br>
>>> >> There's several levels of defense in use: firewalls, intrusion<br>
>>> >> detection, log monitoring, etc, so each script gets a few guesses and<br>
>>> >> the IP is then rejected.<br>
>>> >><br>
>>> >> In theory, the defenses should be sufficient, but I have a concern<br>
>>> >> that I'm missing their strategy here. It's not a DDOS, they are very<br>
>>> >> low volume. It will take them several millennia to guess enough<br>
>>> >> dictionary attack guesses to get through, so what's the point?<br>
______________________________<wbr>_________________<br>
gnhlug-discuss mailing list<br>
<a href="mailto:gnhlug-discuss@mail.gnhlug.org">gnhlug-discuss@mail.gnhlug.org</a><br>
<a href="http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/" rel="noreferrer" target="_blank">http://mail.gnhlug.org/<wbr>mailman/listinfo/gnhlug-<wbr>discuss/</a><br>
</div></div></blockquote></div><br></div>