<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jun 13, 2017 at 12:39 PM, Joshua Judson Rosen <span dir="ltr"><<a href="mailto:rozzin@hackerposse.com" target="_blank">rozzin@hackerposse.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 06/12/2017 01:27 PM, Dan Coutu wrote:<br>
<span class="">>> On Jun 12, 2017, at 13:15, Tom Buskey <<a href="mailto:tom@buskey.name">tom@buskey.name</a> <mailto:<a href="mailto:tom@buskey.name">tom@buskey.name</a>>> wrote:<br>
>><br>
>> As Ted said in the 2nd sentence, it's running on a non-standard port. Yes, it helps a lot to reduce garbage in the logs.<br>
><br>
</span></blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">But adding liberal ignore rules into logcheck (or whatever) helps a lot with logspam ;)<br>
<br></blockquote><div>That's probably a better solution to deal with log spam.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
>> Maybe it's not non-standard enough?<br>
<br>
</span>Portscans are easy enough, especially using the new `horde of slow brutes'<br>
techniques from the 1990s.... I've always been impressed with how _few_<br>
of those I saw, and by the fact that moving services to nonstandard ports<br>
was as effective as it was at reducing the connection-attempts to those services.<br>
<br>
The whole "I have ssh on a secret port to secure it against attacks" thing<br>
has always seemed fundamentally bogus to me: the _premise_ of ssh itself is<br></blockquote><div><br></div><div>Yes, security by obscurity. Changing the port *is* like hiding the key under a rock instead of the doormat.</div><div><br></div><div>Removing the identification sent back is similar. I've configured a few web servers to not reply Apache version x.y.z on OS... Why make it easy to figure out the proper exploit for your server?</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
that you're supposed to be able to assume that the network is in fact<br>
extremely hostile--more hostile than any network where<br>
`hiding in a non-standard port' could ever be useful.<br></blockquote><div><br></div><div>The only reason to put any service on a non-standard port is to force the attackers to spend resources finding it. In the days of botnets, they have infinite resources to find and attack it.</div><div><br></div><div>It does remove those attackers w/o resources from attacking your service. You could argue it's a layer to reduce the surface: you must have a port scanning tool to attack.</div><div><br></div><div>Having the port closed except when in use would reduce the attack surface. There are various ways to do this: open by time, only when another port is contacted, after port knocking, only certain sources.</div><div><br></div><div>Back in the modem days, I had used a system that would dial you up at your preregistered number after you called it from that number.</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<span class="im HOEnZb"><br>
<br>
>> On Mon, Jun 12, 2017 at 12:42 PM, Bruce Dawson <<a href="mailto:jbd@codemeta.com">jbd@codemeta.com</a> <mailto:<a href="mailto:jbd@codemeta.com">jbd@codemeta.com</a>>> wrote:<br>
>><br>
>> I have to second this suggestion - changing the port did wonders for our servers. Of course, as Dan says, it works<br>
>> for script kiddies, not so much against a determined attack on your server.<br>
>><br>
>> --Bruce<br>
>><br>
>><br>
>> On 06/12/2017 09:59 AM, Dan Garthwaite wrote:<br>
>>> If you can change the port number it does wonders against the script kiddies.<br>
>>><br>
>>> Just remember to add the new port, restart sshd, then remove the old port. :)<br>
>>><br>
</span><span class="im HOEnZb">>>> On Sun, Jun 11, 2017 at 1:53 PM, Ted Roche <<a href="mailto:tedroche@gmail.com">tedroche@gmail.com</a> <mailto:<a href="mailto:tedroche@gmail.com">tedroche@gmail.com</a>>> wrote:<br>
>>><br>
>>> Thanks, all for the recommendations. I hadn't seen sshguard before;<br>
>>> I'll give that a try.<br>
>>><br>
>>> I do have Fail2Ban in place, and have customized a number of scripts,<br>
>>> mostly for Apache (trying to invoke asp scripts on my LAMP server<br>
>>> results in instaban, for example) and it is what is reporting the ssh<br>
>>> login failures.<br>
>>><br>
>>> I have always seen them, in the 10 years I've had this server running,<br>
>>> but the frequency, periodicity and international variety (usually<br>
>>> they're all China, Russia, Romania) seemed like there might be<br>
>>> something else going on.<br>
>>><br>
>>> Be careful out there.<br>
>>><br>
</span><span class="im HOEnZb">>>> On Sun, Jun 11, 2017 at 11:19 AM, Mark Komarinski <<a href="mailto:mkomarinski@wayga.org">mkomarinski@wayga.org</a> <mailto:<a href="mailto:mkomarinski@wayga.org">mkomarinski@wayga.org</a>>> wrote:<br>
>>> > sshguard is really good since it'll drop in an iptables rule to block an IP<br>
>>> > address after a number of attempts (and prevent knocking on other ports too).<br>
>>> ><br>
>>> > Yubikey as 2FA is pretty nice too.<br>
>>> ><br>
>>> > -------- Original message --------<br>
</span><span class="im HOEnZb">>>> > From: Bruce Dawson <<a href="mailto:jbd@codemeta.com">jbd@codemeta.com</a> <mailto:<a href="mailto:jbd@codemeta.com">jbd@codemeta.com</a>>><br>
>>> > Date: 6/11/17 10:58 AM (GMT-05:00)<br>
</span><div class="HOEnZb"><div class="h5">>>> > To: <a href="mailto:gnhlug-discuss@mail.gnhlug.org">gnhlug-discuss@mail.gnhlug.org</a> <mailto:<a href="mailto:gnhlug-discuss@mail.gnhlug.org">gnhlug-discuss@mail.gnhlug.org</a>><br>
>>> > Subject: Re: What's the strategy for bad guys guessing a few ssh passwords?<br>
>>> ><br>
>>> > sshguard takes care of most of them (especially the high bandwidth ones).<br>
>>> ><br>
>>> > The black hats don't care - they're looking for vulnerable systems. If<br>
>>> > they find one, they'll exploit it (or not).<br>
>>> ><br>
>>> > Note that a while ago (more than a few years), comcast used to probe<br>
>>> > systems to see if they're vulnerable. Either they don't do that any<br>
>>> > more, or contract it out because I haven't seen probes from any of their<br>
>>> > systems in years. This probably holds true for other ISPs, and various<br>
>>> > intelligence agencies in the world - both private and public, not to<br>
>>> > mention various disreputable enterprises.<br>
>>> ><br>
>>> > --Bruce<br>
>>> ><br>
>>> ><br>
>>> > On 06/11/2017 10:17 AM, Ted Roche wrote:<br>
>>> >> For 36 hours now, one of my clients' servers has been logging ssh<br>
>>> >> login attempts from around the world, low volume, persistent, but more<br>
>>> >> frequent than usual. sshd is listening on a non-standard port, just to<br>
>>> >> minimize the garbage in the logs.<br>
>>> >><br>
>>> >> A couple of attempts is normal; we've seen that for years. But this is<br>
>>> >> several each hour, and each hour an IP from a different country:<br>
>>> >> Belgium, Korea, Switzerland, Bangladesh, France, China, Germany,<br>
>>> >> Dallas, Greece. Usernames vary: root, mythtv, rheal, etc.<br>
>>> >><br>
>>> >> There are several levels of defense in use: firewalls, intrusion<br>
>>> >> detection, log monitoring, etc, so each script gets a few guesses and<br>
>>> >> the IP is then rejected.<br>
>>> >><br>
>>> >> In theory, the defenses should be sufficient, but I have a concern<br>
>>> >> that I'm missing their strategy here. It's not a DDOS, they are very<br>
>>> >> low volume. It will take them several millennia to guess enough<br>
>>> >> dictionary attack guesses to get through, so what's the point?<br>
</div></div></blockquote></div><br></div></div>
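As an added example (not code from the thread, nor from sshguard or Fail2Ban), a small Python detector run over constructed sshd log lines: it applies the per-IP ban rule that sshguard and Fail2Ban implement, and then looks for the low-volume, many-source pattern Ted describes, which no single-IP threshold catches. The log lines, hostname and TEST-NET addresses are constructed, and the year is an assumption because syslog omits it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd syslog lines (year omitted, as real syslog does); TEST-NET addresses only.
SAMPLE_LOG = """\
Jun 11 08:02:13 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jun 11 08:02:15 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 51235 ssh2
Jun 11 09:10:41 web1 sshd[2290]: Failed password for invalid user mythtv from 198.51.100.7 port 40112 ssh2
Jun 11 10:17:02 web1 sshd[2355]: Failed password for invalid user rheal from 192.0.2.33 port 33001 ssh2
Jun 11 11:03:59 web1 sshd[2410]: Failed password for root from 203.0.113.77 port 60001 ssh2
Jun 11 11:30:00 web1 sshd[2450]: Accepted publickey for deploy from 192.0.2.10 port 52000 ssh2
Jun 11 12:20:18 web1 sshd[2500]: Failed password for invalid user admin from 198.51.100.200 port 41000 ssh2
Jun 11 12:20:19 web1 sshd[2501]: Failed password for invalid user admin from 198.51.100.200 port 41001 ssh2
Jun 11 12:20:20 web1 sshd[2502]: Failed password for invalid user admin from 198.51.100.200 port 41002 ssh2
"""

FAIL_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")

def parse_failures(text, year=2017):
    """Return a time-sorted list of (datetime, user, ip) for each failed-password line."""
    found = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:  # accepted logins and other sshd chatter are skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            found.append((ts, m["user"], m["ip"]))
    return sorted(found)

def per_ip_bans(failures, max_tries=3, window=timedelta(minutes=10)):
    """Fail2Ban/sshguard-style rule: ban any IP with max_tries failures inside one window."""
    times = defaultdict(list)
    for ts, _, ip in failures:
        times[ip].append(ts)  # already in time order because failures is sorted
    return {ip for ip, t in times.items()
            if any(t[i + max_tries - 1] - t[i] <= window for i in range(len(t) - max_tries + 1))}

def low_and_slow(failures, min_ips=4, window=timedelta(hours=6), ignore=frozenset()):
    """The pattern the per-IP rule misses: many distinct sources, a guess or two each,
    spread over one window. Returns the source IPs of the busiest window, or an empty
    set if it never reaches min_ips. Pass the banned set as ignore to look past it."""
    best = set()
    for i, (start, _, _) in enumerate(failures):
        ips = {ip for ts, _, ip in failures[i:] if ts - start <= window and ip not in ignore}
        if len(ips) > len(best):
            best = ips
    return best if len(best) >= min_ips else set()
```

On the sample, only the burst from 198.51.100.200 trips the per-IP ban, while the four remaining sources, each with one or two guesses in a six-hour window, are exactly the distributed pattern the thread is asking about.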