[Cialug] denyhosts logging LOTS of attacks

Dave Crouse crouse at usalug.net
Tue May 13 12:44:55 CDT 2008


I don't know about that, security through obscurity, maybe a bit, but still
HIGHLY effective........

zero vs 100,000 ;)

QUOTE:
"We also note that all three honeypots used in this study ran a second SSH
server on a high port, which was used for maintenance and control purposes.
No malicious login attempts directed at the servers running on these ports
were observed during the same period that over 100,000 attacks were observed
on the default SSH port. Asking legitimate users to remember the
non-standard port can be a small inconvenience."
SOURCE: http://people.clarkson.edu/~owensjp/pubs/leet08.pdf

There are of course many ways to secure ssh more securely than the default
settings. Disabling root login is always #1 on my list :) Changing the
port number is always #2. Setting allowed users and number of logins and
allowed IPs helps as well.

Dave Crouse




On Tue, May 13, 2008 at 12:22 PM, Josh More <morej at alliancetechnologies.net>
wrote:

> True, but it doesn't improve security, it just reduces the number of
> random stumblers.
>
> I suggest disabling remote SSH login for root and locking down SSH to
> version 2 and key-based access only.  I also run DenyHosts to limit the
> traffic.
>
>
>
> -Josh More, RHCE, CISSP, NCLP, GIAC
>  morej at alliancetechnologies.net
>  515-245-7701
>
> >>> "Dave Crouse" <crouse at usalug.net> 05/13/08 12:16 PM >>>
> I never run ssh on the standard port 22 anymore..... changing the port
> number alone will significantly reduce the number of logged attacks.
>
> Dave Crouse
>
>
>
>
> On Tue, May 13, 2008 at 11:49 AM, Kendall Bailey <krbailey at gmail.com>
> wrote:
>
> > I run an SSH server on port 22 as my only public service.  I run the
> > denyhosts daemon to protect against dictionary attacks and lock down
> > SSH pretty thoroughly in other regards, but still allow connection
> > from any host otherwise.  The last few days I've seen hundreds of
> > hosts logged by denyhosts.  Anyone know why random dictionary attacks
> > might be spiking?  Is it widespread?  I'm considering closing that
> > port for a while.
> >
> > Thanks.
> > Kendall
> > _______________________________________________
> > Cialug mailing list
> > Cialug at cialug.org
> > http://cialug.org/mailman/listinfo/cialug
> >
>
>
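
An added example, not part of the original thread or any poster's configuration: a small Python audit of `sshd_config` text for the hardening steps named in the messages above (root login, port, key-only access, protocol version, allowed users). The sample config and the finding names are constructed for illustration.

```python
# Added example: audit sshd_config text for the settings named in this thread.
SAMPLE_CONFIG = """\
# constructed sample, not taken from any poster's system
Port 22
PermitRootLogin yes
Protocol 2,1
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
"""

def parse_global(text):
    """Return {keyword: [values]} for the global section (before any Match)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()              # keywords are case-insensitive
        if key == "match":                  # Match blocks are conditional overrides
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, []).append(value)
    return settings

def audit(text):
    """Return finding names (hypothetical labels) for weak global settings."""
    cfg = parse_global(text)
    first = lambda k: cfg.get(k, [None])[0]   # sshd keeps the first value it reads
    findings = []
    if first("permitrootlogin") != "no":      # unset is flagged: default varies by version
        findings.append("root-login")
    if "22" in cfg.get("port", ["22"]):       # no Port line means port 22
        findings.append("default-port")
    if first("passwordauthentication") != "no":
        findings.append("password-auth")      # key-based access only is not enforced
    if "1" in (first("protocol") or "2").split(","):  # keyword exists on older OpenSSH only
        findings.append("protocol-1")
    if not cfg.get("allowusers"):
        findings.append("no-allowusers")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Moving the port only clears the `default-port` finding; the other four checks cover the controls that still matter once an attacker finds the listener.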