[Cialug] denyhosts logging LOTS of attacks
Josh More
morej at alliancetechnologies.net
Tue May 13 12:53:42 CDT 2008
The problem is that, in order for SSH to function at all, it has to be a
listening port. This means that it will show up on port scans unless
you limit it at the network layer (hosts.allow/hosts.deny and the like).
Simply moving the port doesn't do anything to protect the service, as
all the same attacks will still succeed against it wherever it is, and
wherever you put it it can be easily found.
That's why it's best to layer the defenses. Protect the network layer
with DenyHosts or specifically allowing IPs. Protect the service by
limiting the ways in which it can be used (v2 + keys-only). Protect the
system by limiting the use of service (specifically allowed users).
It sounds like you're doing some of this in addition to moving the port,
which is good. My concern is the number of people out there that simply
run SSH on port 2222 (or the like) and think they're secure. It's
effective, but only if you count "effective" as avoiding the idiots.
The idiots likely wouldn't have gotten in anyway, so who cares. All
you're doing is reducing traffic (not a bad thing, really) and reducing
your log volume.
-Josh More, RHCE, CISSP, NCLP, GIAC
morej at alliancetechnologies.net
515-245-7701
>>> "Dave Crouse" <crouse at usalug.net> 05/13/08 12:44 PM >>>
I don't know about that, security through obscurity, maybe a bit, but
still
HIGHLY effective........
zero vs 100,000 ;)
QUOTE:
"We also note that all three honeypots used in this study ran a second
SSH
server on a high port, which was used for maintenance and control
purposes.
No malicious login attempts directed at the servers running on these
ports
were observed during the same period that over 100,000 attacks were
observed
on the default SSH port. Asking legitimate users to remember the
non-standard port can be a small inconvenience."
SOURCE: http://people.clarkson.edu/~owensjp/pubs/leet08.pdf
There are of course many ways to secure ssh more securely than the
default
settings. Disabling root login is always #1 on my list :) Changing the
port number is always #2. Setting allowed users and number of logins
and
allowed IP's help as well.
Dave Crouse
On Tue, May 13, 2008 at 12:22 PM, Josh More
<morej at alliancetechnologies.net>
wrote:
> True, but it doesn't improve security, it just reduces the number of
> random stumblers.
>
> I suggest disabling remote SSH login for root and locking down SSH to
> version 2 and key-based access only. I also run DenyHosts to limit
the
> traffic.
>
>
>
> -Josh More, RHCE, CISSP, NCLP, GIAC
> morej at alliancetechnologies.net
> 515-245-7701
>
> >>> "Dave Crouse" <crouse at usalug.net> 05/13/08 12:16 PM >>>
> I never run ssh on the standard port 22 anymore..... changing the port
> number alone will significantly reduce the number of logged attacks.
>
> Dave Crouse
>
>
>
>
> On Tue, May 13, 2008 at 11:49 AM, Kendall Bailey <krbailey at gmail.com>
> wrote:
>
> > I run an SSH server on port 22 as my only public service. I run the
> > denyhosts daemon to protect against dictionary attacks and lock down
> > SSH pretty thoroughly in other regards, but still allow connection
> > from any host otherwise. The last few days I've seen hundreds of
> > hosts logged by denyhosts. Anyone know why random dictionary
attacks
> > might be spiking? Is it widespread? I'm considering closing that
> > port for a while.
> >
> > Thanks.
> > Kendall
> > _______________________________________________
> > Cialug mailing list
> > Cialug at cialug.org
> > http://cialug.org/mailman/listinfo/cialug
> >
>
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> http://cialug.org/mailman/listinfo/cialug
>
More information about the Cialug
mailing list