[Cialug] denyhosts logging LOTS of attacks

Dave Crouse crouse at usalug.net
Tue May 13 13:07:04 CDT 2008


Well, my port number isn't going to show up on a default port scan
either...... most scanners just test the lower numbers. Like I said, it's
security through obscurity, but the biggest benefit is you usually don't end
up with any brute force ssh attempts. (i.e. you keep out the idiots)  Ever
since I've changed, I have had zero attempts. If, like you said, you layer
the protection, you probably don't have nearly as much to worry about.  I
don't go to the extreme of blocking password logins and just use keys only,
but I do most of the other standard stuff.  Deny root login, change ports,
strong passwords, specify users, specify IPs (when they are static), limit
number of login attempts, etc.

Dave Crouse
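The thread's network-layer measure (DenyHosts feeding hosts.deny after too many failed logins) in miniature, as an added example that is not part of the original thread and not DenyHosts' own code; the log lines and the 203.0.113.x/192.0.2.x addresses are constructed, and the "allow list" stands in for the static IPs Dave mentions.

```python
import re
from collections import Counter

# Constructed sample of sshd auth.log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
May 13 12:01:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 43210 ssh2
May 13 12:01:05 host sshd[1235]: Failed password for root from 203.0.113.5 port 43211 ssh2
May 13 12:01:09 host sshd[1236]: Failed password for invalid user oracle from 203.0.113.5 port 43212 ssh2
May 13 12:02:00 host sshd[1240]: Accepted publickey for kendall from 192.0.2.10 port 50000 ssh2
May 13 12:02:30 host sshd[1241]: Failed password for kendall from 192.0.2.10 port 50001 ssh2
"""

# sshd logs "Failed password for [invalid user ]NAME from IP port N ssh2".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def count_failures(log_text):
    """Count failed password logins per source address and per (address, user)."""
    per_host = Counter()
    per_user = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, host = m.groups()
            per_host[host] += 1
            per_user[(host, user)] += 1
    return per_host, per_user


def hosts_to_deny(log_text, threshold=3, allow_list=()):
    """Return hosts.deny entries (TCP wrappers 'sshd: IP' form) for sources
    at or above the failure threshold, never listing an allowed static IP."""
    per_host, _ = count_failures(log_text)
    return [
        f"sshd: {host}"
        for host, n in sorted(per_host.items())
        if n >= threshold and host not in allow_list
    ]


if __name__ == "__main__":
    # One typo by a known user must not lock that host out; three guesses from
    # a stranger should.
    for entry in hosts_to_deny(SAMPLE_LOG, threshold=3, allow_list={"192.0.2.10"}):
        print(entry)
```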


On Tue, May 13, 2008 at 12:53 PM, Josh More <morej at alliancetechnologies.net>
wrote:

> The problem is that, in order for SSH to function at all, it has to be a
> listening port.  This means that it will show up on port scans unless
> you limit it at the network layer (hosts.allow/hosts.deny and the like).
>  Simply moving the port doesn't do anything to protect the service, as
> all the same attacks will still succeed against it wherever it is, and
> wherever you put it it can be easily found.
>
> That's why it's best to layer the defenses.  Protect the network layer
> with DenyHosts or specifically allowing IPs.  Protect the service by
> limiting the ways in which it can be used (v2 + keys-only).  Protect the
> system by limiting the use of service (specifically allowed users).
>
> It sounds like you're doing some of this in addition to moving the port,
> which is good.  My concern is the number of people out there that simply
> run SSH on port 2222 (or the like) and think they're secure.  It's
> effective, but only if you count "effective" as avoiding the idiots.
> The idiots likely wouldn't have gotten in anyway, so who cares.  All
> you're doing is reducing traffic (not a bad thing, really) and reducing
> your log volume.
>
>
>
> -Josh More, RHCE, CISSP, NCLP, GIAC
>  morej at alliancetechnologies.net
>  515-245-7701
>
> >>> "Dave Crouse" <crouse at usalug.net> 05/13/08 12:44 PM >>>
> I don't know about that, security through obscurity, maybe a bit, but
> still HIGHLY effective........
>
> zero vs 100,000 ;)
>
> QUOTE:
> "We also note that all three honeypots used in this study ran a second
> SSH server on a high port, which was used for maintenance and control
> purposes. No malicious login attempts directed at the servers running on
> these ports were observed during the same period that over 100,000 attacks
> were observed on the default SSH port. Asking legitimate users to remember
> the non-standard port can be a small inconvenience."
> SOURCE: http://people.clarkson.edu/~owensjp/pubs/leet08.pdf
>
> There are of course many ways to secure ssh more securely than the
> default settings.  Disabling root login is always #1 on my list  :)
> Changing the port number is always #2.  Setting allowed users and number
> of logins and allowed IPs help as well.
>
> Dave Crouse
>
>
>
>
> On Tue, May 13, 2008 at 12:22 PM, Josh More <morej at alliancetechnologies.net>
> wrote:
>
> > True, but it doesn't improve security, it just reduces the number of
> > random stumblers.
> >
> > I suggest disabling remote SSH login for root and locking down SSH to
> > version 2 and key-based access only.  I also run DenyHosts to limit
> > the traffic.
> >
> >
> >
> > -Josh More, RHCE, CISSP, NCLP, GIAC
> >  morej at alliancetechnologies.net
> >  515-245-7701
> >
> > >>> "Dave Crouse" <crouse at usalug.net> 05/13/08 12:16 PM >>>
> > I never run ssh on the standard port 22 anymore..... changing the port
> > number alone will significantly reduce the number of logged attacks.
> >
> > Dave Crouse
> >
> >
> >
> >
> > On Tue, May 13, 2008 at 11:49 AM, Kendall Bailey <krbailey at gmail.com>
> > wrote:
> >
> > > I run an SSH server on port 22 as my only public service.  I run the
> > > denyhosts daemon to protect against dictionary attacks and lock down
> > > SSH pretty thoroughly in other regards, but still allow connection
> > > from any host otherwise.  The last few days I've seen hundreds of
> > > hosts logged by denyhosts.  Anyone know why random dictionary
> > > attacks might be spiking?  Is it widespread?  I'm considering closing that
> > > port for a while.
> > >
> > > Thanks.
> > > Kendall
> > > _______________________________________________
> > > Cialug mailing list
> > > Cialug at cialug.org
> > > http://cialug.org/mailman/listinfo/cialug
> > >
> >
> >
>
>