[Cialug] denyhosts logging LOTS of attacks

Josh More morej at alliancetechnologies.net
Tue May 13 13:13:15 CDT 2008


Yes, it sounds like you're OK, mostly because you're doing the other
stuff.  

However, since other people are reading this, I have to point out that
"most scanners just test the lower numbers" is more reliance on false
security.  When I scan a system, I do slow scans (weeks-long)
originating from numerous IPs across all possible ports.  Most real
attackers work this way (unless they can buy your password with a
chocolate bar or something ;).  Then, if they get in, they modify the
logs so that you don't know, and so that tools like DenyHosts don't
block them.

Those are the guys to worry about.



-Josh More, RHCE, CISSP, NCLP, GIAC 
 morej at alliancetechnologies.net 
 515-245-7701

>>> "Dave Crouse" <crouse at usalug.net> 05/13/08 1:07 PM >>>
Well, my port number isn't going to show up on a default port scan
either...... most scanners just test the lower numbers. Like I said, it's
security through obscurity, but the biggest benefit is you usually don't
end up with any brute force ssh attempts. (i.e. you keep out the idiots)
Ever since I've changed, I have had zero attempts. If, like you said, you
layer the protection, you probably don't have nearly as much to worry
about. I don't go to the extreme of blocking password logins and just use
keys only, but I do most of the other standard stuff.  Deny root login,
change ports, strong passwords, specify users, specify IPs (when they are
static), limit number of login attempts, etc.

Dave Crouse


On Tue, May 13, 2008 at 12:53 PM, Josh More <morej at alliancetechnologies.net> wrote:

> The problem is that, in order for SSH to function at all, it has to be a
> listening port.  This means that it will show up on port scans unless
> you limit it at the network layer (hosts.allow/hosts.deny and the like).
> Simply moving the port doesn't do anything to protect the service, as
> all the same attacks will still succeed against it wherever it is, and
> wherever you put it, it can be easily found.
>
> That's why it's best to layer the defenses.  Protect the network layer
> with DenyHosts or specifically allowing IPs.  Protect the service by
> limiting the ways in which it can be used (v2 + keys-only).  Protect the
> system by limiting the use of the service (specifically allowed users).
>
> It sounds like you're doing some of this in addition to moving the port,
> which is good.  My concern is the number of people out there that simply
> run SSH on port 2222 (or the like) and think they're secure.  It's
> effective, but only if you count "effective" as avoiding the idiots.
> The idiots likely wouldn't have gotten in anyway, so who cares.  All
> you're doing is reducing traffic (not a bad thing, really) and reducing
> your log volume.
>
>
>
> -Josh More, RHCE, CISSP, NCLP, GIAC
>  morej at alliancetechnologies.net
>  515-245-7701
>
> >>> "Dave Crouse" <crouse at usalug.net> 05/13/08 12:44 PM >>>
> I don't know about that, security through obscurity, maybe a bit, but
> still HIGHLY effective........
>
> zero vs 100,000 ;)
>
> QUOTE:
> "We also note that all three honeypots used in this study ran a second
> SSH server on a high port, which was used for maintenance and control
> purposes. No malicious login attempts directed at the servers running on
> these ports were observed during the same period that over 100,000
> attacks were observed on the default SSH port. Asking legitimate users to
> remember the non-standard port can be a small inconvenience."
> SOURCE:
> http://people.clarkson.edu/~owensjp/pubs/leet08.pdf
>
> There are of course many ways to secure ssh more securely than the
> default settings.  Disabling root login is always #1 on my list  :)
> Changing the port number is always #2.  Setting allowed users and number
> of logins and allowed IPs help as well.
>
> Dave Crouse
>
>
>
>
> On Tue, May 13, 2008 at 12:22 PM, Josh More <morej at alliancetechnologies.net> wrote:
>
> > True, but it doesn't improve security, it just reduces the number of
> > random stumblers.
> >
> > I suggest disabling remote SSH login for root and locking down SSH to
> > version 2 and key-based access only.  I also run DenyHosts to limit
> > the traffic.
> >
> >
> >
> > -Josh More, RHCE, CISSP, NCLP, GIAC
> >  morej at alliancetechnologies.net
> >  515-245-7701
> >
> > >>> "Dave Crouse" <crouse at usalug.net> 05/13/08 12:16 PM >>>
> > I never run ssh on the standard port 22 anymore..... changing the port
> > number alone will significantly reduce the number of logged attacks.
> >
> > Dave Crouse
> >
> >
> >
> >
> > On Tue, May 13, 2008 at 11:49 AM, Kendall Bailey <krbailey at gmail.com> wrote:
> >
> > > I run an SSH server on port 22 as my only public service.  I run the
> > > denyhosts daemon to protect against dictionary attacks and lock down
> > > SSH pretty thoroughly in other regards, but still allow connection
> > > from any host otherwise.  The last few days I've seen hundreds of
> > > hosts logged by denyhosts.  Anyone know why random dictionary attacks
> > > might be spiking?  Is it widespread?  I'm considering closing that
> > > port for a while.
> > >
> > > Thanks.
> > > Kendall
> > > _______________________________________________
> > > Cialug mailing list
> > > Cialug at cialug.org
> > > http://cialug.org/mailman/listinfo/cialug
> > >
> >
> >
>
>
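The hardening list that runs through the thread (deny root login, SSH v2 only, keys only, specify users, limit login attempts, and the port as a noise reduction rather than a defense) can be turned into a check against an actual sshd_config. The following is an added example, not code from the thread or from the DenyHosts project; the two configs are constructed samples for a hypothetical host, and the cap of 3 for MaxAuthTries is this example's own choice. It also shows one pitfall a practitioner runs into: sshd honours the first occurrence of a directive, so a hardening line appended at the end of the file changes nothing.

```python
import re

# Constructed sample sshd_config for a hypothetical host: the weak state the
# thread warns about, plus a trap at the end (see the comment there).
SAMPLE_WEAK_CONFIG = """\
# sshd_config (constructed sample, not a real host)
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
#MaxAuthTries 6
# Appended later in an attempt to harden: ignored, because sshd uses the
# FIRST value it sees for a directive, not the last.
PermitRootLogin no
"""

# The same host after applying the thread's advice (constructed sample).
SAMPLE_HARDENED_CONFIG = """\
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice bob@203.0.113.10
MaxAuthTries 3
"""

def parse_sshd_config(text):
    """Return {directive (lowercased): value}. sshd keeps the first
    occurrence of each directive, so setdefault() models that rule."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

# (directive, acceptable values, the line to set). Matches the thread's
# advice: no root login, v2 only, keys only.
EXACT_CHECKS = [
    ("permitrootlogin", {"no"}, "PermitRootLogin no"),
    ("protocol", {"2"}, "Protocol 2"),
    ("passwordauthentication", {"no"}, "PasswordAuthentication no"),
    ("pubkeyauthentication", {"yes"}, "PubkeyAuthentication yes"),
]
MAX_AUTH_TRIES = 3   # this example's own cap (an assumption); OpenSSH's default is 6

def audit(settings):
    """Return a list of (directive, observed_value, recommended_line).
    An unset directive is reported with observed None rather than guessing
    a default, since defaults differ between OpenSSH versions."""
    findings = []
    for key, acceptable, fix in EXACT_CHECKS:
        observed = settings.get(key)
        if observed is None or observed.lower() not in acceptable:
            findings.append((key, observed, fix))
    # "specify users": without AllowUsers every account with a shell is a target
    if not settings.get("allowusers"):
        findings.append(("allowusers", None, "AllowUsers <user>[@<host>] ..."))
    # "limit number of login attempts": absent means the default of 6
    observed = settings.get("maxauthtries")
    tries = int(observed) if observed and observed.isdigit() else 6
    if tries > MAX_AUTH_TRIES:
        findings.append(("maxauthtries", observed, f"MaxAuthTries {MAX_AUTH_TRIES}"))
    return findings

def port_note(settings):
    """The port is reported separately: moving it reduces log noise but does
    not change what audit() finds, which is the point made in the thread."""
    port = settings.get("port", "22")
    return f"Port {port}: " + ("default, expect scanner noise" if port == "22"
                               else "non-default, less noise but same exposure")

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK_CONFIG), ("hardened", SAMPLE_HARDENED_CONFIG)):
        s = parse_sshd_config(cfg)
        print(f"== {name}: {port_note(s)}")
        for key, observed, fix in audit(s):
            print(f"  {key}: observed {observed!r}; set '{fix}'")
```

Run it against a real file with `parse_sshd_config(open("/etc/ssh/sshd_config").read())`; on the weak sample it reports six findings and on the hardened sample none, and the appended `PermitRootLogin no` is correctly ignored because the earlier `yes` wins.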
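Kendall's original question was about denyhosts logging hundreds of hosts, and Josh's replies recommend DenyHosts to limit the traffic. To show what that kind of tool actually does with the log, here is an added example (not code from the thread or from DenyHosts) that counts sshd "Failed password" lines per source address, separating root, valid-user and invalid-user failures, and emits hosts.deny entries for the sources that crossed a threshold. The log excerpt is constructed, the addresses are from the documentation ranges, and the three threshold values are this example's own assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd auth.log excerpt for a hypothetical host; addresses are
# from the documentation ranges (TEST-NET), not real attackers.
SAMPLE_AUTH_LOG = """\
May 13 11:40:01 host sshd[2301]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
May 13 11:40:03 host sshd[2301]: Failed password for invalid user oracle from 198.51.100.7 port 51235 ssh2
May 13 11:40:05 host sshd[2304]: Failed password for root from 198.51.100.7 port 51236 ssh2
May 13 11:40:09 host sshd[2310]: Failed password for alice from 203.0.113.44 port 40022 ssh2
May 13 11:40:15 host sshd[2312]: Accepted publickey for alice from 203.0.113.44 port 40023 ssh2
May 13 11:41:00 host sshd[2320]: Failed password for invalid user test from 192.0.2.9 port 33000 ssh2
May 13 11:41:02 host sshd[2321]: Failed password for invalid user guest from 192.0.2.9 port 33001 ssh2
"""

# sshd's "Failed password" line; the optional "invalid user" marker tells a
# non-existent account apart from a wrong password on a real one.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\S+) port \d+")

# Per-category thresholds: this example's own numbers (an assumption).
# Any root attempt is enough; guessing non-existent accounts is cheap to
# block; a real user mistyping a password gets more room.
THRESHOLDS = {"root": 1, "invalid": 2, "valid": 5}

def count_failures(log_text):
    """Return {source_ip: Counter({category: n})} over the log lines."""
    per_host = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        invalid, user, ip = m.groups()
        category = "root" if user == "root" else ("invalid" if invalid else "valid")
        per_host[ip][category] += 1
    return per_host

def hosts_to_deny(per_host, thresholds=THRESHOLDS):
    """Sources that crossed any category threshold, as a sorted list of IPs."""
    denied = set()
    for ip, counts in per_host.items():
        for category, limit in thresholds.items():
            if counts[category] >= limit:
                denied.add(ip)
    return sorted(denied)

def hosts_deny_lines(ips):
    """Render tcp_wrappers /etc/hosts.deny entries restricting sshd."""
    return [f"sshd: {ip}" for ip in ips]

if __name__ == "__main__":
    counts = count_failures(SAMPLE_AUTH_LOG)
    for ip, c in sorted(counts.items()):
        print(ip, dict(c))
    print("\n".join(hosts_deny_lines(hosts_to_deny(counts))))
```

On the sample, 198.51.100.7 is denied for the root attempt (and two invalid-user guesses), 192.0.2.9 for two invalid-user guesses, while 203.0.113.44, which failed once as a real user and then logged in with a key, is left alone. This is also why Josh's remark about attackers editing logs matters: a blocker fed from the same log sees nothing once the entries are gone.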


