Re: One approach to dealing with SSH brute force attacks.

Les Bell wrote:
mouss <mouss@xxxxxxxxxxx> wrote:

If you consider this security through obscurity, then why not publish
the list of your users on a public web page? After all, you should use
strong passwords, so why hide usernames?
<<

Usernames are comparatively hard to guess, and chosen from a large space -
although email addresses often provide a huge clue. By contrast, there are
only 64K port numbers (and only 1K privileged ports, all of which will be
scanned by default with nmap) - and to make it worse, the attacker only has
to telnet or nc to a port and sshd will obligingly send back its version
number and protocol version info as plaintext. So, the added "obscurity" is
effectively zero.

Zero? No. On all the boxes where I changed the port, I noticed 0 login attempts (in ssh logs). Before that, the boxes were under continuous attack (the last box that was installed was probed one second after it was connected! After the port change, nothing in ssh logs). Call this zero if you want.

I do understand that changing the port does not bring real security, but it avoids silly malware probes. An attacker needs to find the port among, say, 30K possible ports. If he uses one host, he will trigger alarms before he gets a chance to see the banner. That rids us of such attempts, and gives us more time to focus on real miscreants with more power.

I sort of half-buy the log volume/noise argument, but rate-limiting and
good analysis tools deal with this as well.

Not so long ago, there was a bug in fail2ban. It used "loose" parsing to get the IP to block, but an attacker could put an IP in the login name, which would result in blocking arbitrary IPs. Of course, the problem was in the parsing and the solution is to fix the parsing. But if you get fewer probes, you are less vulnerable to such attacks.

And it does nothing for the
stress level, since the serious adversary will see through your
non-standard port number in seconds.

Sure, but he needs to use multiple hosts, as otherwise he will be detected. I've not yet seen a "distributed" dictionary attack (I mean: using N machines against a single target). I guess there are enough Windows targets that they leave us in peace for now ;-p

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
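The fail2ban parsing problem mentioned in the thread, illustrated with an added example that is not from the list or from fail2ban itself: a loose sshd log parser that grabs the first address-looking token versus a strict one anchored on sshd's own "from <ip> port <n> ssh2" tail. The log lines are constructed; "host", the PIDs and the addresses are made up.

```python
import ipaddress
import re
from typing import Callable, List, Optional

# Constructed sshd log lines (not taken from the thread). The first one
# carries a login name that itself looks like an address, which is the
# case the loose parser gets wrong.
SAMPLE_LOG = """\
Jul 12 10:01:22 host sshd[1234]: Failed password for invalid user 10.0.0.5 from 203.0.113.7 port 51234 ssh2
Jul 12 10:01:25 host sshd[1235]: Failed password for root from 198.51.100.9 port 51235 ssh2
Jul 12 10:01:30 host sshd[1236]: Accepted publickey for alice from 192.0.2.10 port 51236 ssh2
"""

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# Loose parser: first address-looking token after "Failed password for".
# The login name precedes the real source address, so whoever chooses the
# login name chooses which address this parser reports.
LOOSE = re.compile(r"Failed password for .*?(" + IPV4 + r")")

# Strict parser: the source address must sit in the fixed tail that sshd
# itself appends, anchored at end of line; the login name is matched
# separately and never used as the address.
STRICT = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*?) "
    r"from (?P<ip>" + IPV4 + r") port \d+ ssh2$"
)


def loose_source_ip(line: str) -> Optional[str]:
    m = LOOSE.search(line)
    return m.group(1) if m else None


def strict_source_ip(line: str) -> Optional[str]:
    m = STRICT.search(line)
    if not m:
        return None
    try:
        # Reject tokens like 999.1.1.1 that the regex alone would accept.
        return str(ipaddress.IPv4Address(m.group("ip")))
    except ValueError:
        return None


def ban_candidates(log: str, parser: Callable[[str], Optional[str]]) -> List[str]:
    """Addresses a ban rule would act on for each failed-login line."""
    return [ip for ip in (parser(l) for l in log.splitlines()) if ip]
```

With the first line, the loose parser reports 10.0.0.5 (the login name), while the strict parser reports the actual peer 203.0.113.7.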
