Re: One approach to dealing with SSH brute force attacks.

mouss wrote:
Les Bell wrote:
mouss <mouss@xxxxxxxxxxx> wrote:

  If you consider this security through obscurity, then why not publish
the list of your users on a public web page? After all, you should use
strong passwords, so why hide usernames?
<<

Usernames are comparatively hard to guess, and chosen from a large space - although email addresses often provide a huge clue. By contrast, there are
only 64K port numbers (and only 1K privileged ports, all of which will be
scanned by default with nmap) - and to make it worse, the attacker only has
to telnet or nc to a port and sshd will obligingly send back its version
number and protocol version info as plaintext. So, the added "obscurity" is
effectively zero.

Zero? No. On all the boxes where I changed the port, I noticed 0 login attempts (in ssh logs). Before that, the boxes were under continuous attack (the last box that was installed was probed one second after it was connected! After the port change, nothing in ssh logs). Call this zero if you want.

I do understand that changing the port does not bring real security. But it avoids silly malware probes. An attacker needs to find the port among, say, 30K possible ports. If he uses one host, he will trigger alarms before he gets a chance to see the banner. That rids us of such attempts and gives us more time to focus on real miscreants with more power.

No _one_ technique will bring security. Good security is layered. Everything you do to make it more difficult to break into your system is adding security.

The real question is: how much security do _you_ need to protect your system?


And it does nothing for the
stress level, since the serious adversary will see through your
non-standard port number in seconds.

The serious adversary will use his multi-million host bot-net and do 1 of 2 things: prevent you from using your system or break into it... so why bother?

Sure, but he needs to use multiple hosts, as otherwise he will be detected. I've not yet seen a "distributed" dictionary attack (I mean: using N machines against a single target). I guess there are enough Windows targets that they leave us in peace for now ;-p

By the time you see it, it will have happened.


--
Milton Calnek BSc, A/Slt(Ret.)
milton@xxxxxxxxxx
306-717-8737
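Added example, not written by any poster in this thread: mouss's argument is that a single-host probe "will trigger alarms before he gets a chance to see the banner", and that after the port change the ssh logs showed nothing. The script below is the kind of check that turns the auth log into such an alarm. It parses OpenSSH syslog lines (the sample lines are constructed for the example, not taken from the thread), counts failed logins and distinct usernames per source address, and flags sources whose pattern looks like a dictionary attack. The regexes assume the standard OpenSSH "Failed password for ..." and "Accepted ... for ..." message formats, and the thresholds are arbitrary assumptions to be tuned per site.

```python
import re
from collections import defaultdict

# Constructed sample auth-log lines in OpenSSH's syslog format (not from the thread).
SAMPLE_LOG = """\
Mar 10 04:12:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 04:12:03 host sshd[1236]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 10 04:12:05 host sshd[1238]: Invalid user oracle from 203.0.113.5
Mar 10 04:12:06 host sshd[1238]: Failed password for invalid user oracle from 203.0.113.5 port 51244 ssh2
Mar 10 04:12:09 host sshd[1240]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Mar 10 04:13:00 host sshd[1250]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Mar 10 04:13:30 host sshd[1252]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Mar 10 04:13:35 host sshd[1254]: Accepted password for alice from 198.51.100.7 port 40012 ssh2
"""

# Assumed OpenSSH message formats. The optional "invalid user " prefix appears when
# the username does not exist on the box (typical of a dictionary run).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def summarize(log_text):
    """Return per-source stats: failed attempts, distinct usernames tried, accepted logins.

    The bare "Invalid user ... from ..." line is deliberately not counted: it is
    always followed by a "Failed password for invalid user" line for the same
    attempt, and counting both would double-count.
    """
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "accepted": 0})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            entry = stats[m.group("ip")]
            entry["failed"] += 1
            entry["users"].add(m.group("user"))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            stats[m.group("ip")]["accepted"] += 1
    return dict(stats)


def flag_sources(stats, max_failures=3, max_users=2):
    """Sources that look like a dictionary attack (thresholds are assumptions).

    A legitimate user mistyping a password produces one or two failures for a
    single username; a probe produces many failures across many usernames.
    """
    return sorted(
        ip
        for ip, entry in stats.items()
        if entry["failed"] >= max_failures or len(entry["users"]) >= max_users
    )


def success_after_failures(stats, min_failures=3):
    """Sources that failed repeatedly and then logged in: the case worth an incident ticket."""
    return sorted(
        ip
        for ip, entry in stats.items()
        if entry["failed"] >= min_failures and entry["accepted"] > 0
    )


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, entry in sorted(stats.items()):
        print(f"{ip}: failed={entry['failed']} users={sorted(entry['users'])} "
              f"accepted={entry['accepted']}")
    print("suspicious sources:", flag_sources(stats))
    print("success after failures:", success_after_failures(stats))
```

Run it against `/var/log/secure` (or whatever path the box logs sshd to) by feeding the file contents to `summarize()`; a source listed by `flag_sources()` is the alarm mouss refers to, and anything listed by `success_after_failures()` deserves a look before the log rotates.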



_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
