"In honor of this phenomenon, I now keep a text file of the ports I find an SSH daemon running on, and the explanation offered by the administrator of how this change improves security. I won't list the explanations here, but here's the gist of their justifications: attackers will not bother launching a scan against the entire port range of a box, and a scanning tool is not advanced enough to grab service banners. Admins generally provide me with these explanations during a post assessment wrap-up meeting, and they are typically surprised that their SSH daemon running on port 65022 is listed in the report at all. It's almost like pointing out a trap door or a mirror in a magic act." Hiding In Plain Sight Doesn't Work: < http://www.darkreading.com/blog/archives/2008/12/hiding_in_plain.html?cid=RSSfeed_DR_ALL?cid=nl_DR_WEEKLY_T > After reading the above article, well ...ahem, I decided to bring back the SSH daemon to its original default port on some accounts and implemented a banner advising the would be perpetrators that their IP would be logged. Notwithstanding, there where those who did not care (some, like the example below, understandably since their IP is dynamic). Notwithstanding, those who dared try their luck were locked out by fail2ban on their fifth try. After observing their reverse mapping attempts (as below) I reduced SSH login attempts to three. I am also looking for insight/recommendations on an utility to stop scraping/resource probing like abuses, where an given perpetrator will start at the root of the web resources and continue for several minutes traversing the whole site(s). Dec 8 04:51:23 my-client-host sshd[8282]: Invalid user test from 85.94.59.251 Dec 8 04:51:23 my-client-host sshd[8282]: reverse mapping checking getaddrinfo for 85.94.59.251.adsl.sta.mcn.ru failed - POSSIBLE BREAK-IN ATTEMPT! 
Dec 8 04:51:32 my-client-host sshd[8284]: Invalid user guest from 85.94.59.251 Dec 8 04:51:32 my-client-host sshd[8284]: reverse mapping checking getaddrinfo for 85.94.59.251.adsl.sta.mcn.ru failed - POSSIBLE BREAK-IN ATTEMPT! Dec 8 04:51:36 my-client-host sshd[8286]: Invalid user admin from 85.94.59.251 Dec 8 04:51:36 my-client-host sshd[8286]: reverse mapping checking getaddrinfo for 85.94.59.251.adsl.sta.mcn.ru failed - POSSIBLE BREAK-IN ATTEMPT! Dec 8 04:51:41 my-client-host sshd[8288]: Invalid user admin from 85.94.59.251 Dec 8 04:51:41 my-client-host sshd[8288]: reverse mapping checking getaddrinfo for 85.94.59.251.adsl.sta.mcn.ru failed - POSSIBLE BREAK-IN ATTEMPT! Dec 8 04:51:51 my-client-host sshd[8290]: Invalid user user from 85.94.59.251 Dec 8 04:51:51 my-client-host sshd[8290]: reverse mapping checking getaddrinfo for 85.94.59.251.adsl.sta.mcn.ru failed - POSSIBLE BREAK-IN ATTEMPT! -- Jose R R http://www.metztli-it.com -- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list
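
An added illustration, not part of the original post and not fail2ban's own code: a simplified model of the retry threshold the post describes, run over the "Invalid user" lines quoted in it, showing where the lockout falls with a limit of five versus three. The 10-minute window, the year, and the name `first_bans` are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Lines copied from the post above; only the first "reverse mapping" line is
# kept, to show that the pattern below does not count it as a failure.
SAMPLE_LOG = """\
Dec 8 04:51:23 my-client-host sshd[8282]: Invalid user test from 85.94.59.251
Dec 8 04:51:23 my-client-host sshd[8282]: reverse mapping checking getaddrinfo for 85.94.59.251.adsl.sta.mcn.ru failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 8 04:51:32 my-client-host sshd[8284]: Invalid user guest from 85.94.59.251
Dec 8 04:51:36 my-client-host sshd[8286]: Invalid user admin from 85.94.59.251
Dec 8 04:51:41 my-client-host sshd[8288]: Invalid user admin from 85.94.59.251
Dec 8 04:51:51 my-client-host sshd[8290]: Invalid user user from 85.94.59.251
"""

INVALID_USER = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def first_bans(log_text, maxretry, findtime=timedelta(minutes=10), year=2008):
    """Map each IP to (time of lockout, usernames tried up to that point).

    An IP is locked out once it has `maxretry` failures inside a sliding
    `findtime` window. Window length and year are assumptions; syslog
    timestamps carry no year.
    """
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    tried = defaultdict(list)    # ip -> usernames attempted so far
    bans = {}
    for line in log_text.splitlines():
        m = INVALID_USER.match(line.strip())
        if not m or m["ip"] in bans:  # not a failure line, or already locked out
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        tried[m["ip"]].append(m["user"])
        while ts - window[0] > findtime:  # expire failures older than the window
            window.popleft()
        if len(window) >= maxretry:
            bans[m["ip"]] = (ts, list(tried[m["ip"]]))
    return bans

if __name__ == "__main__":
    for limit in (5, 3):
        for ip, (when, users) in first_bans(SAMPLE_LOG, limit).items():
            print(f"maxretry={limit}: {ip} locked out at {when:%H:%M:%S} after {users}")
```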