[svlug] What to do about ssh hack attempts?

Mark msalists at gmx.net
Wed Feb 1 10:20:46 PST 2006


It depends on 2 things: what you are worried about, and how much time you want to spend.
If you worry about somebody who is determined to get into just YOUR box, no matter how long it takes, then of course moving the port will not do too much good. And also, it is most certainly not a replacement for proper firewall setup, secure passwords and maybe authentication keys rather than passwords.

But if you are worried about those bot scripts hitting the jackpot - no matter how unlikely it is if you have a reasonable password - then moving the port is obviously the best fix there is, for 3 reasons:
1. they currently only try port 22
2. it only takes 1 minute
3. you don't need to waste system resources to evaluate all those logons, check passwords, etc.

Oh... And if nothing else: it keeps your logs small and clean.


> -----Original Message-----
> From: svlug-bounces+msalists=gmx.net at lists.svlug.org [mailto:svlug-bounces+msalists=gmx.net at lists.svlug.org] On Behalf Of Rick Moen
> Sent: Wednesday, February 01, 2006 10:11 AM
> To: svlug at lists.svlug.org
> Subject: Re: [svlug] What to do about ssh hack attempts?
> 
> 
> Quoting Mark (msalists at gmx.net):
> 
> > Moving the port is really a great solution - considering the time it
> > takes.  One minute to do the change and I have never gotten one single
> > log entry since.  I used to have log entries every day, sometimes up
> > to 50,000 attempts from 1 single IP.
> 
> Wouldn't it be more useful to concentrate on the threat and 
> the exposure, rather than logwatch log entries?  If the root 
> problem is exposure of guessable ssh login/password pairs to 
> remote attackers, then your candidate solution should aim to 
> fix that exposure.  Moving the daemon to an unusual port 
> simply doesn't do much.
> 
> (Me, I just disable password auth.  Other effective approaches are
> possible.)
> 
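
The two positions in this thread (move the port, or disable password authentication) can be compared by reading a server's sshd_config. The sketch below is an added example and not part of the original messages: the function name and the three sample configs are constructed, and it reads only Port, PasswordAuthentication and Match, ignoring Include files and keyboard-interactive/PAM logins.

```python
# Added example: constructed configs, not taken from the thread.
# Scope (assumptions): only Port, PasswordAuthentication and Match are read;
# Include files and keyboard-interactive/PAM logins are not evaluated.

def audit_sshd_config(text):
    """Report listening ports and whether password guessing is reachable."""
    ports = []
    password_auth = None        # sshd keeps the first value it reads
    in_match = False
    match_enables = False       # a Match block can override the global value
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single "=".
        parts = line.replace("=", " ", 1).split()
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True     # everything below is conditional
        elif key == "passwordauthentication":
            if in_match:
                match_enables = match_enables or value == "yes"
            elif password_auth is None:
                password_auth = value
        elif key == "port" and not in_match and value.isdigit():
            ports.append(int(value))   # Port may be given several times
    if password_auth is None:
        password_auth = "yes"   # OpenSSH default when the keyword is absent
    return {
        "ports": ports or [22], # default port when none is configured
        "global_password_auth": password_auth == "yes",
        "password_guessing_reachable": password_auth == "yes" or match_enables,
    }

# Constructed samples for the two positions in the thread, plus one pitfall.
MOVED_PORT = "Port 2222\n#PasswordAuthentication yes\n"
KEYS_ONLY = "Port 22\nPasswordAuthentication no\nPubkeyAuthentication yes\n"
MATCH_HOLE = ("PasswordAuthentication no\n"
              "Match User backup\n  PasswordAuthentication yes\n")

if __name__ == "__main__":
    for name, cfg in [("moved port", MOVED_PORT), ("keys only", KEYS_ONLY),
                      ("match override", MATCH_HOLE)]:
        print(name, audit_sshd_config(cfg))
```

The moved-port sample still reports password guessing as reachable, while the keys-only sample on port 22 does not; the third sample shows a Match block quietly re-enabling passwords for one account.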




