[svlug] What to do about ssh hack attempts?

Alex Arbitman aarbitman at opencountry.com
Wed Feb 1 13:41:25 PST 2006


Hi, guys!
This is what I do. Any comments on this would be appreciated.
My router has two ports opened: 22 and 2200.
Port 22 gets redirected to the system on the internal network, which is actually a virtual machine (I run vmware on a debian box).
So any hack attempts go to the virtual system, which has only an ssh server running on it. I do have an easily guessable password on that,
since I do want that system to be compromised. After 3 unsuccessful logins the source IP address is recorded and my firewall's hosts.deny
file gets updated, even before my firewall's ssh server on port 2200 gets scanned. I am using certificates in place, no passwords.
Let's say a hacker guessed my password on the virtual system (wouldn't be difficult). I let him play on that for a while and get more info about him
and report the guy to the appropriate agency.
If you like the idea, feel free to use it.

-- 
Alex Arbitman
Systems Admin
Open Country
W: 650-591-8080 ext 240
C: 415-269-9216

> Note that an emergency rebuild because you were reckless 
> about security takes a _long_ time.
> 
> > If you worry about somebody who is determined to get into just YOUR 
> > box, no matter how long it takes, then of course moving the 
> > port will 
> > not do too much good.
> 
> Also, if you worry about J. Random Portscanner.
> 
> > 1. they currently only try port 22
> 
> So, when you get cracked because someone does something 
> unusual, you can console yourself with "Funny, that _was_ 
> unusual as late as yesterday."
> 
> > 2. it only takes 1 minute
> 
> Disabling password auth. takes 10 seconds.  ;->
> > Oh.. And if nothing else: it keeps your logs small and clean
> 
> Funny thing about people who newly install 
> logwatch/logcheck/etc.:  They tend to obsess over the reports 
> rather than over underlying problems.  
> Maybe they should just remove the log-analysis programs.  ;->
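The "3 failed logins, then hosts.deny" step from the post above, as an added example that is not Alex's own script: it parses constructed sshd auth.log lines (RFC 5737 documentation addresses, not real sources), counts failed-password attempts per source IP, and appends `sshd: <ip>` entries that are not already present. The log path, the hosts.deny path and the honeypot-to-firewall log shipping are assumptions.

```python
import re
from collections import Counter

# Constructed sample auth.log lines from the honeypot VM (not real attacker data).
SAMPLE_LOG = """\
Feb  1 13:40:01 honeypot sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 40211 ssh2
Feb  1 13:40:03 honeypot sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 40212 ssh2
Feb  1 13:40:05 honeypot sshd[2203]: Failed password for root from 192.0.2.10 port 40213 ssh2
Feb  1 13:40:09 honeypot sshd[2210]: Failed password for root from 198.51.100.7 port 51000 ssh2
Feb  1 13:40:12 honeypot sshd[2215]: Accepted publickey for alex from 203.0.113.5 port 60000 ssh2
Feb  1 13:41:00 honeypot sshd[2220]: Failed password for invalid user test from 198.51.100.7 port 51001 ssh2
"""

# Matches both "Failed password for root from ..." and "... for invalid user X from ...".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def count_failures(log_text):
    """Return a Counter of failed-password attempts keyed by source IP."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            hits[m.group(2)] += 1
    return hits

def offenders(log_text, threshold=3):
    """Source IPs that reached the threshold (3 in the post), sorted for stable output."""
    return sorted(ip for ip, n in count_failures(log_text).items() if n >= threshold)

def hosts_deny_lines(ips):
    """Render TCP wrappers entries in daemon: client form, e.g. 'sshd: 192.0.2.10'."""
    return [f"sshd: {ip}" for ip in ips]

def update_hosts_deny(path, ips):
    """Append only entries not already in the file; return the lines actually added."""
    try:
        with open(path) as f:
            existing = {line.strip() for line in f}
    except FileNotFoundError:
        existing = set()
    new = [line for line in hosts_deny_lines(ips) if line not in existing]
    if new:
        with open(path, "a") as f:
            f.write("\n".join(new) + "\n")
    return new

if __name__ == "__main__":
    # Assumed demo path; on the firewall this would be /etc/hosts.deny.
    print(update_hosts_deny("/tmp/hosts.deny.demo", offenders(SAMPLE_LOG)))
```

hosts.deny only has an effect if the firewall's sshd was built with TCP wrappers (libwrap); otherwise the same list is what you would feed into a firewall rule instead.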
