[svlug] What to do about ssh hack attempts?
aarbitman at opencountry.com
Wed Feb 1 13:41:25 PST 2006
This is what I do. Any comments on this would be appreciated.
My router has two ports opened- 22 and 2200.
Port 22 gets redirected to the system on internal network, which is actually a virtual machine (I run vmware on debian box).
So any hack attemps go to virtual system which has only ssh server running on it, I do have easy guessable password on that,
since I do want that system to be compromissed. After 3 unsuccessful logins the source IP address is recorded and my firewall hosts.deny
file gets updated even before my firewall ssh server 2200 port gets scanned, I am using certificates at place, no passwords.
Let say hacker guessed my password on virtual system (wouldn't be difficult ), I let him play on that for a while and get more info about him
and report the guy to appropriate agency.
If you like the idea, feel free to use it.
W: 650-591-8080 ext 240
> Note that an emergency rebuild because you were reckless
> about security takes a _long_ time.
> > If you worry about somebody who is determined to get into just YOUR
> > box, no matter how long it takes, then of course moving the
> port will
> > not do too much good.
> Also, if you worry about J. Random Portscanner.
> > 1. they currently only try port 22
> So, when you get cracked because someone does something
> unusual, you can console yourself with "Funny, that _was_
> unusual as late as yesterday."
> > 2. it only takes 1 minute
> Disabling password auth. takes 10 seconds. ;->
> > Oh.. And if nothing else: it keeps your logs small and clean
> Funny thing about people who newly install
> logwatch/logcheck/etc.: They tend to obsess over the reports
> rather than over underlying problems.
> Maybe they should just remove the log-analysis programs. ;->
More information about the svlug