[CentOS] One approach to dealing with SSH brute force attacks.
mouss
mouss at netoyen.netFri Feb 1 23:15:13 UTC 2008
- Previous message: [CentOS] dmcrypt on install with centos 5.1?
- Next message: [CentOS] One approach to dealing with SSH brute force attacks.
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Les Bell wrote: > mouss <mouss at netoyen.net> wrote: > > > If you consider this security through obscurity, then why not publish > the list of your users on a public web page? after all, you should use > strong passwords, so why hide usernames? > << > > Usernames are comparatively hard to guess, and chosen from a large space - > although email addresses often provide a huge clue. By contrast, there are > only 64K port numbers (and only 1K privileged ports, all of which will be > scanned by default with nmap) - and to make it worse, the attacker only has > to telnet or nc to a port and sshd will obligingly send back its version > number and protocol version info as plaintext. So, the added "obscurity" is > effectively zero. > zero? No. On all the boxes where I changed the port, I noticed 0 login attempt (in ssh logs). before that, the boxes were under continuous attacks (the last box that was installed was probed one second after it was connected! after the port change, nothing in ssh logs). call this zero if you want. I do understand that changing the port does not bring real security. but it avoids silly malware probes. An attacker needs to find the port among say 30K possible ports. if he uses one host, he will trigger alarms before he gets a chance to see the banner. that gets us rid of such attempts, and more time to focus on real miscreants with more power. > I sort of half-buy the log volume/noise argument, but rate-limiting and > good analysis tools deal with this as well. not so long ago, there was a bug in fail2ban. It used "lose" parsing to get the IP to block. but an attacker could put the IP in the login name, which would result in blocking arbitrary IPs. of course, the problem was in the parsing and the solution is to fix the parsing. but if you get less probes, you are less vulnerable to such attacks. > And it does nothing for the > stress level, since the serious adversary will see through your > non-standard port number in seconds. > sure, but he needs to use multiple hosts, as otherwise he will be detected. I've not yet seen a "distributed" dictionary attack (I mean: using N machines against a singe target). I guess there are enough windows targets that they leave at in piece for now ;-p
- Previous message: [CentOS] dmcrypt on install with centos 5.1?
- Next message: [CentOS] One approach to dealing with SSH brute force attacks.
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the CentOS mailing list