[CentOS] One approach to dealing with SSH brute force attacks.

Wed Jan 30 23:18:21 UTC 2008
Les Bell <lesbell at lesbell.com.au>

mouss <mouss at netoyen.net> wrote:

>>
If you consider this security through obscurity, then why not publish
the list of your users on a public web page? After all, you should use
strong passwords, so why hide usernames?
<<

Usernames are comparatively hard to guess, and chosen from a large space -
although email addresses often provide a huge clue. By contrast, there are
only 64K port numbers (and only 1K privileged ports, all of which will be
scanned by default with nmap) - and to make it worse, the attacker only has
to telnet or nc to a port and sshd will obligingly send back its version
number and protocol version info as plaintext. So, the added "obscurity" is
effectively zero.

I sort of half-buy the log volume/noise argument, but rate-limiting and
good analysis tools deal with this as well. And it does nothing for the
stress level, since the serious adversary will see through your
non-standard port number in seconds.

Best,

--- Les Bell, RHCE, CISSP
[http://www.lesbell.com.au]
Tel: +61 2 9451 1144
FreeWorldDialup: 800909
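As an added, defender-side illustration of the "good analysis tools" the reply mentions (example code, not from the list or its posters): a small Python detector that counts failed sshd logins per source inside a sliding window and reports which usernames each flagged source tried. The log lines are constructed, and the threshold, window and log format assumptions are mine.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/secure entries (syslog format has no year).
SAMPLE_LOG = """\
Jan 30 23:10:01 host sshd[2201]: Failed password for invalid user admin from 10.0.0.5 port 40001 ssh2
Jan 30 23:10:03 host sshd[2203]: Failed password for invalid user oracle from 10.0.0.5 port 40002 ssh2
Jan 30 23:10:05 host sshd[2205]: Failed password for root from 10.0.0.5 port 40003 ssh2
Jan 30 23:10:07 host sshd[2207]: Failed password for invalid user test from 10.0.0.5 port 40004 ssh2
Jan 30 23:10:09 host sshd[2209]: Failed password for root from 10.0.0.5 port 40005 ssh2
Jan 30 23:10:11 host sshd[2211]: Failed password for invalid user guest from 10.0.0.5 port 40006 ssh2
Jan 30 23:15:00 host sshd[2300]: Failed password for les from 192.0.2.10 port 51000 ssh2
Jan 30 23:15:30 host sshd[2301]: Accepted password for les from 192.0.2.10 port 51000 ssh2
"""

# Matches sshd "Failed password" lines for both existing and invalid users.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(lines, year=2008):
    """Yield (timestamp, username, source_ip) for each failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def find_brute_forcers(lines, max_failures=5, window=timedelta(minutes=10)):
    """Return {source_ip: sorted usernames tried} for every source that
    produced more than max_failures failed logins inside one sliding window."""
    recent = defaultdict(list)  # ip -> failure timestamps still inside the window
    users = defaultdict(set)    # ip -> every username that source has tried
    flagged = set()
    for ts, user, ip in parse_failures(lines):
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # expire entries older than the window
            q.pop(0)
        if len(q) > max_failures:
            flagged.add(ip)
    return {ip: sorted(users[ip]) for ip in flagged}

if __name__ == "__main__":
    for ip, names in find_brute_forcers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(names)} distinct usernames tried: {', '.join(names)}")
```

The single failure from 192.0.2.10 followed by a successful login stays below the threshold, so only the scanning source is reported.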