[CentOS] Re: Ideas for stopping ssh brute force attacks

Scott Silva ssilva at sgvwater.com
Tue Jul 22 23:26:08 UTC 2008


on 7-22-2008 2:45 PM Les Bell spake the following:
> "David Dyer-Bennet" <dd-b at dd-b.net> wrote:
> 
> Yes, but if there are *any* ports exposed, seems like those are equally
> possible.
> <<
> 
> Sort of. Changing the port used by sshd stops the completely clueless
> script kiddies, since they don't even bother looking at anything other than
> port 22. Putting it way up high, among the ephemeral ports, will slow down
> the slightly more clueful who perform nmap scans, since nmap only scans
> around 1500 ports by default, and if sshd isn't running on one of those,
> they won't spot it.
> 
> However, it won't deter the intelligent or curious attacker; these guys
> will scan all ports (slowly, so you may not even notice them) and they will
> use banner enumeration to identify the services, rather than assuming.
> 
> Moving sshd to a non-standard port is one of the worst examples of relying
> on security by obscurity. Its only advantage is that it cuts out some noise
> in the logs, but proper precautions do that as well, without lulling you
> into a false sense of security. Rate limiting, combined with enforcement of
> really strong passwords, or even better, public/private key authentication,
> is real security.
> 
> A useful additional layer of defence, if you want it, is a daemon that will
> watch for port scans on the simple services ports and immediately insert a
> firewall rule to block that source - such as the old PortSentry, if you can
> find it, or some more modern equivalent. Of course, this won't do much to
> defend against some types of stealthy scans, such as idle time scans.
> 
Portsentry is still available on sourceforge I believe. But who knows if it 
will still work or even compile. It was written back in the 2.2 kernel days.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 258 bytes
Desc: OpenPGP digital signature
Url : http://lists.centos.org/pipermail/centos/attachments/20080722/cbfdd559/signature.bin


More information about the CentOS mailing list