[CentOS] One approach to dealing with SSH brute force attacks.
Milton Calnek
milton at calnek.com
Mon Feb 4 14:58:26 UTC 2008
mouss wrote:
> Les Bell wrote:
>> mouss <mouss at netoyen.net> wrote:
>>
>> If you consider this security through obscurity, then why not publish
>> the list of your users on a public web page? after all, you should use
>> strong passwords, so why hide usernames?
>> <<
>>
>> Usernames are comparatively hard to guess, and chosen from a large space -
>> although email addresses often provide a huge clue. By contrast, there are
>> only 64K port numbers (and only 1K privileged ports, all of which will be
>> scanned by default with nmap) - and to make it worse, the attacker only has
>> to telnet or nc to a port and sshd will obligingly send back its version
>> number and protocol version info as plaintext. So, the added "obscurity" is
>> effectively zero.
>>
>
> Zero? No. On all the boxes where I changed the port, I noticed 0 login
> attempts (in ssh logs). Before that, the boxes were under continuous
> attack (the last box that was installed was probed one second after it
> was connected! After the port change, nothing in ssh logs). Call this
> zero if you want.
>
> I do understand that changing the port does not bring real security. But
> it avoids silly malware probes. An attacker needs to find the port among
> say 30K possible ports. If he uses one host, he will trigger alarms
> before he gets a chance to see the banner. That rids us of such
> attempts, and gives us more time to focus on real miscreants with more power.
No _one_ technique will bring security. Good security is layered.
Everything you do to make it more difficult to break into your system is
adding security.
The real question is: how much security do _you_ need to protect your
system?
>
>> And it does nothing for the
>> stress level, since the serious adversary will see through your
>> non-standard port number in seconds.
The serious adversary will use his multi-million host bot-net and do 1
of 2 things: prevent you from using your system or break into it... so
why bother?
> Sure, but he needs to use multiple hosts, as otherwise he will be
> detected. I've not yet seen a "distributed" dictionary attack (I mean:
> using N machines against a single target). I guess there are enough
> Windows targets that they leave us in peace for now ;-p
By the time you see it, it will have happened.
--
Milton Calnek BSc, A/Slt(Ret.)
milton at calnek.com
306-717-8737
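The thread turns on a detection distinction: a single host hammering sshd trips alarms quickly, whereas a dictionary attack spread over N hosts against one account would not. The script below is an added example, not code posted by anyone on this list, that runs both checks over sshd "Failed password" lines as they appear in /var/log/secure on CentOS. The log lines are constructed sample data, and the thresholds are assumed values a practitioner would tune to their own environment.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd lines in syslog format (not real log data).
# One source (203.0.113.5) fails three times; the root account is hit
# from four distinct sources, which is the "N machines against a single
# target" pattern discussed in the thread.
SAMPLE_LOG = """\
Feb  4 14:58:26 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Feb  4 14:58:27 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Feb  4 14:58:28 host sshd[1235]: Failed password for root from 203.0.113.5 port 51240 ssh2
Feb  4 14:58:29 host sshd[1236]: Failed password for root from 198.51.100.7 port 40001 ssh2
Feb  4 14:58:30 host sshd[1237]: Failed password for root from 198.51.100.8 port 40002 ssh2
Feb  4 14:58:31 host sshd[1238]: Failed password for root from 198.51.100.9 port 40003 ssh2
Feb  4 14:58:32 host sshd[1239]: Accepted publickey for milton from 192.0.2.10 port 40000 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_failures(log_text):
    """Return a list of (username, source_ip) tuples, one per failed login line."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append((m.group("user"), m.group("ip")))
    return failures


def failures_by_source(failures):
    """Count failed attempts per source IP."""
    return Counter(ip for _, ip in failures)


def noisy_sources(failures, threshold=3):
    """Single-host brute force: any source with at least `threshold` failures.

    This is the case the thread describes as easy to catch: one host trips
    the alarm before it has found much of anything.
    """
    counts = failures_by_source(failures)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def distributed_targets(failures, min_hosts=3):
    """Distributed dictionary attack: one account tried from >= `min_hosts` IPs.

    Per-source counting misses this pattern, since each host may stay under
    the single-host threshold; grouping by targeted username catches it.
    """
    sources_per_user = defaultdict(set)
    for user, ip in failures:
        sources_per_user[user].add(ip)
    return sorted(user for user, ips in sources_per_user.items() if len(ips) >= min_hosts)


if __name__ == "__main__":
    found = parse_failures(SAMPLE_LOG)
    print("failed attempts per source:", dict(failures_by_source(found)))
    print("noisy single sources:", noisy_sources(found))
    print("accounts under distributed attack:", distributed_targets(found))
```

On a live CentOS box the same functions can be fed the output of `grep 'Failed password' /var/log/secure`. The per-source count is what a port change, as described above, drives to zero for opportunistic scanners; the per-username view is the one that still matters once an adversary spreads the attempts across many hosts.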