[CentOS] Re: Ideas for stopping ssh brute force attacks

Scott Silva ssilva at sgvwater.com
Tue Jul 22 23:26:08 UTC 2008

on 7-22-2008 2:45 PM Les Bell spake the following:
> "David Dyer-Bennet" <dd-b at dd-b.net> wrote:
> Yes, but if there are *any* ports exposed, seems like those are equally
> possible.
> <<
> Sort of. Changing the port used by sshd stops the completely clueless
> script kiddies, since they don't even bother looking at anything other than
> port 22. Putting it way up high, among the ephemeral ports, will slow down
> the slightly more clueful who perform nmap scans, since nmap only scans
> around 1500 ports by default, and if sshd isn't running on one of those,
> they won't spot it.
> However, it won't deter the intelligent or curious attacker; these guys
> will scan all ports (slowly, so you may not even notice them) and they will
> use banner enumeration to identify the services, rather than assuming.
> Moving sshd to a non-standard port is one of the worst examples of relying
> on security by obscurity. Its only advantage is that it cuts out some noise
> in the logs, but proper precautions do that as well, without lulling you
> into a false sense of security. Rate limiting, combined with enforcement of
> really strong passwords, or even better, public/private key authentication,
> is real security.
> A useful additional layer of defence, if you want it, is a daemon that will
> watch for port scans on the simple services ports and immediately insert a
> firewall rule to block that source - such as the old PortSentry, if you can
> find it, or some more modern equivalent. Of course, this won't do much to
> defend against some types of stealthy scans, such as idle time scans.
PortSentry is still available on SourceForge, I believe. But who knows if it
will still work or even compile. It was written back in the 2.2 kernel days.

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
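
The rate limiting recommended in the quoted text, sketched as log-driven detection: count failed sshd password attempts per source in a sliding window and render a block rule for sources over the limit. This is an added example, not code from the thread or from PortSentry; the log lines are constructed, and the function names, the 3-failures-per-60-seconds threshold and the year parameter are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the syslog format sshd writes (documentation-range addresses).
SAMPLE_LOG = """\
Jul 22 14:40:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jul 22 14:40:03 host sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40115 ssh2
Jul 22 14:40:05 host sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 40119 ssh2
Jul 22 14:40:09 host sshd[2107]: Failed password for root from 203.0.113.7 port 40123 ssh2
Jul 22 14:41:00 host sshd[2110]: Failed password for scott from 198.51.100.20 port 51000 ssh2
Jul 22 14:49:30 host sshd[2140]: Failed password for scott from 198.51.100.20 port 51044 ssh2
Jul 22 14:49:41 host sshd[2142]: Accepted publickey for scott from 198.51.100.20 port 51050 ssh2
"""

# User name is remote-supplied: match greedily, anchored at the end of the line.
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for .* from (\S+) port \d+ ssh2$")

def offenders(log_text, max_failures=3, window=timedelta(seconds=60), year=2008):
    """Map each source that exceeds max_failures within window to the time it did so."""
    recent = defaultdict(deque)      # per-source failure times still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        try:
            src = str(ipaddress.ip_address(m.group(2)))   # never pass unvalidated text on
        except ValueError:
            continue
        # syslog timestamps carry no year; the caller supplies one (assumption).
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        times = recent[src]
        times.append(when)
        while when - times[0] > window:
            times.popleft()
        if len(times) > max_failures:
            flagged.setdefault(src, when)
    return flagged

def block_rules(flagged, port=22):
    """Render (not run) one iptables DROP rule per flagged source."""
    return [f"iptables -I INPUT -s {src} -p tcp --dport {port} -j DROP"
            for src in sorted(flagged)]

if __name__ == "__main__":
    print("\n".join(block_rules(offenders(SAMPLE_LOG))))
```

The second source in the sample fails twice, minutes apart, and then logs in with a key, so it stays under the limit and is not flagged.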
