brent timothy saner on 8 Jun 2012 09:16:38 -0700
Re: [PLUG] SSH brute force attacks using PlcmSpIp

On 06/08/12 10:16, Sam Gleske wrote:
> Also running on a non-standard port doesn't prevent you from
> receiving attacks. If you run telnet, telnet
> somehost.somenetwork.com <http://somehost.somenetwork.com> 22
>
> and set the port 22 to your non-standard port you'll still see the
> SSH banner. My ssh banner says SSH-2.0-OpenSSH_4.3. It's not
> difficult to hook and parse the banner for SSH servers.

i'd have to +1 fail2ban. obfuscation, while it may slow things down for the attacker (since they'd have to do a port sweep, but honestly- nmap -p- -T [sneaky or paranoid] <target> will still find the open TCP ports. it's then a matter of passing those ports to an nmap -p[port numbers open] -A [host] to find what port(s) SSH is actually listening on) should never be the only method of security.

here's what i'd do, for those worried about this.

1. implement fail2ban (i like it because it's easily configurable for a multitude of other services) or some other bruteforce-detection daemon (like apf+bfd).
2. run ssh on a different port (ideally, within the ethereal port range- >1024)
3. implement port-knocking on that port.

(then you'll want to do other things like in sshd_config,
PermitRootLogin without-password #or if you have sudo set up, set to no
turn off password authentication and make everything pubkey-only, and only allow specific users or users in a specific group to have ssh access- man 5 sshd_config for more info on that)

between all those, that's a pretty nice, solid sshd configuration.
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
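
The sshd_config settings recommended in the message above, expressed as a check (an added example, not part of the original post): this Python script audits the global section of an sshd_config for the port, root login, password/pubkey and allow-list settings. The sample configs, port 2222 and the group name `sshusers` are constructed, and the defaults used for absent keywords are an assumption matching OpenSSH of the post's era.

```python
import re

# Assumption: values sshd falls back to when a keyword is absent (2012-era OpenSSH).
DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes",
            "pubkeyauthentication": "yes"}

def parse_global(text):
    """Map lower-cased keyword -> list of values, up to the first Match block."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()                              # keywords are case-insensitive
        if key == "match":
            break                                           # conditional blocks not audited
        if len(parts) == 2:
            opts.setdefault(key, []).append(parts[1])
    return opts

def audit(text):
    """Return findings for the settings the message recommends; [] means all met."""
    opts = parse_global(text)
    def first(key):  # sshd uses the first value it obtains for a keyword
        return opts.get(key, [DEFAULTS[key]])[0].lower()
    findings = []
    if "22" in opts.get("port", ["22"]):
        findings.append("Port: sshd still listens on 22")
    if first("permitrootlogin") not in ("no", "without-password",
                                        "prohibit-password", "forced-commands-only"):
        findings.append("PermitRootLogin: root can log in with a password")
    if first("passwordauthentication") != "no":
        findings.append("PasswordAuthentication: password logins enabled")
    if first("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication: key logins disabled")
    if not (opts.get("allowusers") or opts.get("allowgroups")):
        findings.append("AllowUsers/AllowGroups: no allow-list of accounts")
    return findings

# Constructed sample configs (not taken from any real host).
WEAK = "Port 22\nPermitRootLogin yes\n"
HARDENED = """Port 2222
PermitRootLogin without-password
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups sshusers
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "meets the checklist")
```

On a live host, `sshd -T` prints the effective configuration with defaults resolved, which is a better input for this kind of check than the raw file.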