brent timothy saner on 8 Jun 2012 09:16:38 -0700


Re: [PLUG] SSH brute force attacks using PlcmSpIp


On 06/08/12 10:16, Sam Gleske wrote:
> Also running on a non-standard port doesn't prevent you from
> receiving attacks.  If you run telnet, telnet
> <> 22
> and set the port 22 to your non-standard port you'll still see the
> SSH banner.  My ssh banner says SSH-2.0-OpenSSH_4.3.  It's not
> difficult to hook and parse the banner for SSH servers.

i'd have to +1 fail2ban.

obfuscation, while it may slow things down for the attacker (since
they'd have to do a port sweep, but honestly- nmap -p- -T [sneaky or
paranoid] <target> will still find the open TCP ports. it's then a
matter of passing those ports to an nmap -p[port numbers open] -A
[host] to find what port(s) SSH is actually listening on) should never
be the only method of security.

here's what i'd do, for those worried about this.

1. implement fail2ban (i like it because it's easily configurable for
a multitude of other services) or some other bruteforce-detection
daemon (like apf+bfd).

2. run ssh on a different port (ideally, within the ephemeral port
range, >1024)

3. implement port-knocking on that port.

(then you'll want to do other things like in sshd_config,
PermitRootLogin without-password
#or if you have sudo set up, set to no
turn off password authentication and make everything pubkey-only, and
only allow specific users or users in a specific group to have ssh
access- man 5 sshd_config for more info on that)

between all those, that's a pretty nice, solid sshd configuration.

Philadelphia Linux Users Group
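Worked example, added here and not taken from the thread or written by any of its posters: a small Python audit that reads an sshd_config and flags settings that contradict the hardening steps listed in the post (port above 1024, root login restricted, password authentication off, pubkey on, an explicit AllowUsers/AllowGroups). The two config samples are constructed for the demonstration, and the defaults assumed for absent keywords are those of older OpenSSH releases such as the OpenSSH_4.3 in the quoted banner; newer releases default PermitRootLogin to prohibit-password.

```python
"""Audit an sshd_config against the hardening advice in the thread above.

Added example, not code from the PLUG thread or its posters.  It parses
sshd_config text the way sshd reads it (keyword, then value, separated by
whitespace or '='; comments after '#'; first occurrence of a keyword wins)
and reports settings that contradict the post's recommendations.
"""
import re

# Assumed defaults for keywords that are absent.  These are the defaults of
# older OpenSSH releases (the quoted banner is OpenSSH_4.3); newer releases
# default PermitRootLogin to prohibit-password, so adjust if auditing those.
ASSUMED_DEFAULTS = {
    "port": "22",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# Constructed sample: a stock-looking config with the weak settings left in.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: the configuration the post recommends.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin without-password   # or 'no' once sudo is set up
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups sshusers
Match Group sshusers
    X11Forwarding no
"""


def parse_sshd_config(text):
    """Return {keyword_lowercase: value} for the global section of sshd_config.

    Directives after the first 'Match' line are conditional, so parsing stops
    there.  Repeated keywords keep their first value, as sshd does for
    single-valued keywords.  (Port may legitimately repeat; this simplified
    audit looks only at the first one.)
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue                          # keyword with no value: ignore
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of (keyword, finding) pairs; an empty list means the
    config satisfies every check derived from the post."""
    cfg = dict(ASSUMED_DEFAULTS)
    cfg.update(parse_sshd_config(text))
    findings = []

    port = int(cfg["port"])
    if port <= 1024:
        findings.append(("Port", f"listening on port {port}; the post suggests a port above 1024"))

    root = cfg["permitrootlogin"].lower()
    if root not in ("no", "without-password", "prohibit-password"):
        findings.append(("PermitRootLogin", f"'{root}' lets root log in with a password"))

    if cfg["passwordauthentication"].lower() != "no":
        findings.append(("PasswordAuthentication", "password logins enabled; set to no and use keys"))

    if cfg["pubkeyauthentication"].lower() != "yes":
        findings.append(("PubkeyAuthentication", "public-key authentication disabled"))

    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append(("AllowUsers/AllowGroups", "no restriction on which accounts may use ssh"))

    return findings


def report(name, text):
    """Print the findings for one config in a compact form."""
    findings = audit_sshd_config(text)
    print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
    for keyword, msg in findings:
        print(f"  {keyword}: {msg}")


if __name__ == "__main__":
    report("weak", WEAK_CONFIG)
    report("hardened", HARDENED_CONFIG)
```

Run it against your own file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; an empty list means every item from the post is in place. Port knocking and fail2ban are not visible in sshd_config, so they are deliberately outside this check.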