Re: [PLUG] SSH brute force attacks using PlcmSpIp

JP Vossen on 9 Jun 2012 00:35:43 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] SSH brute force attacks using PlcmSpIp

From: JP Vossen <jp@jpsdomain.org>
To: plug@lists.phillylinux.org
Subject: Re: [PLUG] SSH brute force attacks using PlcmSpIp
Date: Sat, 09 Jun 2012 03:35:38 -0400
Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
Sender: plug-bounces@lists.phillylinux.org
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20120430 Thunderbird/12.0.1

Date: Fri, 8 Jun 2012 10:13:21 -0400
From: Sam Gleske<sam.mxracer@gmail.com>

Why not just blacklist 50.115.0.0/16 and be done with it?  Is there ever an
occasion where you think you need to be on Virpus Networks to access your
computer?  If not then ban them into oblivion.


I did, but I did the 2 class C's.  If I hear from them again...

Also running on a non-standard port doesn't prevent you from receiving
attacks.  If you run telnet,
	telnet somehost.somenetwork.com 22
and set the port 22 to your non-standard port you'll still see the SSH
banner.  My ssh banner says SSH-2.0-OpenSSH_4.3.  It's not difficult to
hook and parse the banner for SSH servers.

Of course. The non-standard port is to cut down on log noise and makethem work a bit harder. But it's also a bit more proof of maliciousintent. One could argue that a mistaken user or script is trying to login to the "wrong server" on the well-known port. But valid SSH attemptsagainst my high port is something else again.

Also, FWIW sometimes people tell you to change or obscure your banner,but the general consensus last time I check that for SSH was, that is aBad Idea. IIRC OpenSSH didn't even allow that (without a recompile)until very recently.

All the other advice on tools is good, too. Now all I need is sometime... :-)

In particular, Fred's mention of 'logwatch' and 'tripwire' wereinteresting. The reason I know about these events is 'logcheck' which Iprefer over 'logwatch'. And I prefer 'fcheck' over 'tripwiare' becauseTW is more of a pain to configure, while 'fcheck is pretty close tofire-n-forget. I've discussed those before in this list and in my PLUGpreso: http://www.jpsdomain.org/public/2010_Cool_Ubuntu_Apps.pdf.



And Fred, you might find the 'ssh-copy-id' command interesting. :-)

Later,
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|      http://bashcookbook.com/
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

Follow-Ups:
- Re: [PLUG] SSH brute force attacks using PlcmSpIp
  - From: Fred Stluka <fred@bristle.com>

Prev by Date: Re: [PLUG] Schedules Direct "lineup warning"
Next by Date: Re: [PLUG] I need a book recommendation
Previous by thread: Re: [PLUG] SSH brute force attacks using PlcmSpIp
Next by thread: Re: [PLUG] SSH brute force attacks using PlcmSpIp
Index(es):
- Date
- Thread