JP Vossen on 9 Jun 2012 00:35:43 -0700


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] SSH brute force attacks using PlcmSpIp


Date: Fri, 8 Jun 2012 10:13:21 -0400
From: Sam Gleske<sam.mxracer@gmail.com>

Why not just blacklist 50.115.0.0/16 and be done with it?  Is there ever an
occasion where you think you need to be on Virpus Networks to access your
computer?  If not then ban them into oblivion.

I did, but I did the 2 class C's.  If I hear from them again...


Also running on a non-standard port doesn't prevent you from receiving
attacks.  If you run telnet,
	telnet somehost.somenetwork.com 22
and set the port 22 to your non-standard port you'll still see the SSH
banner.  My ssh banner says SSH-2.0-OpenSSH_4.3.  It's not difficult to
hook and parse the banner for SSH servers.

Of course. The non-standard port is to cut down on log noise and make them work a bit harder. But it's also a bit more proof of malicious intent. One could argue that a mistaken user or script is trying to log in to the "wrong server" on the well-known port. But valid SSH attempts against my high port is something else again.

Also, FWIW sometimes people tell you to change or obscure your banner, but the general consensus last time I check that for SSH was, that is a Bad Idea. IIRC OpenSSH didn't even allow that (without a recompile) until very recently.

All the other advice on tools is good, too. Now all I need is some time... :-)

In particular, Fred's mention of 'logwatch' and 'tripwire' were interesting. The reason I know about these events is 'logcheck' which I prefer over 'logwatch'. And I prefer 'fcheck' over 'tripwiare' because TW is more of a pain to configure, while 'fcheck is pretty close to fire-n-forget. I've discussed those before in this list and in my PLUG preso: http://www.jpsdomain.org/public/2010_Cool_Ubuntu_Apps.pdf.


And Fred, you might find the 'ssh-copy-id' command interesting. :-)

Later,
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|      http://bashcookbook.com/
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug