JP Vossen on 10 Dec 2008 12:58:21 -0800


Re: [PLUG] Brute force SSH attack confounds defenders


> Date: Wed, 10 Dec 2008 13:29:59 -0500
> From: bergman@merctech.com
> 
> In the message dated: Wed, 10 Dec 2008 13:18:41 EST,
> The pithy ruminations from "Douglas Muth" on 
> <Re: [PLUG] Brute force SSH attack confounds defenders> were:
> => On Wed, Dec 10, 2008 at 12:00 AM, John Von Essen <john@essenz.com> wrote:
> => >
> => > But... if we all leave SSH open with strong passwords, the brute force
> => > bots will have a ton of hosts to waste their time on, and eventually brute
> => > force ssh will become boring and a waste of cpu time.
> => 
> => Why not do the following:
> => 1) Move "real" SSH service to another port
> 
> Philosophically, I hate that answer. It's really just security by obscurity. 
> Without adding in things like port knocking[1], it still means you're 
> vulnerable to port scanning. For the purpose of building a honeypot[2] I can 
> sort of understand it. In a production environment, with any significant user 
> base, it doesn't scale.

"Security by obscurity" is only bad when you rely on it and only it.  As 
an additional layer in a defense-in-depth [1] it's perfectly acceptable. 
  I move SSH on my servers simply to avoid all the logging generated by 
ankle-biters.  Sure a for-real port-scan will turn it up, but I make the 
port high enough that only a full 65K scan (or a smart selective scan) 
will turn it up.  The goal isn't to be "secure" which is impossible 
anyway.  The goal is to "outrun the people you're with" to avoid the 
bear (ankle-biters).  A smart or determined attacker specifically going 
after you will find it, the 99.99% of stupid brute-force bot-net scans 
won't.  That's a win for me.

OTOH, unless you choose some other well-known port (and thus defeat at 
least part of the purpose), you may get blocked by strong egress firewall 
rules.  It still surprises me how few people have implemented strong 
egress filters, because they are so useful in all of this Internet 
security mess.  But they are a pain to set up and maintain, so I get it. 
  And you have a user training issue too.


[1] good passwords, certs, port-knocking, TCP-wrapper, etc.

Later,
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|        jp{at}jpsdomain{dot}org
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug