From owner-freebsd-questions@freebsd.org Wed Mar 7 16:43:53 2018
From: Duane Whitty <duane@nofroth.com>
To: freebsd-questions@freebsd.org
Cc: duane@nofroth.com
Subject: Re: Increased abuse activity on my server
Date: Wed, 7 Mar 2018 12:43:49 -0400
References: <20180307071944.GA30971@ymer.bara1.se> <20180307103136.25881537.ole@free.de>

On 18-03-07 12:17 PM, Valeri Galtsev wrote:
>
>
> On 03/07/18 08:20, William Dudley wrote:
>> This may sound stupid and obvious, but I moved my ssh port to a high
>> "random" port number, and that completely stopped the random attempts
>> to ssh in. I know that "security by obscurity" "doesn't work", but it
>> did!
>
> No it doesn't. One mostly fools oneself by seeing less symptoms, whereas
> illness is still as bad as it was (if it was there that is). Sorry, it
> looks like I'm in contradictive mood, still bear with me.
>

Are the symptoms not diagnostic of the illness in this case, or are you saying that there may be ssh login attempts that aren't being logged after being moved to a randomly selected port over 1024? That would seem unusual.

Regarding ports over 1024, I agree it's true non-root users can open them, but I'm not sure what that is going to get an attacker. How does sshd listening on port 15391 etc. make it more vulnerable than listening on port 22? Can you provide an example of an exploit?

Also, I don't recall the OP mentioning anything about having many users ssh'ing in. Perhaps the OP is the only user that logs in for administrative purposes. Also, perhaps he already doesn't allow root logins from the Internet; he hasn't said and we haven't asked.

Does moving sshd to a high port number make you all that more secure? No, not really, but it does avoid a lot of log activity and makes seeing real attacks easier. Combine that with sensible host and firewall policies and a large majority of attackers just aren't going to bother, because it will be so much easier for them to attack someone else and have a higher probability of attack.

You do make some good points though that administrators should consider when implementing systems security.

Best Regards,
Duane

--
Duane Whitty
duane@nofroth.com
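To make the log-noise point in the thread concrete, here is an added example (not from the thread or from FreeBSD) that summarises FreeBSD-style sshd auth.log lines by source address and user, separates password failures from accepted logins, and counts password attempts against root. The log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in FreeBSD /var/log/auth.log style; the addresses
# are documentation ranges, not real observations.
SAMPLE_AUTH_LOG = """\
Mar  7 08:01:12 host sshd[2311]: Invalid user admin from 203.0.113.10 port 51122
Mar  7 08:01:14 host sshd[2311]: Failed password for invalid user admin from 203.0.113.10 port 51122 ssh2
Mar  7 08:01:20 host sshd[2315]: Failed password for root from 203.0.113.10 port 51130 ssh2
Mar  7 08:02:03 host sshd[2320]: Failed password for root from 198.51.100.7 port 40010 ssh2
Mar  7 08:02:05 host sshd[2320]: Failed password for root from 198.51.100.7 port 40010 ssh2
Mar  7 08:05:44 host sshd[2330]: Accepted publickey for duane from 192.0.2.5 port 55001 ssh2: RSA SHA256:constructedfingerprint
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")


def summarize(log_text):
    """Per-source and per-user failure counts, password attempts against
    root, and the accepted logins as (method, user, source) tuples."""
    failed_by_source = Counter()
    failed_by_user = Counter()
    accepted = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failed_by_user[m.group(1)] += 1
            failed_by_source[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.append((m.group(1), m.group(2), m.group(3)))
    return {
        "failed_by_source": failed_by_source,
        "failed_by_user": failed_by_user,
        "root_attempts": failed_by_user["root"],  # Counter returns 0 if absent
        "accepted": accepted,
    }


def noisy_sources(summary, threshold=2):
    """Sources with at least `threshold` failures: the brute-force noise a
    port move hides and a host firewall policy could block outright."""
    return sorted(s for s, n in summary["failed_by_source"].items() if n >= threshold)
```

Run against a real auth.log, a persistent `root_attempts` count is the signal that `PermitRootLogin no` is worth confirming regardless of which port sshd listens on.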