From owner-freebsd-questions@freebsd.org Wed Mar 7 17:12:36 2018
Subject: Re: Increased abuse activity on my server
To: Duane Whitty, freebsd-questions@freebsd.org
References: <20180307071944.GA30971@ymer.bara1.se> <20180307103136.25881537.ole@free.de>
From: Valeri Galtsev
Message-ID: <2a1e844e-e2ba-5b43-9dd7-cd69915e12b4@kicp.uchicago.edu>
Date: Wed, 7 Mar 2018 11:12:34 -0600
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
List-Id: User questions

On 03/07/18 10:43, Duane Whitty wrote:
> On 18-03-07 12:17 PM, Valeri Galtsev wrote:
>>
>> On 03/07/18 08:20, William Dudley wrote:
>>> This may sound stupid and obvious, but I moved my ssh port to a high
>>> "random" port number, and that completely stopped the random attempts
>>> to ssh in. I know that "security by obscurity" "doesn't work", but it
>>> did!
>>
>> No it doesn't. One mostly fools oneself by seeing fewer symptoms,
>> whereas the illness is still as bad as it was (if it was there, that
>> is). Sorry, it looks like I'm in a contradictive mood, still bear with
>> me.
>>
>
> Are the symptoms not diagnostic of the illness in this case, or are you
> saying that there may be ssh login attempts that aren't being logged
> after being moved to a randomly selected port over 1024? That would
> seem unusual.
>
> Regarding ports over 1024, I agree it's true non-root users can open
> them, but I'm not sure what that is going to get an attacker. How does
> sshd listening on port 15391 etc. make it more vulnerable than listening
> on port 22? Can you provide an example of an exploit?

I normally don't like to answer things when my original point that is
being discussed is edited away. I still will just reiterate here that if
you don't see any bad in using a port above 1024, then it will take me
writing a book and having you read that, which is impractical. We'll see
if someone chimes in. And by no means did I intend to state that some bad
practice on its own creates "an exploit". Still, sysadmins stick to good
practices; you should be able to tell yourself why.

>
> Also, I don't recall the OP mentioning anything about having many users
> ssh'ing in. Perhaps the OP is the only user that logs in for
> administrative purposes.
>
> Also, perhaps he already doesn't allow root logins from the Internet; he
> hasn't said and we haven't asked.
>
> Does moving sshd to a high port number make you all that more secure?
> No, not really, but it does avoid a lot of log activity and makes seeing
> real attacks easier. Combine that with sensible host and firewall
> policies and a large majority of attackers just aren't going to bother,
> because it will be so much easier for them to attack someone else and
> have a higher probability of attack.
>
> You do make some good points though that administrators should consider
> when implementing systems security.
>

Thank you. I am just repeating what I learned, and a lot of it comes from
clever people on lists like this one. They are to be credited, not I ;-)

Valeri

>
> Best Regards,
> Duane
>

--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
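One practical way to act on the point Duane raises above (less noise in the log makes the real attempts easier to see) is to summarize sshd's auth.log entries by source address and by target account, and to flag a success that follows failures from the same address. The script below is an added example for this thread, not code posted by any of its participants; the log lines are constructed in the syslog-style format sshd writes to /var/log/auth.log on FreeBSD, using documentation-range addresses and made-up user names, and the threshold of three failures is an arbitrary choice.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original poster's server).
SAMPLE_LOG = """\
Mar  7 10:01:12 ymer sshd[30971]: Failed password for invalid user admin from 203.0.113.5 port 41822 ssh2
Mar  7 10:01:15 ymer sshd[30973]: Failed password for invalid user oracle from 203.0.113.5 port 41830 ssh2
Mar  7 10:01:19 ymer sshd[30975]: Failed password for root from 203.0.113.5 port 41841 ssh2
Mar  7 10:02:03 ymer sshd[30980]: Failed password for invalid user test from 198.51.100.9 port 55022 ssh2
Mar  7 10:05:44 ymer sshd[30992]: Accepted publickey for duane from 192.0.2.10 port 50114 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Mar  7 10:06:01 ymer sshd[30995]: Failed password for duane from 192.0.2.10 port 50120 ssh2
Mar  7 10:06:05 ymer sshd[30995]: Accepted password for duane from 192.0.2.10 port 50120 ssh2
"""

# "invalid user" marks a guess at an account that does not exist locally;
# without it the attempt was against a real account.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+ ssh2"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def summarize(log_text, threshold=3):
    """Tally sshd failures and successes; return plain dicts/lists for easy checking."""
    failed_by_ip = Counter()       # all failures per source address
    invalid_users = Counter()      # guessed names that do not exist here
    real_user_fail = Counter()     # (user, ip) failures against real accounts
    accepted = []                  # (user, ip, method) in log order
    suspicious_logins = []         # a success after failures from the same address

    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed_by_ip[m["ip"]] += 1
            if m["invalid"]:
                invalid_users[m["user"]] += 1
            else:
                real_user_fail[(m["user"], m["ip"])] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            entry = (m["user"], m["ip"], m["method"])
            accepted.append(entry)
            # Order matters: only failures seen *before* this success count.
            if failed_by_ip[m["ip"]] > 0:
                suspicious_logins.append(entry)

    return {
        "failed_by_ip": dict(failed_by_ip),
        # Sources at or above the threshold are the ones worth blocking or rate-limiting.
        "noisy": {ip: n for ip, n in failed_by_ip.items() if n >= threshold},
        "invalid_users": dict(invalid_users),
        "root_attempts": sum(n for (u, _ip), n in real_user_fail.items() if u == "root"),
        "accepted": accepted,
        "suspicious_logins": suspicious_logins,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("failures per source:", report["failed_by_ip"])
    print("noisy sources:", report["noisy"])
    print("guessed (non-existent) users:", report["invalid_users"])
    print("password attempts against root:", report["root_attempts"])
    print("successes following failures:", report["suspicious_logins"])
```

Run it against the real file with `summarize(open("/var/log/auth.log").read())`. The "invalid user" lines are the bulk of what a port change makes disappear; the last category, a successful password login from an address that had just been failing, is the one an administrator wants to see regardless of which port sshd listens on, and with PermitRootLogin disabled the root_attempts counter should only ever record failures.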