Date:      Sun, 07 Mar 2010 23:48:43 +0100
From:      Erik Norgaard <norgaard@locolomo.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: Thousands of ssh probes
Message-ID:  <4B942D4B.6070407@locolomo.org>
In-Reply-To: <20100307204114.GK16274@mail2.dcoder.net>
References:  <20100305125446.GA14774@elwood.starfire.mn.org>	<4B91B36D.1020507@locolomo.org> <20100307204114.GK16274@mail2.dcoder.net>

On 07/03/10 21:41, dacoder wrote:

> has anybody suggested having sshd listen on a high port?

Any number will do; think about it:

a. The attacker doesn't really care which host is compromised; any will 
do, and better yet someone's home box, as it is more difficult to trace 
him. In that case he will scan large IP ranges for hosts listening on 
port 22.

b. The attacker wants to gain control of a particular server. In that 
case he will scan all ports to see what services are running and 
determine which services are running on each port. In that case running 
ssh on a non-standard port is futile.

However, I'm not really a fan of using non-standard ports for ssh; I 
don't believe it's the right solution to the problem: you have ssh 
access to the outside because people travel and need remote access. In 
that case they might find themselves under other security policies which 
block access to services deemed unnecessary. Running ssh on a 
non-standard port is likely to be blocked on the client network - unless 
you run on, say, port 80.

The more users you have, the more problems you will have running ssh on a 
non-standard port; the time you save checking your logs may easily be 
spent on end user support.

OP referred to a significant impact on bandwidth, which I find difficult to 
believe. If connections come from a single IP at a time, then you 
should tweak LoginGraceTime, MaxAuthTries, MaxSessions to reduce the 
number of concurrent unauthenticated connections and slow down brute 
force attacks.

Much better, restrict the client access to certain ranges of IPs. The 
different registries publish IP ranges assigned per country and you can 
create a list blocking countries you are certain not to visit; you can 
use my script:

    http://www.locolomo.org/pub/src/toolbox/inet.pl

BR, Erik

-- 
Erik Nørgaard
Ph: +34.666334818/+34.915211157                  http://www.locolomo.org
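As an added example that is not part of Erik's mail or his toolbox: a small Python audit of the sshd_config directives he names (LoginGraceTime, MaxAuthTries, MaxSessions), run over a constructed permissive config and its tightened counterpart. It goes slightly beyond the mail by also checking MaxStartups, the directive that caps concurrent unauthenticated connections, and whether an AllowUsers address pattern restricts the source ranges; the ceilings in CEILINGS are this example's own choices, not values from the mail.

```python
import re
import shlex

# Constructed sample: a permissive sshd_config with the stock defaults written out.
WEAK_CONFIG = """
Port 22
LoginGraceTime 2m
MaxAuthTries 6
MaxSessions 10
MaxStartups 10:30:100
"""

# Constructed sample: the same fragment after tightening the directives named in
# the mail, plus MaxStartups and an AllowUsers pattern limiting source addresses.
HARDENED_CONFIG = """
Port 22
LoginGraceTime 20
MaxAuthTries 3
MaxSessions 2
MaxStartups 3:50:10
AllowUsers *@192.0.2.0/24 *@198.51.100.7
"""

# Values sshd uses when a directive is absent, and the ceilings this audit accepts
# (the ceilings are this example's own choices).
DEFAULTS = {"logingracetime": "120", "maxauthtries": "6",
            "maxsessions": "10", "maxstartups": "10:30:100"}
CEILINGS = {"logingracetime": 30, "maxauthtries": 3,
            "maxsessions": 4, "maxstartups": 5}

def parse_time(value):
    """sshd time format: bare seconds or a number suffixed with s, m or h."""
    m = re.fullmatch(r"(\d+)([smh]?)", value)
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600}[m.group(2)]

def parse_config(text):
    """Map lowercased directive -> args; sshd honours the first occurrence only."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)
            conf.setdefault(parts[0].lower(), parts[1:])
    return conf

def audit(text):
    """Return directives whose effective value exceeds its ceiling (empty dict = clean)."""
    conf = parse_config(text)

    def get(key):
        return conf.get(key, [DEFAULTS[key]])[0]

    effective = {
        "logingracetime": parse_time(get("logingracetime")),
        "maxauthtries": int(get("maxauthtries")),
        "maxsessions": int(get("maxsessions")),
        "maxstartups": int(get("maxstartups").split(":")[0]),  # "start" field
    }
    findings = {k: v for k, v in effective.items() if v > CEILINGS[k]}
    if "allowusers" not in conf:
        findings["allowusers"] = "unset"  # any source address may attempt a login
    return findings
```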


