From owner-freebsd-security@FreeBSD.ORG Mon Oct 5 20:56:28 2009
Date: Mon, 05 Oct 2009 15:55:33 -0500
From: Andrew Kuriger <a.kuriger@liquidphlux.com>
Cc: freebsd-security@freebsd.org
Subject: Re: openssh concerns
In-Reply-To: <1254772966.30618.1405.camel@vcampaign>
References: <7f1779bf9fa52b6cbf7a8384883232a6@yyc.orthanc.ca> <1254772966.30618.1405.camel@vcampaign>
List-Id: "Security issues [members-only posting]"

On Mon, 05 Oct 2009 13:02:46 -0700, Micheas Herman wrote:
> On Mon, 2009-10-05 at 12:46 -0600, Lyndon Nerenberg - VE6BBM/VE7TFX wrote:
>> > Granted, if somebody is not specifically targeting you and is just scanning
>> > ranges to find sshd on 22 they will pass you right up since that port will
>> > be closed.
>>
>> The port change was intended only to avoid the port scanners.
>
> And when you get notices in your logs, you can respond, as you
> know you are being targeted and can take appropriate responses.
>
> The biggest reason I can see for running ssh on a non-standard
> port is increasing the signal to noise ratio in the logs.
>
> If you can investigate every failed ssh login, you should be
> safer than if you ignore 40,000 failed logins a day.
>
> Just my experience, but of course being able to effortlessly
> investigate 40,000 failed logins would probably be a better
> situation.

I agree it's not a bad thing to have sshd running on a non-standard port, but just wait until the bot herder with 10,000 bots under his control finds out what port you're running it under...

If you're receiving 40,000 false logins a day, you're either targeted, or extremely popular, and probably shouldn't be running sshd that is accessible via the internet anyway, aside from port knocking/VPN.

I don't know about you, but when I have been attacked it's not 100 connections from the same IP, it's thousands randomly throughout the world. It does however eliminate the background script kiddie noise and sshd scanners, but once you're found out/targeted it's all in the air anyway.

-Andrew

--
() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments
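The thread's distinction between a single scanner hammering one host and a distributed botnet spread over thousands of addresses is something you can check directly in the sshd log. The following is an added example, not code from the thread or from OpenSSH; the log lines are constructed, and the `single_source_share` threshold is an assumed heuristic, not a standard.

```python
import re

# Constructed sample sshd log lines (not taken from the mailing-list thread).
SAMPLE_LOG = """\
Oct  5 15:01:02 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Oct  5 15:01:05 host sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Oct  5 15:01:09 host sshd[1205]: Failed password for root from 198.51.100.7 port 51041 ssh2
Oct  5 15:02:11 host sshd[1210]: Failed password for root from 203.0.113.4 port 40011 ssh2
Oct  5 15:02:15 host sshd[1212]: Failed password for invalid user test from 192.0.2.99 port 33221 ssh2
Oct  5 15:02:20 host sshd[1214]: Failed password for invalid user oracle from 203.0.113.77 port 33900 ssh2
Oct  5 15:03:01 host sshd[1220]: Accepted publickey for andrew from 192.0.2.10 port 50100 ssh2
"""

# Matches the OpenSSH "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def failed_logins_by_source(log_text):
    """Return {source_ip: number_of_failed_password_attempts} for the log text."""
    counts = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            ip = m.group("ip")
            counts[ip] = counts.get(ip, 0) + 1
    return counts


def classify(counts, single_source_share=0.5, min_total=1):
    """Label the failure pattern from a per-source count dict.

    'quiet'         : fewer than min_total failures, nothing to investigate
    'single-source' : one address produced >= single_source_share of failures
                      (the classic scanner / single brute-forcer)
    'distributed'   : many addresses with few tries each (the botnet pattern
                      the thread describes, where blocking one IP achieves little)
    The 0.5 share threshold is an assumed heuristic; tune it to your own baseline.
    """
    total = sum(counts.values())
    if total < min_total:
        return "quiet"
    top_share = max(counts.values()) / total
    return "single-source" if top_share >= single_source_share else "distributed"
```

Run it over a day's auth log rather than the sample and the output tells you whether a per-IP block list is worth anything or whether, as Andrew argues, the exposure itself needs to change.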