Date:      Mon, 5 Oct 2009 23:28:37 +0200
From:      Erik Cederstrand <erik@cederstrand.dk>
To:        Andrew Kuriger <a.kuriger@liquidphlux.com>
Cc:        freebsd-security@freebsd.org, m@micheas.net
Subject:   Re: openssh concerns
Message-ID:  <EDEB3D47-2E83-40D3-838B-F066C0183EA2@cederstrand.dk>
In-Reply-To: <d475c13f001363965f8663b073afbfcb@mail.liquidphlux.com>
References:  <7f1779bf9fa52b6cbf7a8384883232a6@yyc.orthanc.ca> <1254772966.30618.1405.camel@vcampaign> <d475c13f001363965f8663b073afbfcb@mail.liquidphlux.com>



On 05/10/2009 at 22.55, Andrew Kuriger wrote:

> I agree it's not a bad thing to have sshd running on a non-standard port,
> but just wait until the bot herder with 10,000 bots under his control finds
> out what port you're running it under...

It's like spam filtering: at the time this actually becomes a problem,  
we change tactics. It's not about finding the perfect solution, it's  
about having a manageable log. My log is being spammed, and changing  
the port solves that. "botnet-12-34-56-78.couldntcareless.mx tried to  
log into your nonexistent oracle account" is not a very interesting  
log message. Someone bruteforcing a valid non-trivial account name on  
a non-standard port is, even though they will never succeed.

> If you're receiving 40,000 false logins a day, you're either targeted, or
> extremely popular and probably shouldn't be running sshd that is accessible
> via the internet anyways, aside from port knocking/VPN.

6 normal, very boring colo-servers here. 40.000 login attempts a day  
per server on port 22 sounds about right - that's still almost nothing  
translated to bandwidth. I use only key-based auth and the bots were  
still trying, so I'm pretty sure it's just someone trying to  
bruteforce every IP under the sun looking for low-hanging fruit. I  
still need ssh access for normal admin work so disabling ssh is not an  
option.

Erik



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?EDEB3D47-2E83-40D3-838B-F066C0183EA2>
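
The distinction drawn in the message above, between log spam from attempts on nonexistent accounts and failures against a real account name, shown as an added Python example that is not part of the original message. It assumes OpenSSH's "Invalid user ... from ..." and "Failed password/publickey for ... from ..." log lines; `triage`, `valid_users` and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# The user name in "Invalid user" lines is supplied by the remote client and may
# contain spaces or fake log text, so match it greedily up to the LAST " from ".
INVALID = re.compile(r"sshd\[\d+\]: Invalid user (.*) from (\S+)(?: port \d+)?$")
# Failures for accounts sshd considers valid (no "invalid user" marker).
FAILED = re.compile(
    r"sshd\[\d+\]: Failed (password|publickey) for (?!invalid user )(\S+)"
    r" from (\S+) port \d+"
)

def triage(lines, valid_users):
    """Split failed logins into noise (unknown accounts, counted per source)
    and events worth reading (failures against accounts that exist)."""
    noise = Counter()   # source IP -> attempts on nonexistent accounts
    interesting = []    # (user, source IP, method) for real accounts
    for line in lines:
        # Check "Invalid user" first so a crafted user name that embeds a
        # fake "Failed password for root ..." string is still counted as noise.
        m = INVALID.search(line)
        if m:
            noise[m.group(2)] += 1
            continue
        m = FAILED.search(line)
        if m:
            method, user, src = m.groups()
            if user in valid_users:
                interesting.append((user, src, method))
            else:
                noise[src] += 1
    return noise, interesting

# Constructed sample lines (documentation IP ranges), not taken from a real log.
SAMPLE = [
    "Oct  5 22:01:10 colo1 sshd[4101]: Invalid user oracle from 203.0.113.78",
    "Oct  5 22:01:12 colo1 sshd[4103]: Invalid user test from 203.0.113.78",
    "Oct  5 22:03:40 colo1 sshd[4110]: Failed password for root from 198.51.100.9 port 51515 ssh2",
    "Oct  5 22:04:02 colo1 sshd[4112]: Invalid user x from 192.0.2.1 port 22 from 203.0.113.80",
    "Oct  5 22:05:00 colo1 sshd[4120]: Accepted publickey for erik from 192.0.2.44 port 50022 ssh2",
]

if __name__ == "__main__":
    noise, interesting = triage(SAMPLE, valid_users={"root", "erik"})
    print("noise per source:", dict(noise))
    print("worth reading:", interesting)
```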