From owner-freebsd-security@FreeBSD.ORG Mon Oct 5 21:47:42 2009
From: Erik Cederstrand
To: Andrew Kuriger
Cc: freebsd-security@freebsd.org, m@micheas.net
Subject: Re: openssh concerns
Date: Mon, 5 Oct 2009 23:28:37 +0200

On 05/10/2009 at 22.55, Andrew Kuriger wrote:

> I agree it's not a bad thing to have sshd running on a non-standard
> port, but just wait until the bot herder with 10,000 bots under his
> control finds out what port you're running it under...

It's like spam filtering: at the time this actually becomes a problem, we change tactics.

It's not about finding the perfect solution, it's about having a manageable log. My log is being spammed, and changing the port solves that. "botnet-12-34-56-78.couldntcareless.mx tried to log into your nonexistent oracle account" is not a very interesting log message. Someone bruteforcing a valid non-trivial account name on a non-standard port is, even though they will never succeed.

> If you're receiving 40,000 false logins a day, you're either targeted, or
> extremely popular and probably shouldn't be running sshd that is accessible
> via the internet anyways, aside from port knocking/VPN.

6 normal, very boring colo-servers here. 40,000 login attempts a day per server on port 22 sounds about right - that's still almost nothing translated to bandwidth. I use only key-based auth and the bots were still trying, so I'm pretty sure it's just someone trying to bruteforce every IP under the sun looking for low-hanging fruit. I still need ssh access for normal admin work so disabling ssh is not an option.

Erik
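The distinction Erik draws above, between noise against nonexistent accounts and attempts against real ones, can be made mechanically from sshd's auth log. This is an added example, not code from the thread or from FreeBSD; the log lines are constructed, and the set of valid account names is an assumption.

```python
import re
from collections import Counter

# Constructed sample sshd auth log lines (not taken from the original thread).
SAMPLE_LOG = """\
Oct  5 21:28:37 colo1 sshd[4011]: Invalid user oracle from 12.34.56.78
Oct  5 21:28:37 colo1 sshd[4011]: Failed password for invalid user oracle from 12.34.56.78 port 51234 ssh2
Oct  5 21:28:39 colo1 sshd[4013]: Invalid user admin from 12.34.56.78
Oct  5 21:28:39 colo1 sshd[4013]: Failed password for invalid user admin from 12.34.56.78 port 51240 ssh2
Oct  5 21:29:02 colo1 sshd[4020]: Failed publickey for erik from 203.0.113.9 port 40022 ssh2
Oct  5 21:29:05 colo1 sshd[4020]: Failed publickey for erik from 203.0.113.9 port 40023 ssh2
Oct  5 21:30:11 colo1 sshd[4031]: Accepted publickey for erik from 198.51.100.4 port 40100 ssh2
"""

# Accounts that really exist on the box; an assumption for this example.
VALID_USERS = {"erik", "root"}

# Matches sshd's "Failed <method> for [invalid user ]<user> from <ip> port <n>" lines.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\w+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def classify_failures(log_text, valid_users):
    """Split failed-login lines into noise (nonexistent accounts, counted per
    source IP) and interesting events (real accounts, counted per user and IP)."""
    noise = Counter()
    interesting = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # "Invalid user" notices and accepted logins are not failures
        if m.group("invalid") or m.group("user") not in valid_users:
            noise[m.group("ip")] += 1
        else:
            interesting[(m.group("user"), m.group("ip"))] += 1
    return noise, interesting


if __name__ == "__main__":
    noise, interesting = classify_failures(SAMPLE_LOG, VALID_USERS)
    print("noise (nonexistent accounts):", dict(noise))
    print("interesting (real accounts):", dict(interesting))
```

The "interesting" bucket is the one worth alerting on; the "noise" bucket is what moving the port makes disappear.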