From: Oliver Fromme
To: freebsd-questions@FreeBSD.ORG
Date: Mon, 15 Jan 2007 18:05:30 +0100 (CET)
Message-Id: <200701151705.l0FH5Utj085225@lurza.secnetix.de>
In-Reply-To: <20070112174744.37AD.GERARD@seibercom.net>
Subject: Re: Please Help! How to STOP them...
Gerard Seibert wrote:
> Reko Turja wrote:
> > Moving your sshd port somewhere else than 22 - the prepackaged
> > "cracking" programs don't scan ports, just blindly try out the default
> > port - with a determined/skilled attacker it's a different matter entirely
> > though.
>
> Security through Obscurity is not true security at all. You are simply
> assuming that other ports are not being scanned.

I don't think he's assuming that. He is just suggesting an effective solution to the problem that hundreds of failed login attempts are filling the OP's logs and cron mails. He didn't claim that it increases security.

In fact, I would also recommend moving the ssh service from port 22 to a different, non-standard port if possible.

If you want, you can even have the sshd daemon listen on _both_ port 22 _and_ your non-standard port 122, and limit access to port 22 to a few well-known IP addresses, using a packet filter. That way you diminish the usual "blind" attempts on port 22, but you can still login using the non-standard port if you happen to come from an unknown IP address, so you don't lock yourself out.

Of course, it is important to understand that changing the port number will not significantly increase security. However, it might give you a slight advance when yet another ssh security bug is discovered and exploits start circulating while you're asleep. Usually the first exploits are quick and dirty hacks which have port 22 hardcoded, and most script kiddies who blindly scan random networks don't have enough clue to change it. ;-)

Of course, you still need to patch or update your sshd as quickly as possible if necessary, and you still need to use good passwords, or -- even better -- don't use passwords at all, but use key-based authentication.

Another thing that might be useful is one-time passwords (OPIE), especially when you're connecting from a foreign client such as a public terminal.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

cat man du : where Unix geeks go when they die
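The dual-port setup described in the message above (sshd on port 22 and on a non-standard port 122, with port 22 reachable only from a few known addresses) as an added configuration example. It is not part of the original message; it assumes FreeBSD's pf as the packet filter, an external interface named em0, and uses constructed placeholder addresses from the TEST-NET ranges for the trusted hosts.

```conf
# /etc/ssh/sshd_config (excerpt): listen on the standard port and on the
# non-standard port 122.  Each "Port" line adds another listening socket.
Port 22
Port 122

# /etc/pf.conf (excerpt): port 22 is reachable only from a short list of
# trusted addresses, port 122 from anywhere.  pf evaluates rules top to
# bottom and the last matching rule wins, so the broad "block" comes first
# and the narrower "pass" rules override it for the traffic they match.
ext_if = "em0"                      # assumed external interface name
# constructed placeholder addresses (TEST-NET); replace with your own
table <ssh_trusted> persist { 192.0.2.10, 198.51.100.0/24 }

# blind port-22 attempts from everywhere else are dropped (and logged to
# pflog) before they ever reach sshd, so they no longer fill the auth log
block in log on $ext_if proto tcp to ($ext_if) port 22
pass in on $ext_if proto tcp from <ssh_trusted> to ($ext_if) port 22 \
    flags S/SA keep state
pass in on $ext_if proto tcp to ($ext_if) port 122 flags S/SA keep state
```

Syntax-check both files before reloading (`sshd -t` for sshd_config, `pfctl -nf /etc/pf.conf` for the ruleset) and keep an existing ssh session open while you apply and test the change, so a typo in the trusted table cannot lock you out of the machine.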