Date: Mon, 15 Jan 2007 21:19:01 +0200
From: Alexander Mogilny <sg@sg.org.ua>
To: freebsd-questions@FreeBSD.ORG
Subject: Re: Please Help! How to STOP them...
Message-ID: <7B81A774-5A00-4D56-8363-3F7E96F0EECA@sg.org.ua>
In-Reply-To: <200701151705.l0FH5Utj085225@lurza.secnetix.de>
References: <200701151705.l0FH5Utj085225@lurza.secnetix.de>

On 15 Jan 2007, at 19:05, Oliver Fromme wrote:

> Gerard Seibert wrote:
>> Reko Turja wrote:
>>> Moving your sshd port somewhere else than 22 - the prepackaged
>>> "cracking" programs don't scan ports, just blindly try out the
>>> default port - with determined/skilled attacker it's different
>>> matter entirely though.
>>
>> Security through Obscurity is not true security at all. You are
>> simply assuming that other ports are not being scanned.
>
> I don't think he's assuming that. He is just suggesting an
> effective solution to the problem that hundreds of failed
> login attempts are filling the OP's logs and cron mails.
> He didn't claim that it increases security.
>
> In fact, I would also recommend to move the ssh service
> from port 22 to a different, non-standard port if possible.
> If you want, you can even have the sshd daemon listen on
> _both_ port 22 _and_ your non-standard port 122, and limit
> access to port 22 to a few well-known IP addresses, using
> a packet filter. That way you diminish the usual "blind"
> attempts on port 22, but you can still login using the
> non-standard port if you happen to come from an unknown
> IP address, so you don't lock yourself out.
>
> Of course, it is important to understand that changing
> the port number will not significantly increase security.
> However, it might give you a slight advance when yet
> another ssh security bug is discovered and exploits start
> circulating while you're asleep. Usually the first
> exploits are quick and dirty hacks which have port 22
> hardcoded, and most script kiddies who blindly scan
> random networks don't have enough clue to change it. ;-)
>
> Of course, you still need to patch or update your sshd
> as quickly as possible if necessary, and you still need
> to use good passwords, or -- even better -- don't use
> passwords at all, but use key-based authentication.
> Another thing that might be useful are one-time passwords
> (OPIE), especially when you're connecting from a foreign
> client such as a public terminal.
>
> Best regards
> Oliver

It is quite correct but too paranoid. You may consider trying to use
security/bruteblock or security/bruteforceblocker.
These programs are very easy to configure and give you notifications
on ssh bruteforce attacks.

-- 
AIM-UANIC | AIM-RIPE +-----[ FreeBSD ]-----+
Alexander Mogilny    | The Power to Serve! |
<> sg@sg.org.ua      +---------------------+