Date: Wed, 7 Mar 2018 11:12:34 -0600
From: Valeri Galtsev <galtsev@kicp.uchicago.edu>
To: Duane Whitty <duane@nofroth.com>, freebsd-questions@freebsd.org
Subject: Re: Increased abuse activity on my server
Message-ID: <2a1e844e-e2ba-5b43-9dd7-cd69915e12b4@kicp.uchicago.edu>
In-Reply-To: <d27c1592-90a4-150f-2645-c56498b6570c@nofroth.com>
References: <20180307071944.GA30971@ymer.bara1.se> <20180307103136.25881537.ole@free.de> <CAFsnNZ%2Bx_2YUuNrVDjt4MXMB40W3qHeyYsNgZSWT=3a4cRTKOA@mail.gmail.com> <b1080618-5489-4321-9d1e-631f0507b80d@kicp.uchicago.edu> <d27c1592-90a4-150f-2645-c56498b6570c@nofroth.com>
On 03/07/18 10:43, Duane Whitty wrote:
> On 18-03-07 12:17 PM, Valeri Galtsev wrote:
>>
>>
>> On 03/07/18 08:20, William Dudley wrote:
>>> This may sound stupid and obvious, but I moved my ssh port to a high
>>> "random" port
>>> number, and that completely stopped the random attempts to ssh in. I know
>>> that
>>> "security by obscurity" "doesn't work", but it did!
>>
>> No it doesn't. One mostly fools oneself by seeing fewer symptoms, whereas
>> the illness is still as bad as it was (if it was there, that is). Sorry, it
>> looks like I'm in a contradictive mood, still bear with me.
>>
>
> Are the symptoms not diagnostic of the illness in this case or are you
> saying that there may be ssh login attempts that aren't being logged
> after being moved to a randomly selected port over 1024? That would
> seem unusual.
>
> Regarding ports over 1024 I agree it's true non-root users can open them
> but not sure what that is going to get an attacker. How does sshd
> listening on port 15391 etc make it more vulnerable than listening on
> port 22? Can you provide an example of an exploit?

I normally don't like to answer things when my original point that is being discussed is edited away. I still will just reiterate here that if you don't see any bad in using a port above 1024, then it will take me writing a book and having you read that, which is impractical. We'll see if someone chimes in. And by no means did I intend to state that some bad practice on its own creates "an exploit". Still, sysadmins stick to good practices; you should be able to tell yourself why.

>
> Also, I don't recall the OP mentioning anything about having many users
> ssh'ing in. Perhaps the OP is the only user that logs in for
> administrative purposes.
>
> Also, perhaps he already doesn't allow root logins from the Internet, he
> hasn't said and we haven't asked.
>
> Does moving sshd to a high port number make you all that more secure?
> No, not really, but it does avoid a lot of log activity and makes seeing
> real attacks easier. Combine that with sensible host and firewall
> policies and a large majority of attackers just aren't going to bother
> because it will be so much easier for them to attack someone else and
> have a higher probability of attack.
>
> You do make some good points though that administrators should consider
> when implementing systems security.
>

Thank you. I am just repeating what I learned, and a lot of it comes from clever people on lists like this one. They are to be credited, not I ;-)

Valeri

>
> Best Regards,
> Duane
>

-- 
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
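An added example (my own, not code from this thread or from FreeBSD) of the log triage Duane has in mind: it reads constructed sshd lines in FreeBSD auth.log syslog form, counts failed logins per source, separates guesses against non-existent accounts from attempts against real ones, and flags a successful login from a source that also produced failures. The hostname, addresses and key fingerprint are constructed.

```python
import re
from collections import Counter

# Constructed sshd lines in FreeBSD /var/log/auth.log form; host, addresses and fingerprint are made up.
SAMPLE_LOG = """\
Mar  7 10:01:14 bsdbox sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Mar  7 10:01:20 bsdbox sshd[1203]: Failed password for invalid user oracle from 203.0.113.5 port 41030 ssh2
Mar  7 10:01:27 bsdbox sshd[1205]: Failed password for invalid user test from 203.0.113.5 port 41041 ssh2
Mar  7 10:02:03 bsdbox sshd[1210]: Failed password for root from 198.51.100.23 port 50112 ssh2
Mar  7 10:02:05 bsdbox sshd[1210]: Failed password for root from 198.51.100.23 port 50112 ssh2
Mar  7 10:02:09 bsdbox sshd[1212]: Failed password for duane from 198.51.100.23 port 50118 ssh2
Mar  7 10:02:40 bsdbox sshd[1212]: Accepted password for duane from 198.51.100.23 port 50118 ssh2
Mar  7 10:03:41 bsdbox sshd[1220]: Accepted publickey for duane from 192.0.2.10 port 33100 ssh2: ED25519 SHA256:xxxxconstructedxxxx
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed \S+ for (?P<invalid>invalid user )?(?P<user>\S+) "
                    r"from (?P<ip>\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
                      r"from (?P<ip>\S+) port \d+")

def triage(log_text, threshold=3):
    """Summarise sshd login events per source address; returns a dict of findings."""
    fails = Counter()        # failed logins per source
    real_fails = Counter()   # failures against accounts that exist (no 'invalid user')
    accepted = []            # (user, source, method) for successful logins
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            fails[m["ip"]] += 1
            if not m["invalid"]:
                real_fails[m["ip"]] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.append((m["user"], m["ip"], m["method"]))
    return {
        "fails": dict(fails),
        "noisy": sorted(ip for ip, n in fails.items() if n >= threshold),  # brute-force noise
        "targeted": sorted(real_fails),          # guessing against real account names
        "accepted": accepted,
        # a success from a source that also failed deserves a human look
        "suspicious_success": [a for a in accepted if a[1] in fails],
    }

REPORT = triage(SAMPLE_LOG)

if __name__ == "__main__":
    for key, value in REPORT.items():
        print(f"{key}: {value}")
```

Pointing `triage()` at the real file (`open("/var/log/auth.log").read()`) gives the same summary for a live host; the `threshold` argument sets how many failures make a source "noisy".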