Date: Wed, 7 Mar 2018 12:43:49 -0400
From: Duane Whitty <duane@nofroth.com>
To: freebsd-questions@freebsd.org
Cc: duane@nofroth.com
Subject: Re: Increased abuse activity on my server
Message-ID: <d27c1592-90a4-150f-2645-c56498b6570c@nofroth.com>
In-Reply-To: <b1080618-5489-4321-9d1e-631f0507b80d@kicp.uchicago.edu>
References: <20180307071944.GA30971@ymer.bara1.se> <20180307103136.25881537.ole@free.de> <CAFsnNZ%2Bx_2YUuNrVDjt4MXMB40W3qHeyYsNgZSWT=3a4cRTKOA@mail.gmail.com> <b1080618-5489-4321-9d1e-631f0507b80d@kicp.uchicago.edu>
On 18-03-07 12:17 PM, Valeri Galtsev wrote:
>
> On 03/07/18 08:20, William Dudley wrote:
>> This may sound stupid and obvious, but I moved my ssh port to a high
>> "random" port number, and that completely stopped the random attempts
>> to ssh in. I know that "security by obscurity" "doesn't work", but it did!
>
> No it doesn't. One mostly fools oneself by seeing less symptoms, whereas
> illness is still as bad as it was (if it was there that is). Sorry, it
> looks like I'm in contradictive mood, still bear with me.
>

Are the symptoms not diagnostic of the illness in this case or are you saying that there may be ssh login attempts that aren't being logged after being moved to a randomly selected port over 1024? That would seem unusual.

Regarding ports over 1024 I agree it's true non-root users can open them but not sure what that is going to get an attacker. How does sshd listening on port 15391 etc make it more vulnerable than listening on port 22? Can you provide an example of an exploit?

Also, I don't recall the OP mentioning anything about having many users ssh'ing in. Perhaps the OP is the only user that logs in for administrative purposes. Also, perhaps he already doesn't allow root logins from the Internet, he hasn't said and we haven't asked.

Does moving sshd to a high port number make you all that more secure? No not really but it does avoid a lot of log activity and makes seeing real attacks easier. Combine that with sensible host and firewall policies and a large majority of attackers just aren't going to bother because it will be so much easier for them to attack someone else and have a higher probability of attack.

You do make some good points though that administrators should consider when implementing systems security.

Best Regards,
Duane

--
Duane Whitty
duane@nofroth.com