Security Incidents mailing list archives
Re: SSH attacks?
From: "Jay D. Dyson" <jdyson () treachery net>
Date: Thu, 29 Jul 2004 17:38:34 -0700 (PDT)
On Thu, 29 Jul 2004, Pieter-Bas IJdens wrote:

> If you are so worried about SSH security why don't you just run sshd on a non-standard port.

That practice affords no security benefit. Any scanner worth its salt (no pun...really) can identify a service even if it's running on a non-standard port. Nessus does this, as do a host of other scanners.

For my own part, I set my firewall rulesets to default deny any IP that is not specifically blessed for interactive login. For example, I do not have any users who live in Asia, Europe, Canada, South America or Africa. Thus, those netblocks are not allowed to connect on 22/TCP. This helps limit the attack vectors while still allowing my users access to the systems they require.

For now, I think we need to spend a little more time getting to the bottom of *why* we're seeing this uptick in scans. Someone openly postulated that a distro mirror may have been compromised and the injection of a trojaned SSHd may be in play. While I don't have any evidence to support this, a number of the conditions we've seen of late (same login ID from various IPs across the globe, for instance) do support this possibility. Now it's up to us to determine the source of this trojan SSHd and put it out of our misery.

Them's me thoughts.

-Jay

Jay D. Dyson -- jdyson () treachery net
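The default-deny allowlist for 22/TCP and the "same login ID from various IPs" pattern described in the message above, as an added example that is not part of the original post: it parses sshd failure lines, reports login IDs tried from several distinct addresses, and lists the sources the allowlist would have dropped. The netblocks (RFC 5737 documentation ranges), the log lines and all function names are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical allowlist of netblocks permitted to reach 22/TCP (RFC 5737 ranges).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed sample sshd log lines (OpenSSH-style failure messages).
SAMPLE_LOG = """\
Jul 29 03:12:01 host sshd[411]: Failed password for invalid user test from 203.0.113.7 port 4021 ssh2
Jul 29 03:12:09 host sshd[412]: Failed password for invalid user test from 203.0.113.99 port 4100 ssh2
Jul 29 03:14:40 host sshd[420]: Failed password for invalid user guest from 198.51.100.200 port 3999 ssh2
Jul 29 03:15:02 host sshd[421]: Failed password for test from 198.51.100.200 port 4001 ssh2
Jul 29 08:30:11 host sshd[500]: Failed password for alice from 192.0.2.44 port 5122 ssh2
Jul 29 08:30:15 host sshd[500]: Accepted password for alice from 192.0.2.44 port 5122 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def is_allowed(addr):
    """Default deny: True only if addr falls inside an allowlisted netblock."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALLOWED_NETS)

def failed_logins(log_text):
    """Yield (login_id, source_ip) for each failed password attempt."""
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            yield m.group(1), m.group(2)

def shared_login_ids(log_text, min_sources=2):
    """Login IDs tried from at least min_sources distinct IPs, mapped to those IPs."""
    sources = defaultdict(set)
    for user, ip in failed_logins(log_text):
        sources[user].add(ip)
    return {u: sorted(ips) for u, ips in sources.items() if len(ips) >= min_sources}

def denied_sources(log_text):
    """Source IPs in the log that the allowlist would have dropped at the firewall."""
    return sorted({ip for _, ip in failed_logins(log_text) if not is_allowed(ip)})

if __name__ == "__main__":
    for user, ips in shared_login_ids(SAMPLE_LOG).items():
        print(f"login ID {user!r} tried from {len(ips)} sources: {', '.join(ips)}")
    print("sources outside allowlist:", ", ".join(denied_sources(SAMPLE_LOG)))
```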