Security Incidents mailing list archives
Re: SSH attacks?
From: Frank Knobbe <frank () knobbe us>
Date: Fri, 30 Jul 2004 19:05:23 -0500
On Thu, 2004-07-29 at 19:38, Jay D. Dyson wrote:
> That practice affords no security benefit. Any scanner worth its salt (no pun...really) can identify a service even if it's running on a non-standard port. Nessus does this, as do a host of other scanners.
I beg to differ. Yeah, Nessus and decent scanners will identify SSH on other ports, but the script kiddies, "nmap -sS -p 22" type scans, and any worms or automated attack tools will most likely miss it. I'm sure you know about low-hanging fruit. I believe changing to a different port is like hanging your fruit a bit higher. Let the masses reach for "the other guys" SSH port instead... Sure, that concept (changing ports, call it obfuscation if you must) doesn't increase security of your host, but it alters the threat level in your favor.
> For my own part, I set my firewall rulesets to default deny any IP that is not specifically blessed for interactive login. For example, I do not have any users who live in Asia, Europe, Canada, South America or Africa. Thus, those netblocks are not allowed to connect on 22/TCP. This helps limit the attack vectors while still allowing my users access to the systems they require.
This is certainly the best way to approach this. Blocking all by default, and allowing only access to SSH from those networks where you know you or your users are in. The same should also be applied to any other type of VPN, be it IPSec or PPTP or whatever. While authentication is required, there is still no reason to expose the interface to the whole world. It would help security greatly to default-block and allow VPN access from those areas from which access is expected.

Cheers,
Frank
Attachment:
signature.asc
Description: This is a digitally signed message part
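An added example, not part of the original post or written by anyone in the thread: before rolling out the default-deny rule discussed above, replay existing sshd logs against the planned allowlist to see which legitimate logins would be locked out and how much password guessing would be dropped. The netblocks, log lines and function names are constructed for illustration.

```python
import ipaddress
import re

# Assumed allowlist: netblocks users are expected to log in from (documentation ranges).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.64/26")]

# Constructed sshd log lines in OpenSSH style; not taken from the thread.
SAMPLE_LOG = """\
Jul 30 19:01:02 host sshd[411]: Accepted password for alice from 192.0.2.17 port 40112 ssh2
Jul 30 19:01:09 host sshd[415]: Failed password for root from 203.0.113.9 port 51811 ssh2
Jul 30 19:01:11 host sshd[416]: Failed password for invalid user test from 203.0.113.9 port 51812 ssh2
Jul 30 19:02:40 host sshd[420]: Accepted publickey for bob from 198.51.100.200 port 39001 ssh2
Jul 30 19:03:05 host sshd[424]: Failed password for alice from 198.51.100.70 port 40500 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+) port \d+")


def is_allowed(addr):
    """True if addr falls inside one of the allowlisted netblocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALLOWED_NETS)


def audit(log_text):
    """Classify each login event by what a default-deny rule would have done."""
    report = {"lockouts": [], "dropped_attacks": 0, "still_exposed": 0}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        outcome, user, src = m.groups()
        try:
            allowed = is_allowed(src)
        except ValueError:
            continue  # source logged as a hostname or malformed; skip it
        if outcome == "Accepted" and not allowed:
            report["lockouts"].append((user, src))   # real user outside the allowlist
        elif outcome == "Failed" and not allowed:
            report["dropped_attacks"] += 1            # guessing the firewall would stop
        elif outcome == "Failed":
            report["still_exposed"] += 1              # failures from inside the allowlist
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Entries under `lockouts` are the netblocks to add before enforcing the rule; `still_exposed` counts attempts that the allowlist alone does not stop.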