Date:      Sat, 22 Oct 2011 10:54:49 -0400
From:      Michael Powell <nightrecon@hotmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Breakin attempt
Message-ID:  <j7ulf8$k9d$1@dough.gmane.org>
References:  <000001cc90c0$a0c16050$e24420f0$@org> <4EA2CE72.5030202@cran.org.uk> <20111022161242.11803f76.freebsd@edvax.de>

Polytropon wrote:

> On Sat, 22 Oct 2011 15:08:50 +0100, Bruce Cran wrote:
>> I suspect that these sorts of attacks are fairly normal if you're
>> running ssh on the standard port. I used to have lots of 'break-in
>> attempts' before I moved the ssh server to a different port.
> 
> Is there _any_ reason why moving from port 22 to something
> different is _not_ a solution?
> 
> Reason why I'm asking: Moving SSH away from its default port
> seems to be a relatively good solution as break-in attempts
> concentrate on default ports. So in case a sysadmin decides
> to move SSH to a "hidden" location, what could be an argument
> against this decision?
> 

One such relatively minor argument might be the use by external entities for 
the ability to connect in a standardized way. Such a client may need to 
connect but has no way of knowing in advance what port to use. The only 
readily available means for them to locate you might be DNS, with them only 
knowing you by hostname. 

I tend to discount this as they would still need some form of auth, whether 
a user account/password combination or a certificate. In either case, this 
needs to be configured in advance - so there's no reason a port number 
couldn't be included when communicating how to login to the third party.

There is also some remote possibility that the third party has some internal 
(albeit brain-dead) policy of mandating the use of some software that cannot 
be configured to use a port other than 22. I would consider such software 
to be inherently 'broken by design', and not a good enough reason for me to 
'break' my system just to make them happy. After all, aren't they the ones 
who want to connect to me and shouldn't the responsibility be on them to do 
it in accordance with what I have configured?

I restrict any SSH access to my systems to certificate only, with password 
turned off. Only a trusted few will have these certificates, and these people 
will know what port to use because I told them. Just changing the port to 
some high number non well-known will not entirely stop a port scan if said 
scan is walking up every single port one after another. But simply changing 
it to something like 42347 works wonders for knocking down about 90% of 
script-kiddies.

I just don't see SSH as the best tool for giving anonymous remote-access to 
the general public of the IntarWebZ in general. If access is not anonymous 
there must be some admin config done previous to the access. Providing 
anonymous access via SSH sort of defeats the purpose for using SSH in the 
first place.   :-)

Just my $.02 - Mike
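The message above recommends two sshd changes: move the listener off port 22 and allow key-based authentication only. The script below is an added example, not code from the thread or from any of its posters; it audits an sshd_config file for those settings with POSIX sh and awk. It assumes the standard OpenSSH keywords (Port, PasswordAuthentication, PubkeyAuthentication, ChallengeResponseAuthentication), the OpenSSH rule that the first occurrence of a keyword wins, and the "Keyword value" layout (the "Keyword=value" form is not handled). It also checks ChallengeResponseAuthentication, because on a PAM-enabled host a password prompt still works through keyboard-interactive authentication when only PasswordAuthentication is set to no; newer OpenSSH releases call the same keyword KbdInteractiveAuthentication.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit an sshd_config
# for the hardening the message recommends. POSIX sh + awk only.

# ssh_setting FILE KEYWORD DEFAULT
# Prints the effective value of KEYWORD. OpenSSH uses the FIRST occurrence
# of a keyword and ignores later ones, so only the first match is printed.
# Lines after the first "Match" block are conditional and are not scanned.
ssh_setting() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*(#|$)/            { next }          # blank line or comment
        tolower($1) == "match"    { exit }          # stop at conditional blocks
        tolower($1) == tolower(key) && !found { print $2; found = 1 }
        END { if (!found) print def }               # fall back to the OpenSSH default
    ' "$1"
}

# audit_sshd_config FILE
# Prints one line per failed check; returns 0 only when every check passes.
audit_sshd_config() {
    f="$1"; rc=0
    port=$(ssh_setting "$f" Port 22)
    pass=$(ssh_setting "$f" PasswordAuthentication yes)
    pub=$(ssh_setting "$f" PubkeyAuthentication yes)
    kbd=$(ssh_setting "$f" ChallengeResponseAuthentication yes)

    [ "$port" = 22 ] && { echo "WARN: sshd listens on the default port 22"; rc=1; }
    [ "$pass" != no ] && { echo "FAIL: PasswordAuthentication is '$pass'"; rc=1; }
    # With UsePAM, keyboard-interactive still offers a password prompt unless this is off.
    [ "$kbd" != no ] && { echo "FAIL: ChallengeResponseAuthentication is '$kbd'"; rc=1; }
    [ "$pub" != yes ] && { echo "FAIL: PubkeyAuthentication is '$pub'"; rc=1; }
    return $rc
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then
    audit_sshd_config "$1"
fi
```

Run it against the live configuration before restarting sshd; a non-zero exit means at least one of the settings the message describes is still at its default. Because the script reads the file rather than the running daemon, it does not see values supplied on the sshd command line.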