Date:      Mon, 8 Mar 2010 11:56:08 -0600
From:      Jason Garrett <kingedgar@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Thousands of ssh probes
Message-ID:  <970380131003080956u375be282wd5e5e4445841146f@mail.gmail.com>
In-Reply-To: <4B942D4B.6070407@locolomo.org>
References:  <20100305125446.GA14774@elwood.starfire.mn.org> <4B91B36D.1020507@locolomo.org> <20100307204114.GK16274@mail2.dcoder.net> <4B942D4B.6070407@locolomo.org>

On Sun, Mar 7, 2010 at 16:48, Erik Norgaard <norgaard@locolomo.org> wrote:

> On 07/03/10 21:41, dacoder wrote:
>
>> has anybody suggested having sshd listen on a high port?
>
> Any number will do, think about it:
>
> a. The attacker doesn't really care which host is compromised, any will do,
> and better yet someone's home box as it is more difficult to trace him. In
> that case he will scan large ip-ranges for hosts listening on port 22.
>
> b. The attacker wants to gain control of a particular server. In that case
> he will scan all ports to see what services are running and determine which
> services are running on each port. In that case running ssh on a
> non-standard port is futile.
>
> However, I'm not really a fan of using non-standard ports for ssh, I don't
> believe it's the right solution to the problem: You have ssh access to the
> outside because people travel and need remote access. In that case they
> might find themselves under other security policies which block access to
> services deemed unnecessary. Running ssh on a non-standard port is likely to
> be blocked on the client network - unless you run on, say, port 80.
>
> The more uses you have, the more problems you will have running ssh on a
> non-standard port, the time you save checking your logs may easily be spent
> on end user support.
>
> OP referred to significant impact on bandwidth which I find difficult to
> believe. In case connections come from a single ip at a time then you should
> tweak LoginGraceTime, MaxAuthTries, MaxSessions to reduce the number of
> concurrent unauthenticated connections and slow down brute force attacks.
>
> Much better, restrict the client access to certain ranges of IPs. The
> different registries publish ip ranges assigned per country and you can
> create a list blocking countries you are certain not to visit, you can use
> my script:
>
>   http://www.locolomo.org/pub/src/toolbox/inet.pl
>
>
Great script! Just one question. Where do you put the list of denied ip
ranges?

>
> BR, Erik
>
> --
> Erik Nørgaard
> Ph: +34.666334818/+34.915211157                  http://www.locolomo.org
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "
> freebsd-questions-unsubscribe@freebsd.org"
>
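The two mitigations Erik lists in the quoted message (tightening the sshd_config knobs, and only accepting ssh from known address ranges) can be checked mechanically. The following is an added example written for this page; it is not code from the thread, from Erik's inet.pl, or from FreeBSD. It audits an sshd_config against hardened ceilings, tests a client address against a CIDR allow-list, and renders that allow-list as a pf.conf table with block/pass rules. Assumptions: the "ceiling" values, the interface name em0, the RFC 5737 documentation ranges standing in for real per-country lists, and both config snippets are all constructed for illustration. MaxStartups is included alongside the three keywords Erik names because its first field is what actually caps concurrent unauthenticated connections in OpenSSH.

```python
"""Added example, not code from the thread: audit sshd_config brute-force
knobs and express a per-range ssh allow-list as pf.conf rules."""
import ipaddress
import re

# "default" is OpenSSH's documented default; "ceiling" is an assumed
# hardened maximum chosen for this example, not a value from the thread.
# MaxStartups is compared on its first field ("start": the number of
# unauthenticated connections at which sshd begins refusing new ones).
CHECKS = {
    "LoginGraceTime": {"default": 120, "ceiling": 30},
    "MaxAuthTries":   {"default": 6,   "ceiling": 3},
    "MaxSessions":    {"default": 10,  "ceiling": 2},
    "MaxStartups":    {"default": 10,  "ceiling": 5},
}

# Constructed sample: a typical out-of-the-box config.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
LoginGraceTime 2m
MaxAuthTries 6
# MaxSessions not set, so the default of 10 applies
MaxStartups 10:30:100
PasswordAuthentication no
"""

# Constructed sample: the same file with the four knobs tightened.
HARDENED_CONFIG = """\
Port 22
LoginGraceTime 30
MaxAuthTries 3
MaxSessions 2
MaxStartups 5:50:20
PasswordAuthentication no
"""

# Constructed allow-list (RFC 5737 documentation prefixes) standing in for
# the per-country ranges a registry would publish.
ALLOWED_RANGES = ["203.0.113.0/24", "198.51.100.0/24"]


def seconds(value):
    """sshd time format: bare seconds or a number with an s/m/h/d/w suffix."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value)
    if not m:
        raise ValueError(f"bad time value {value!r}")
    mult = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    return int(m.group(1)) * mult[m.group(2)]


def parse_sshd_config(text):
    """Map lower-cased keyword -> raw value.  sshd honours the first
    occurrence of a keyword, so later duplicates are ignored.  Match blocks
    are not modelled; every line is treated as global."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1])
    return settings


def effective_value(key, raw):
    """Normalise a raw setting to the integer compared against the ceiling."""
    if raw is None:
        return CHECKS[key]["default"]
    if key == "LoginGraceTime":
        return seconds(raw)
    if key == "MaxStartups":  # "start[:rate:full]"; compare "start"
        return int(raw.split(":")[0])
    return int(raw)


def audit(text):
    """Return [(keyword, effective, ceiling)] for every knob looser than its
    ceiling; an empty list means the file passes."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, spec in CHECKS.items():
        eff = effective_value(key, cfg.get(key.lower()))
        if eff > spec["ceiling"]:
            findings.append((key, eff, spec["ceiling"]))
    return findings


def build_allowlist(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def client_allowed(ip, allowlist):
    """True if the client address falls inside any allowed range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)


def pf_rules(cidrs, ext_if):
    """Render the allow-list as a pf.conf fragment.  pf evaluates rules
    last-match (no 'quick' here), so the broad block comes first and the
    narrower pass wins for table members.  ext_if is an assumed name."""
    return "\n".join([
        f'ext_if = "{ext_if}"',
        f"table <ssh_allow> persist {{ {', '.join(cidrs)} }}",
        "block in on $ext_if proto tcp to port 22",
        "pass in on $ext_if proto tcp from <ssh_allow> to port 22",
    ]) + "\n"
```

Running `audit(SAMPLE_CONFIG)` flags all four knobs, while `audit(HARDENED_CONFIG)` returns nothing; `pf_rules(ALLOWED_RANGES, "em0")` prints the table and the two rules to paste into pf.conf (load with `pfctl -f /etc/pf.conf` after checking syntax with `pfctl -nf`). Keep the pf table in a separate file with `table <ssh_allow> persist file "/etc/ssh_allow"` if the range list is long or regenerated from registry data, so the rule set itself never changes.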



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?970380131003080956u375be282wd5e5e4445841146f>