[kwlug-disc] Tightening up SSH

Johnny Ferguson hyperflexed at gmail.com
Mon Jul 19 09:53:20 EDT 2010


I think I'll give this a try once I have done everything else I can. 
I've read it's not a good idea to rely on security through obscurity, 
but I guess if all other measures are in place this couldn't hurt.

One thing I find strange is that the attacker seems to be connecting via 
random port numbers. The SSH Daemon is going through the act of asking 
for a password, but if ssh is on 22, why doesn't it just flat out reject 
them?

Example:

Jul 18 14:48:50 *** sshd[20358]: Invalid user gwen from 165.138.80.50
Jul 18 14:48:50 *** sshd[20358]: pam_unix(sshd:auth): check pass; user unknown
Jul 18 14:48:50 *** sshd[20358]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=zimbra.milan.k12.in.us
Jul 18 14:48:50 *** sshd[20358]: pam_winbind(sshd:auth): getting password (0x00000388)
Jul 18 14:48:50 *** sshd[20358]: pam_winbind(sshd:auth): pam_get_item returned a password
Jul 18 14:48:52 *** sshd[20357]: Failed password for invalid user sybase from 165.138.80.50 port 40404 ssh2
Jul 18 14:48:52 *** sshd[20358]: Failed password for invalid user gwen from 165.138.80.50 port 40409 ssh2

In the case of "gwen" the port is wrong, the user isn't on the 
whitelist/doesn't exist, but ssh still goes through the motions. Is 
there any reason for this? My only guess is that it would take the 
attacker more time trying a password each time than if they could just 
try again instantly if they were rejected quicker.

-Johnny

addendum: I looked up the IP, it seems to be a webmail server for a 
school. Weirdest place I could think of to start a brute force from.

On 07/19/2010 09:40 AM, Raul Suarez wrote:
> --- On Mon, 7/19/10, Darcy Casselman <dscassel at gmail.com> wrote:
>> Along with previous suggestions, I'd
>> recommend switching to a
>> non-standard port.  It's not really security against a
>> determined
>> attacker, but it cuts out 99.99% of the random Internet
>> drive-bys.
>
> Actually this is also my recommendation. The chances that someone will scan all ports and then try to break SSH in each of them is low unless you are being purposely targeted.
>
> Raul Suarez
>
> Technology consultant
> Software, Hardware and Practices
> _________________
> Twitter: rarsamx
> http://rarsa.blogspot.com/
> An eclectic collection of random thoughts
>
> _______________________________________________
> kwlug-disc_kwlug.org mailing list
> kwlug-disc_kwlug.org at kwlug.org
> http://astoria.ccjclearline.com/mailman/listinfo/kwlug-disc_kwlug.org
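An added example, not code from the thread or from anyone posting in it: a small parser for the "Failed password" lines shown above, run over a constructed sample log, that counts failures per source address and lists which user names each source tried. Note that the "port 40409" field in those lines is the client's ephemeral source port, not the port sshd is listening on, so it will differ on every connection attempt; the parser records it as src_port so the distinction is visible. The sample below reuses the 165.138.80.50 lines from the message and adds constructed lines using documentation addresses (203.0.113.7, 192.0.2.10) and the placeholder hostname "host"; the threshold of two failures is an arbitrary choice for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Matches sshd's "Failed password" message. The "invalid user " prefix is
# present only when the account does not exist (or is not allowed) locally.
FAILED_PW_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)

# Constructed sample log: the two failure lines from the thread plus a
# failure for a real account and one successful key login from elsewhere.
SAMPLE_LOG = """\
Jul 18 14:48:50 host sshd[20358]: Invalid user gwen from 165.138.80.50
Jul 18 14:48:50 host sshd[20358]: pam_unix(sshd:auth): check pass; user unknown
Jul 18 14:48:52 host sshd[20357]: Failed password for invalid user sybase from 165.138.80.50 port 40404 ssh2
Jul 18 14:48:52 host sshd[20358]: Failed password for invalid user gwen from 165.138.80.50 port 40409 ssh2
Jul 18 14:49:01 host sshd[20360]: Failed password for root from 203.0.113.7 port 51000 ssh2
Jul 18 14:49:03 host sshd[20361]: Accepted publickey for johnny from 192.0.2.10 port 50022 ssh2
"""


def parse_failures(log_text):
    """Return one dict per 'Failed password' line, in log order.

    src_port is the remote client's source port (ephemeral, changes per
    connection), not the port the local sshd listens on.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_PW_RE.search(line)
        if m:
            events.append({
                "user": m.group("user"),
                "ip": m.group("ip"),
                "src_port": int(m.group("port")),
                "invalid_user": m.group("invalid") is not None,
            })
    return events


def failures_by_source(events):
    """Count failed password attempts per source address."""
    return Counter(e["ip"] for e in events)


def users_tried(events):
    """Map each source address to the sorted set of user names it tried."""
    tried = defaultdict(set)
    for e in events:
        tried[e["ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in tried.items()}


def flag_sources(events, threshold=2):
    """Sources with at least `threshold` failures (threshold is illustrative)."""
    counts = failures_by_source(events)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    for ip in flag_sources(evs):
        print(ip, failures_by_source(evs)[ip], "failures; users tried:",
              ", ".join(users_tried(evs)[ip]))
```

On a real system the same functions can be pointed at /var/log/auth.log (or the secure log, depending on the distribution); the flagged sources are the candidates for a firewall block or for feeding a tool that does that automatically.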
