[kwlug-disc] Tightening up SSH
Andrew Kohlsmith (mailing lists account)
aklists at mixdown.ca
Mon Jul 19 09:59:59 EDT 2010
On Monday, July 19, 2010 09:53:20 am Johnny Ferguson wrote:
> One thing I find strange is that the attacker seems to be connecting via
> random port numbers. The SSH Daemon is going through the act of asking
> for a password, but if ssh is on 22, why doesn't it just flat out reject
> them?

When you ssh to your server, the ssh client connects *TO* port 22 (the known
port for ssh) but it connects *FROM* a random port number above 1024. It's
just how TCP tends to work; nobody cares about the source port when
establishing a connection, only the destination port determines which service
you're interested in.

> in the case of "gwen" the port is wrong, the user isn't on the
> whitelist/doesn't exist, but ssh still goes through the motions. Is
> there any reason for this? My only guess is that it would take the
> attacker more time trying a password each time than if they could just
> try again instantly if they were rejected quicker.

This is on purpose; it prevents the attacker from knowing whether the user
actually exists or not. The less information the attacker has, the better. I
also tend to obfuscate my ssh banner for the same reason. If they don't know
what version or whose implementation of ssh I'm using, they don't know whether
I am vulnerable to certain targeted attacks, and it makes them waste more of
their time (and my bandwidth, unfortunately) in trying all these methods which
simply won't succeed.

-A.
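
Added example, not part of the original message: a Python sketch that reads sshd "Failed password" entries and groups them by source address, treating the logged `port` as the client's ephemeral source port rather than the port sshd listens on. The log lines, addresses and every username other than "gwen" are constructed, and the line format is assumed to follow OpenSSH's usual auth log wording.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of an OpenSSH auth log (not from the thread).
SAMPLE_LOG = """\
Jul 19 09:41:02 host sshd[2101]: Failed password for invalid user gwen from 203.0.113.7 port 51822 ssh2
Jul 19 09:41:05 host sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 52310 ssh2
Jul 19 09:41:09 host sshd[2105]: Failed password for root from 203.0.113.7 port 52977 ssh2
Jul 19 09:44:30 host sshd[2110]: Failed password for alice from 198.51.100.20 port 40112 ssh2
Jul 19 09:45:00 host sshd[2112]: Accepted password for alice from 198.51.100.20 port 40120 ssh2
"""

# "invalid user" marks an account that does not exist; sshd only says so in
# its own log, while the client sees the same password prompt either way.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<sport>\d+)"
)


def summarize(log_text):
    """Group failed logins by source address; 'port' is the client's source port."""
    stats = defaultdict(
        lambda: {"attempts": 0, "invalid_users": set(), "source_ports": set()}
    )
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are skipped
        entry = stats[m["ip"]]
        entry["attempts"] += 1
        entry["source_ports"].add(int(m["sport"]))
        if m["invalid"]:
            entry["invalid_users"].add(m["user"])
    return dict(stats)


def suspicious(stats, threshold=3):
    """Return source addresses with at least `threshold` failed attempts."""
    return sorted(ip for ip, e in stats.items() if e["attempts"] >= threshold)


if __name__ == "__main__":
    for ip, e in summarize(SAMPLE_LOG).items():
        print(ip, e["attempts"], sorted(e["invalid_users"]), sorted(e["source_ports"]))
```
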