[kwlug-disc] Tightening up SSH

Andrew Kohlsmith (mailing lists account) aklists at mixdown.ca
Mon Jul 19 09:59:59 EDT 2010

On Monday, July 19, 2010 09:53:20 am Johnny Ferguson wrote:
> One thing I find strange is that the attacker seems to be connecting via
> random port numbers. The SSH Daemon is going through the act of asking
> for a password, but if ssh is on 22, why doesn't it just flat out reject
> them?

When you ssh to your server, the ssh client connects *TO* port 22 (the known 
port for ssh) but it connects *FROM* a random port number above 1024. It's 
just how TCP tends to work; nobody cares about the source port when 
establishing a connection, only the destination port determines which service 
you're interested in.

> in the case of "gwen" the port is wrong, the user isn't on the
> whitelist/doesn't exist, but ssh still goes through the motions. Is
> there any reason for this? My only guess is that it would take the
> attacker more time trying a password each time than if they could just
> try again instantly if they were rejected quicker.

This is on purpose; it prevents the attacker from knowing whether the user 
actually exists or not.  The less information the attacker has, the better.  I 
also tend to obfuscate my ssh banner for the same reason.  If they don't know 
what version or whose implementation of ssh I'm using, they don't know whether 
I am vulnerable to certain targeted attacks, and it makes them waste more of 
their time (and my bandwidth, unfortunately) in trying all these methods which 
simply won't succeed.
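A small defender-side illustration of the two points above (the source port differs on every connection, and sshd logs failed attempts for nonexistent users just as it does for real ones), added here as an example and not taken from the thread: it parses constructed sshd log lines, groups failures by source address and lists the varying source ports. The log lines, addresses and the flagging threshold are all assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd log lines (not from the thread). The "port NNNNN"
# field is the client's *source* port, which changes on every connection;
# sshd itself keeps listening on the destination port 22.
SAMPLE_LOG = """\
Jul 19 09:40:01 host sshd[2101]: Failed password for invalid user gwen from 198.51.100.7 port 41234 ssh2
Jul 19 09:40:04 host sshd[2105]: Failed password for invalid user gwen from 198.51.100.7 port 41310 ssh2
Jul 19 09:40:09 host sshd[2109]: Failed password for root from 198.51.100.7 port 41377 ssh2
Jul 19 09:41:00 host sshd[2120]: Accepted publickey for andrew from 203.0.113.5 port 52001 ssh2
"""

# Matches the OpenSSH "Failed password" line for both real and nonexistent users.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?P<invalid>invalid user) )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

def parse_failures(log_text):
    """Return one dict per 'Failed password' line."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            out.append({
                "user": m.group("user"),
                "invalid_user": m.group("invalid") is not None,
                "ip": m.group("ip"),
                "port": int(m.group("port")),
            })
    return out

def summarize(failures, threshold=3):
    """Per source IP: failure count, distinct source ports, and whether the
    count reached the (assumed) threshold. The port set shows why the
    source port is not worth filtering on: it differs on every connection."""
    counts = Counter(f["ip"] for f in failures)
    ports = defaultdict(set)
    for f in failures:
        ports[f["ip"]].add(f["port"])
    return {ip: {"failures": n, "source_ports": sorted(ports[ip]),
                 "flag": n >= threshold} for ip, n in counts.items()}

if __name__ == "__main__":
    for ip, info in summarize(parse_failures(SAMPLE_LOG)).items():
        print(ip, info)
```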
