[kwlug-disc] Tightening up SSH

Andrew Kohlsmith (mailing lists account) aklists at mixdown.ca
Mon Jul 19 09:59:59 EDT 2010


On Monday, July 19, 2010 09:53:20 am Johnny Ferguson wrote:
> One thing I find strange is that the attacker seems to be connecting via
> random port numbers. The SSH Daemon is going through the act of asking
> for a password, but if ssh is on 22, why doesn't it just flat out reject
> them?

When you ssh to your server, the ssh client connects *TO* port 22 (the known 
port for ssh) but it connects *FROM* a random port number above 1024. It's 
just how TCP tends to work; nobody cares about the source port when 
establishing a connection, only the destination port determines which service 
you're interested in.

> in the case of "gwen" the port is wrong, the user isn't on the
> whitelist/doesn't exist, but ssh still goes through the motions. Is
> there any reason for this? My only guess is that it would take the
> attacker more time trying a password each time than if they could just
> try again instantly if they were rejected quicker.

This is on purpose; it prevents the attacker from knowing whether the user 
actually exists or not.  The less information the attacker has, the better.  I 
also tend to obfuscate my ssh banner for the same reason.  If they don't know 
what version or whose implementation of ssh I'm using, they don't know whether 
I am vulnerable to certain targeted attacks, and it makes them waste more of 
their time (and my bandwidth, unfortunately) in trying all these methods which 
simply won't succeed.

-A.




More information about the kwlug-disc_kwlug.org mailing list