[kwlug-disc] Tightening up SSH

John Van Ostrand john at netdirect.ca
Mon Jul 19 20:10:42 EDT 2010


----- Original Message -----
> # nmap -sS -p 22,122,222,2022,2222 ip.address.or.net
> 
> Yes, but that is a hypothetical situation, or a targeted attack
> (deliberately wanting to penetrate this specific server).

Okay, how about:

# nmap -sS -p 22,122,222,2022,2222 0.0.0.0/0

(then wait a long time) 

It will scan the entire public address space of the Internet and some ;) Add a grep, sed and use it as input for a worm.

> A targeted attack may succeed that way, and honestly, probably no one
> can prevent a targeted attack, only delay it.
> But for the random scans that happen every hour on the net, the bots
> scan for common exploits and that means port 22 for ssh.
> 
> Run it on another port and 99% of scans for ssh will go away. You are
> less vulnerable (note: less vulnerable != more secure), but also there
> is less noise in the logs, less use of disk space, and less resources
> used by these attacks.

Using obfuscation without also addressing known vulnerabilities is a defence that will only last so long. Correcting the known vulnerabilities adds much more time. Continuing to correct known vulnerabilities as they are found adds the most time.

I should know. I took the path of simple obfuscation years ago and became tired of how often I was bitten in the ass.

I know you agree with this. I just have to re-iterate in case someone reads this email out of context.

And to be clear, I also believe that right now the port change obfuscation works pretty well all by itself. Suggesting that this is a good defence may lead readers down a road of relying on simple obfuscation that will dead-end. The mentality of using simple obfuscation is a recipe for failure.

It's far easier in my opinion and experience to use proper techniques now and avoid an intrusion in the future. A stitch in time...

-- 
John Van Ostrand 
CTO, co-CEO 
Net Direct Inc. 
564 Weber St. N. Unit 12, Waterloo, ON N2L 5C6 
Ph: 866-883-1172 x5102 
Fx: 519-883-8533 

Linux Solutions / IBM Hardware 
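As an added example (not from the original post, and not anything the author wrote), the "grep, sed" step the message alludes to: a short Python script that turns nmap's grepable output (-oG) for the port list above into a list of hosts with one of the candidate SSH ports open. The scan output embedded below is constructed, using documentation addresses, not a real scan. It also shows the check a practitioner would want: a plain -sS SYN scan does not fingerprint the service, so the service column for a relocated sshd is only the nmap-services table guess (2222 shows up as EtherNetIP-1), and the filter has to be on port number, confirmed afterwards with -sV or a banner grab.

```python
"""Parse nmap grepable (-oG) output and list hosts that have one of the
candidate SSH ports from the thread open.  The sample scan output below is
constructed for illustration; 192.0.2.0/24 is a documentation range."""

SSH_CANDIDATE_PORTS = {22, 122, 222, 2022, 2222}

# Constructed sample of `nmap -sS -p 22,122,222,2022,2222 -oG - 192.0.2.0/29`.
# Fields in -oG are tab separated; port entries are "port/state/proto/owner/
# service/rpcinfo/version/" separated by ", ".
SAMPLE_GREPABLE = (
    "# Nmap 5.21 scan initiated as: nmap -sS -p 22,122,222,2022,2222 -oG - 192.0.2.0/29\n"
    "Host: 192.0.2.1 ()\tStatus: Up\n"
    "Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh///, 2222/closed/tcp//EtherNetIP-1///"
    "\tIgnored State: filtered (3)\n"
    "Host: 192.0.2.2 ()\tStatus: Up\n"
    # sshd moved to 2222: without -sV nmap labels it with the nmap-services
    # name for that port, so filtering on the word "ssh" would miss it.
    "Host: 192.0.2.2 ()\tPorts: 22/closed/tcp//ssh///, 2222/open/tcp//EtherNetIP-1///"
    "\tIgnored State: filtered (3)\n"
    "Host: 192.0.2.3 ()\tStatus: Up\n"
    "Host: 192.0.2.3 ()\tPorts: 22/filtered/tcp//ssh///\tIgnored State: closed (4)\n"
    "# Nmap done -- 8 IP addresses (3 hosts up) scanned in 2.17 seconds\n"
)


def parse_grepable(text):
    """Return {host: [open tcp ports]} from nmap -oG text.

    Only 'open' entries count: nmap lists closed/filtered ports too when
    they were named explicitly with -p."""
    open_ports = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                      # comment lines and blank lines
        fields = line.split("\t")
        host = fields[0].split()[1]       # "Host: 192.0.2.1 ()" -> address
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")  # port/state/proto/owner/service/...
                if len(parts) < 3:
                    continue
                port, state, proto = parts[0], parts[1], parts[2]
                if state == "open" and proto == "tcp":
                    open_ports.setdefault(host, []).append(int(port))
    return open_ports


def ssh_candidates(text, ports=SSH_CANDIDATE_PORTS):
    """(host, port) pairs where one of the candidate SSH ports is open.

    Filters by port number, not by the service column: a bare SYN scan does
    no service detection, so a relocated sshd is not labelled 'ssh'.  Follow
    up with `nmap -sV -p <port> <host>` or a banner grab to confirm."""
    hits = []
    for host, open_list in parse_grepable(text).items():
        for port in open_list:
            if port in ports:
                hits.append((host, port))
    return hits


if __name__ == "__main__":
    for host, port in ssh_candidates(SAMPLE_GREPABLE):
        print(f"{host}:{port}")
```

Run against real output with `nmap -sS -p 22,122,222,2022,2222 -oG scan.gnmap <target>` and feed the file to `ssh_candidates`. The point the thread makes is visible in the sample: the host that moved sshd to 2222 is found as easily as the one on 22 once the alternate ports are in the -p list.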



