[kwlug-disc] Tightening up SSH
John Van Ostrand
john at netdirect.ca
Mon Jul 19 20:10:42 EDT 2010
----- Original Message -----
> # nmap -sS -p 22,122,222,2022,2222 ip.address.or.net
> Yes, but that is a hypothetical situation, or a targeted attack
> (deliberately wanting to penetrate this specific server).
Okay, how about:
# nmap -sS -p 22,122,222,2022,2222 0.0.0.0/0
(then wait a long time)
It will scan the entire public address space of the Internet and some ;) Add a grep, sed and use it as input for a worm.
> A targeted attack may succeed that way, and honestly, probably no one
> can prevent a targeted attack, only delay it.
> sS -p 22,122,222,2022,2222
> But for the random scans that happen every hour on the net, the bots
> scan for common exploits and that means port 22 for ssh.
> Run it on another port and 99% of scans for ssh will go away. You are
> less vulnerable (note: less vulnerable != more secure), but also there
> is less noise in the logs, less use of disk space, and less resources
> used by these attacks.
Using obfuscation without also addressing known vulnerabilities is a defence that will only last so long. Correcting the known vulnerabilities adds much more time. Continuing to correct known vulnerabilities as they are found adds the most time.
I should know. I took the path of simple obfuscation years ago and became tired of how often I was bit in the ass.
I know you agree with this. I just have to re-iterate in case someone reads this email out of context.
And to be clear I also believe that right now the port change obfuscation works pretty well all by itself. Suggesting that this is a good defence may lead readers down a road of relying on simple obfuscation that will dead-end. The mentality of using simple obfuscation is a recipe for failure.
It's far easier in my opinion and experience to use proper techniques now and avoid an intrusion in the future. A stitch in time...
John Van Ostrand
Net Direct Inc.
564 Weber St. N. Unit 12, Waterloo, ON N2L 5C6
Ph: 866-883-1172 x5102
Linux Solutions / IBM Hardware
More information about the kwlug-disc_kwlug.org