[kwlug-disc] Tightening up SSH
unsolicited at swiz.ca
Mon Jul 19 23:55:30 EDT 2010
Brad Bierman wrote, On 07/19/2010 11:35 PM:
> I will weigh in here as well (even if I am really late).
> I agree that changing the port from 22 is just security through
> obscurity, but it also tells you the level of commitment/sophistication
> of the attacker and doesn't fill up your logs. I have found that having
> lots of false positives (trying a user name that will not work or
> dictionary attacks) can hide the attacks that you are worried about. In
> three years on my own systems I have not seen attacks against my ssh
> ports, but before I was getting about 1MB of logs a day in just brute
> force attacks that would not succeed.
> Here is a good writeup about different ways to deal with the attacks. I
> am adding it to the conversation just for completeness.
> Most will not know what port knocking is so here is another explanation.
> My last suggestion is to use the country-to-IP-address lists
> (http://www.countryipblocks.net/) to filter out countries that you don't
> want accessing your system's ssh port. This can be done in your iptables
> config. This will also cut down on the size of your logs.
Fair point. I actually assumed, early on in this thread, that one's
gateway was filtering against bogons, martians, etc. (both ways). [Let
alone helping prevent something that sneaks in from taking down your
Roger's internet service.] Adding additional IPs (e.g. foreign
countries) only makes sense. Which probably, to some extent, further
reduces log size and eye time.
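As an added example (not part of this thread, and not anyone's posted config), the following POSIX shell script turns the two filtering suggestions above, a country CIDR list and bogon/martian ranges, into an ipset restore file plus iptables rules. It prints them instead of applying them, so the output can be reviewed before being loaded as root. The interface name WAN_IF, the port SSH_PORT, the set names and the sample CIDR list are all assumptions; the sample list is constructed from RFC 5737 documentation prefixes and is not an export from countryipblocks.net.

```shell
#!/bin/sh
# Added example, not from the thread: generate (do not apply) ipset + iptables
# rules that drop SSH from a country CIDR list and drop bogon/martian traffic
# on the WAN side.  Review the output, then load it as root, e.g.
#   ipset restore < sets.txt   and   sh rules.txt
# Assumptions: WAN_IF, SSH_PORT and the set names below are placeholders;
# ipset(8) and the iptables "set" match are available on the target.

WAN_IF=${WAN_IF:-eth0}
SSH_PORT=${SSH_PORT:-2222}   # sshd listens here instead of 22 (Port 2222 in sshd_config)

# Starting list of ranges that must never appear as a source on the public
# side; extend it from a current bogon list.  RFC 1918 is included, so drop
# those entries if you ever manage the box over a tunnel that uses them.
MARTIANS="0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 \
172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4"

# Constructed sample country list (documentation prefixes) standing in for a
# real export; it deliberately contains comments, junk and bad entries.
SAMPLE_LIST='# country: Example
203.0.113.0/24
198.51.100.0/24   # trailing comment is fine
256.1.1.0/24
10.0.0.0/8; echo injected
192.0.2.0/33
'

# valid_cidr A.B.C.D/N: every octet 0-255 and N 0-32, nothing else.  Every
# entry ends up as ipset/iptables command text, so it is validated, not trusted.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%/*}
    plen=${1#*/}
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    oldifs=$IFS
    IFS=.
    set -f              # no pathname expansion while splitting on '.'
    set -- $ip
    set +f
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_ipset_restore: read CIDRs on stdin ('#' comments and blank lines allowed)
# and write an `ipset restore` script to stdout; rejected entries go to stderr.
gen_ipset_restore() {
    echo "create martians hash:net"
    for m in $MARTIANS; do echo "add martians $m"; done
    echo "create ssh_blocked hash:net"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d ' \t\r')
        [ -n "$line" ] || continue
        if valid_cidr "$line"; then
            echo "add ssh_blocked $line"
        else
            echo "skipped invalid entry: $line" >&2
        fi
    done
}

# gen_iptables_rules: the filter rules that use those sets.  Meant to be merged
# into a ruleset whose INPUT policy is already DROP; a box that also routes for
# a LAN needs the martian rules on FORWARD as well.
gen_iptables_rules() {
    cat <<EOF
iptables -A INPUT  -i $WAN_IF -m set --match-set martians src -j DROP
iptables -A OUTPUT -o $WAN_IF -m set --match-set martians dst -j DROP
iptables -A INPUT  -i $WAN_IF -p tcp --dport $SSH_PORT -m set --match-set ssh_blocked src -j DROP
iptables -A INPUT  -i $WAN_IF -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Demo run against the constructed list; nothing is applied.
printf '%s\n' "$SAMPLE_LIST" | gen_ipset_restore
gen_iptables_rules
```

The country drop sits in front of the ACCEPT for the SSH port, so a connection from a blocked range never reaches sshd and never produces an auth log line, which is the log-volume point made above; the martian rules are applied in both directions on the WAN interface, matching the "both ways" remark.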