[kwlug-disc] Tightening up SSH

unsolicited unsolicited at swiz.ca
Mon Jul 19 23:55:30 EDT 2010


Brad Bierman wrote, On 07/19/2010 11:35 PM:
> I will weigh in here as well (even if I am really late).
> 
> I agree that changing the port from 22 is just security through 
> obscurity, but it also tells you the level of commitment/sophistication 
> of the attacker and doesn't fill up your logs. I have found that having 
> lots of false positives (trying a user name that will not work or 
> dictionary attacks) can hide the attacks that you are worried about.  In 
> three years on my own systems I have not seen attacks against my ssh 
> ports, but before I was getting about 1MB of logs a day in just brute 
> force attacks that would not succeed.
> 
> Here is a good writeup about different ways to deal with the attacks.  I 
> am adding it to the conversation just for completeness.
> http://www.la-samhna.de/library/brutessh.html
> 
> Most will not know what port knocking is so here is another explanation.
> http://www.portknocking.org/
> 
> My last suggestion is to use the country to IP address 
> (http://www.countryipblocks.net/) to filter out countries that you don't 
> want access to your system's ssh port.  This can be done in your iptables 
> config.  This will also cut down on the size of your logs.

Fair point. I actually assumed, early on in this thread, that one's 
gateway was filtering against bogons, martians, etc. (both ways). [Let 
alone, help prevent something that sneaks in from taking down your 
Rogers internet service.] Adding additional IPs (e.g. foreign 
countries) only makes sense. Which probably, to some extent, further 
reduces log size and eye time.

http://www.team-cymru.org/Services/Bogons/
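As an added illustration of the two ideas in this thread (filter bogons and unwanted country blocks at the gateway, then look at what is left in the sshd log), here is a small Python script. It is not from the original message or any of the linked sites: the bogon list is a constructed subset of well-known reserved ranges (the maintained list is the Team Cymru feed above), the "blocked country" range is the RFC 5737 documentation network 203.0.113.0/24 standing in for a real allocation from countryipblocks.net, the log excerpt is constructed, and the interface name eth0 and the rule layout are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed subset of reserved ranges that should never appear as a
# source address on a public-facing interface (RFC 1918, loopback,
# link-local, multicast, class E). The authoritative, maintained list is
# the Team Cymru bogon feed; this list is illustrative only.
BOGON_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Placeholder for the country allocations you choose to block.
# 203.0.113.0/24 (RFC 5737 documentation range) stands in for a real
# country block obtained from a source such as countryipblocks.net.
BLOCKED_COUNTRY_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sshd log excerpt in the default syslog format.
SAMPLE_AUTH_LOG = """\
Jul 19 23:40:01 gw sshd[4311]: Failed password for invalid user admin from 10.0.0.5 port 40122 ssh2
Jul 19 23:40:03 gw sshd[4311]: Failed password for invalid user admin from 10.0.0.5 port 40123 ssh2
Jul 19 23:40:05 gw sshd[4312]: Failed password for root from 10.0.0.5 port 40130 ssh2
Jul 19 23:41:10 gw sshd[4320]: Failed password for root from 203.0.113.9 port 51002 ssh2
Jul 19 23:41:12 gw sshd[4320]: Failed password for invalid user oracle from 203.0.113.9 port 51003 ssh2
Jul 19 23:42:30 gw sshd[4333]: Failed password for root from 198.51.100.7 port 33001 ssh2
Jul 19 23:42:31 gw sshd[4333]: Accepted publickey for alice from 198.51.100.7 port 33002 ssh2
Jul 19 23:42:40 gw sshd[4334]: Failed password for invalid user test from 198.51.100.7 port 33003 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")


def classify(ip_text):
    """Return 'bogon', 'blocked', or 'allowed' for one source address."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in BOGON_RANGES):
        return "bogon"
    if any(ip in net for net in BLOCKED_COUNTRY_RANGES):
        return "blocked"
    return "allowed"


def parse_failed_logins(log_text):
    """Yield (username, source_ip) for each failed password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group(1), m.group(2)


def triage(log_text):
    """Count failures by class; 'remaining' is what survives the filters,
    i.e. the sources still worth a human's eye time."""
    counts = Counter()
    remaining = Counter()
    for _user, ip in parse_failed_logins(log_text):
        kind = classify(ip)
        counts[kind] += 1
        if kind == "allowed":
            remaining[ip] += 1
    return {"counts": counts, "remaining": remaining}


def iptables_rules(ssh_port=22, iface="eth0"):
    """Emit iptables commands mirroring classify(). iface is an assumed
    external interface name; adjust it to your gateway."""
    rules = []
    # Bogon sources are dropped for every protocol, not only ssh.
    for net in BOGON_RANGES:
        rules.append(f"iptables -A INPUT -i {iface} -s {net} -j DROP")
    # Country blocks are applied only to the ssh port.
    for net in BLOCKED_COUNTRY_RANGES:
        rules.append(f"iptables -A INPUT -i {iface} -p tcp --dport {ssh_port} "
                     f"-s {net} -j DROP")
    # Rate-limited logging of new connections keeps the log readable.
    rules.append(f"iptables -A INPUT -i {iface} -p tcp --dport {ssh_port} "
                 f"-m conntrack --ctstate NEW -m limit --limit 3/min "
                 f"-j LOG --log-prefix \"ssh-new: \"")
    rules.append(f"iptables -A INPUT -i {iface} -p tcp --dport {ssh_port} -j ACCEPT")
    return rules


if __name__ == "__main__":
    result = triage(SAMPLE_AUTH_LOG)
    print("failed logins by class:", dict(result["counts"]))
    print("sources left to investigate:", dict(result["remaining"]))
    print("\n".join(iptables_rules()))
```

Run as-is it reports three failures from a private (bogon) address, two from the stand-in country block, and two from a public address that the filters would not have stopped; only that last source remains to be investigated. The generated rules are printed rather than applied, so they can be reviewed and the interface name fixed before loading them on the gateway.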
