[Gllug] ssh attacks

Russell Howe rhowe at siksai.co.uk
Fri Feb 3 12:20:32 UTC 2006


On Fri, Feb 03, 2006 at 11:29:36AM +0000, Bruce Richardson wrote:
> On Fri, Feb 03, 2006 at 10:39:11AM +0000, John wrote:
> > Am I right in assuming changing the ssh port is pointless
> 
> Moving the port would not protect you from a deliberate, targeted
> attack by someone who had purposely singled you out, but it would
> protect you from these automated attacks (or at least 99.9% of them).

It would also be quite likely to mean you didn't fall prey to some 0day
worm which went around trying to exploit some hitherto unknown bug in
your sshd, since it's highly likely such a thing would also only try
TCP port 22.

Recently a package called 'denyhosts' entered Debian unstable:

Description: an (sic) utility to help sys admins thwart ssh hackers
 DenyHosts is a python program that automatically blocks ssh
 brute-force attacks by adding entries to /etc/hosts.deny.
 It will also inform Linux administrators about offending
 hosts, attacked users and suspicious logins.
 .
 Differently from other software that do same work, denyhosts
 doesn't need support for packet filtering or any other kind
 of firewall in your kernel


I'm not sure it's worth it though. Just make sure that your passwords
are 'strong enough', and configure sshd to offer only the services you
need.

If you're also worried about the daemon being exploitable, then you will
want to take further measures, such as filtering connections to the sshd
port using a packet filtering firewall, or even setting up something
like port knocking (which I don't really like the idea of - as an
authentication protocol, it's vulnerable to a replay attack, unless you
determine the ports to be knocked via an OTP or other cryptographic
method, and if you start doing that, you're developing a full-blown
authentication protocol and you'll probably be better off using one of
the well-known, publicly scrutinised ones like, say, the one built
into sshd :).

Still, I guess port knocking has its place as a method of obfuscation if
you're practising "security in depth" etc. It should at least thwart
some (most?) attackers, freeing you to concentrate on defending against
concerted attacks (which you might decide is too difficult to do, and
leave it at that).

-- 
Russell Howe       | Why be just another cog in the machine,
rhowe at siksai.co.uk | when you can be the spanner in the works?
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
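The denyhosts approach discussed in the message, as an added example that is not part of the original post and not the DenyHosts project's own code: it scans sshd auth-log lines for failed-password and invalid-user messages, counts failures per source address, and renders the /etc/hosts.deny entries that would block any host at or above a threshold. The log lines, addresses, threshold and allow-list are constructed for the example.

```python
"""Minimal denyhosts-style detector (added example, not the DenyHosts code).

Scans sshd auth-log lines, counts failed logins per source host, and
produces tcp_wrappers entries for /etc/hosts.deny.
"""
import re
from collections import Counter

# Constructed sample auth-log lines in the syslog format sshd writes.
SAMPLE_AUTH_LOG = """\
Feb  3 11:02:14 host sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Feb  3 11:02:16 host sshd[4125]: Failed password for invalid user test from 203.0.113.7 port 50212 ssh2
Feb  3 11:02:19 host sshd[4127]: Failed password for root from 203.0.113.7 port 50214 ssh2
Feb  3 11:02:21 host sshd[4129]: Invalid user oracle from 203.0.113.7
Feb  3 11:03:40 host sshd[4140]: Failed password for rhowe from 198.51.100.23 port 40102 ssh2
Feb  3 11:03:55 host sshd[4142]: Accepted publickey for rhowe from 198.51.100.23 port 40103 ssh2
Feb  3 11:04:02 host sshd[4150]: Failed password for invalid user guest from 192.0.2.99 port 3333 ssh2
"""

# The two sshd messages that indicate a failed or bogus login attempt.
# Note: one attempt against a non-existent user can log both an "Invalid user"
# line and a "Failed password for invalid user" line, so the count is an
# upper bound on distinct attempts, which is fine for a blocking threshold.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+)"
)
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<host>\S+)")


def parse_failures(log_text):
    """Return a list of (host, user) tuples, one per failed/invalid login line."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line) or INVALID_RE.search(line)
        if m:
            failures.append((m.group("host"), m.group("user")))
    return failures


def offending_hosts(log_text, threshold=3, allow=()):
    """Count failures per source host and return those at or above `threshold`.

    `allow` is a list of addresses never to block (your own admin box, say),
    so a typo-prone legitimate user cannot lock you out of your own server.
    """
    counts = Counter(host for host, _ in parse_failures(log_text))
    return {h: n for h, n in counts.items() if n >= threshold and h not in allow}


def hosts_deny_entries(hosts, daemon="sshd"):
    """Render /etc/hosts.deny lines (tcp_wrappers "daemon: client" syntax)."""
    return [f"{daemon}: {host}" for host in sorted(hosts)]


if __name__ == "__main__":
    blocked = offending_hosts(SAMPLE_AUTH_LOG, threshold=3)
    for entry in hosts_deny_entries(blocked):
        print(entry)
```

The reason this needs no packet filter, as the package description says, is that it relies on sshd consulting /etc/hosts.deny via tcp_wrappers (libwrap); an sshd built without libwrap support ignores the file entirely, so check that before depending on this mechanism. In practice the tool also needs to remember how much of the log it has already read, and an allow-list matters because the log shows the source address, not who is behind it.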
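The replay weakness of port knocking that the message points out, and the OTP-style fix it mentions, as an added example that is not part of the original post and not the code of any real port-knocking tool: a static knock sequence is accepted every time it is presented, so a recorded sequence works again; a sequence derived from HMAC(secret, time window) changes every window, and the verifier refuses a window it has already honoured. The secret, port numbers and window length are constructed for the example.

```python
"""Static vs. time-derived port-knock sequences (added example, constructed).

Shows why a fixed knock sequence is replayable and how deriving the
sequence from a shared secret and a time window removes that weakness.
"""
import hashlib
import hmac
import struct

WINDOW = 30  # seconds per knock window (constructed value)

# A fixed knock sequence: the same three ports every time (constructed values).
STATIC_SEQUENCE = (1234, 5678, 9012)


def static_verify(ports):
    """Accept whenever the presented ports equal the fixed sequence.

    Anyone who has observed one successful knock can present it again.
    """
    return tuple(ports) == STATIC_SEQUENCE


def derived_sequence(secret, epoch, n=3, port_min=1024, port_max=65535):
    """Derive n ports from HMAC-SHA256(secret, epoch); changes every WINDOW seconds."""
    digest = hmac.new(secret, struct.pack(">Q", epoch), hashlib.sha256).digest()
    span = port_max - port_min + 1
    return tuple(
        port_min + int.from_bytes(digest[2 * i:2 * i + 2], "big") % span
        for i in range(n)
    )


class KnockVerifier:
    """Server side: accepts a sequence for the current window (plus `skew`
    neighbouring windows for clock drift) and honours each window once."""

    def __init__(self, secret, skew=1):
        self.secret = secret
        self.skew = skew
        self.used = set()  # windows already redeemed

    def check(self, ports, now):
        epoch = now // WINDOW
        for e in range(epoch - self.skew, epoch + self.skew + 1):
            if tuple(ports) == derived_sequence(self.secret, e):
                if e in self.used:
                    return False  # replay of a sequence already honoured
                self.used.add(e)
                return True
        return False  # wrong secret, or a sequence from an expired window


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    now = 100 * WINDOW + 5
    seq = derived_sequence(secret, now // WINDOW)
    v = KnockVerifier(secret)
    print("first knock:", v.check(seq, now))        # True
    print("replayed knock:", v.check(seq, now + 3))  # False
```

This is exactly the point the message makes: once you add a secret, a time window and replay tracking, you have built an authentication protocol, with all the clock-skew and key-management questions that come with it, and the one already in sshd has had far more scrutiny.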