[Gllug] ssh brute force attacks

Bruce Richardson itsbruce at workshy.org
Mon Dec 8 17:52:24 UTC 2008


On Mon, Dec 08, 2008 at 03:48:22PM +0000, Alain wrote:
> 
> I don't really see the point of running ssh on anything other than port 22 - that
> would be defeated with a port scan.

The likelihood of you being directly targeted by a malicious attacker
who will work methodically to discover what you are running on every
port is tiny.  The chance of you being attacked by bots that only look
at port 22 for ssh is 100%.  Listening on a different port will give you
complete protection against the latter and will at least inconvenience
the former.  Consider that zero day attacks are almost always launched
by the latter, not the former.  Also that the number of places where
egress to port 22 is blocked is rather higher than those which block
more mundane services.

> 
> Anyone implemented port knocking - as much as in an SSH client as the server?

I use two layers of port knocking (completely different implementations
at either end of a DMZ) as well as having ssh listening on a port other
than 22 (amongst other precautions).  You can implement a "knocker"
anywhere you have netcat and sh.  On more limited platforms (e.g.
PalmOS), I have managed to improvise.

-- 
Bruce

If the universe were simple enough to be understood, we would be too
simple to understand it.
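Added example, not code from the post above nor from any knocking tool Bruce uses: a minimal port-knock daemon as a state machine (the side that watches connection attempts and opens the "door" for a source address only after the right port sequence, in order, within a time window) fed from constructed iptables-style LOG lines, plus a knock client that does what a `nc -z -w 1 host port` loop in sh does. Port numbers, addresses, the window and open durations, and the log lines are all constructed for the example.

```python
"""Port-knocking state machine and knock client (added example, not the post's code)."""
import re
import socket
import time
from dataclasses import dataclass, field


@dataclass
class KnockDaemon:
    """Tracks per-source progress through a knock sequence (hypothetical design)."""
    sequence: tuple            # ports that must be hit in this exact order
    window: float = 10.0       # seconds allowed to complete the whole sequence
    open_for: float = 30.0     # seconds the door stays open after a good knock
    # src -> (index of next expected port, time of first knock in this attempt)
    _progress: dict = field(default_factory=dict)
    _allowed: dict = field(default_factory=dict)   # src -> expiry time

    def observe(self, src, port, now):
        """Feed one connection attempt. Returns True when src just completed the sequence."""
        idx, started = self._progress.get(src, (0, now))
        if idx and now - started > self.window:      # too slow: discard stale progress
            idx, started = 0, now
        if port != self.sequence[idx]:
            # out-of-order knock resets the attempt; a stray hit on the first
            # port of the sequence still counts as the start of a fresh attempt
            idx, started = 0, now
            if port != self.sequence[0]:
                self._progress.pop(src, None)
                return False
        if idx == 0:
            started = now
        idx += 1
        if idx == len(self.sequence):
            self._progress.pop(src, None)
            self._allowed[src] = now + self.open_for
            return True
        self._progress[src] = (idx, started)
        return False

    def is_allowed(self, src, now):
        """True while the door is open for src; expired entries are dropped."""
        expiry = self._allowed.get(src)
        if expiry is None:
            return False
        if now > expiry:
            del self._allowed[src]
            return False
        return True


# iptables LOG lines carry SRC= and DPT= fields; the parser only needs those two.
LOG_RE = re.compile(r"SRC=(?P<src>\S+).*?DPT=(?P<dpt>\d+)")


def feed_log(daemon, lines, now=0.0):
    """Replay log lines (one per second, starting at `now`) and return sources that opened the door."""
    opened = []
    for i, line in enumerate(lines):
        m = LOG_RE.search(line)
        if not m:
            continue
        if daemon.observe(m["src"], int(m["dpt"]), now + i):
            opened.append(m["src"])
    return opened


def knock(host, sequence, delay=0.2, timeout=0.5):
    """Client side: one TCP connect attempt per port, in order.

    The ports are closed, so each connect fails; only the logged attempt
    matters. Returns the number of knocks sent.
    """
    for port in sequence:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:
            pass          # refused/timed out is the expected outcome
        finally:
            s.close()
        time.sleep(delay)
    return len(sequence)


# Constructed sample: one source knocks correctly, another just probes port 22.
SAMPLE_LOG = [
    "KNOCK IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=7000",
    "KNOCK IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=22",
    "KNOCK IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=8000",
    "KNOCK IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=9000",
]

if __name__ == "__main__":
    d = KnockDaemon(sequence=(7000, 8000, 9000))
    print("opened for:", feed_log(d, SAMPLE_LOG))
    print("allowed at t=5:", d.is_allowed("192.0.2.10", 5.0))
```

Two points the state machine makes explicit: a wrong port in the middle of a sequence throws the attempt away (so a scanner walking ports in numeric order never completes a non-monotonic sequence), and the completed knock only opens the door for a limited time, after which the source must knock again. The `knock` client is the socket equivalent of looping `nc -z -w 1 host port` over the sequence in sh; the 0.2 s pause keeps the attempts in order on the receiving side.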