SSH hacked?

NoOp glgxg at sbcglobal.net
Tue Jan 13 02:59:39 UTC 2009


On 01/12/2009 05:56 PM, Kent Borg wrote:
> Protect ssh with the following:
> 
> 1. If using passwords, use long, quality passwords--passwords that are
> *not* recycled elsewhere.
> 2. If using keys, protect your private keys *very* carefully.
> 3. If offering accounts to others, worry that they also follow #1 and #2.

All good points.
> 
> ssh is a very secure protocol. If you have good keys/passwords, no
> script kiddie (or even serious foe) is going to break in with a
> brute-force attack. 

Agreed.

> Moving your sshd to an alternate port number is a
> silly distraction.

Really? I reckon that's your opinion, but I'd have to disagree.

https://help.ubuntu.com/community/AdvancedOpenSSH
<https://help.ubuntu.com/community/AdvancedOpenSSH#Start%20sshd%20on%20a%20Different%20Listening%20Port>


<http://isc.sans.org/port.html?port=22&repax=1&tarax=2&srcax=2&percent=N&days=70>

Indicates 22 is a pretty prime target.

vs a more obscure 100 for instance:

<http://isc.sans.org/port.html?port=100&repax=1&tarax=2&srcax=2&percent=N&days=70>

That said, I doubt any port is safe without basic common sense security
(your 1 & 2 for example). However, to call taking added measures such as
using an alternate port for a well known target a "silly distraction"
is, IMO, pretty silly in itself. To do so certainly doesn't hurt
anything. Further, once a script et al tags your 22, then it's
relatively easy to add your IP to the script lists, pass them along and
have other scripts/bots hammer away. It's considerably easier to do this
than to create a special bot script that says "this IP is running sshd
but it is on port xyz rather than 22".

Do a simple test; put up a machine on a naked dsl modem (no router or
denyhosts) for a few days and check the auth.log to see how many
dictionary attack attempts are attempted on 22.
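
The auth.log check suggested at the end of the message above, as an added example that is not part of the original post: it counts failed sshd password attempts per source address and flags sources that tried several different account names. The sample log lines, the function names and the three-user threshold are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# OpenSSH "Failed password" line as written to auth.log. The pattern is
# anchored to the end of the line and the user group is greedy, so text
# inside a username cannot be mistaken for the real source address.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2\s*$"
)

# Constructed sample lines (documentation IP ranges), not real log data.
SAMPLE_LOG = """\
Jan 10 03:12:01 box sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Jan 10 03:12:03 box sshd[2213]: Failed password for invalid user test from 203.0.113.7 port 41040 ssh2
Jan 10 03:12:05 box sshd[2215]: Failed password for root from 203.0.113.7 port 41055 ssh2
Jan 10 03:12:07 box sshd[2217]: Failed password for invalid user oracle from 203.0.113.7 port 41071 ssh2
Jan 10 09:30:12 box sshd[3100]: Failed password for alice from 198.51.100.20 port 50211 ssh2
Jan 10 09:30:20 box sshd[3100]: Accepted password for alice from 198.51.100.20 port 50211 ssh2
Jan 10 09:31:00 box CRON[3120]: pam_unix(cron:session): session opened for user root
"""


def summarize(lines):
    """Return {ip: {"failures": count, "users": set of names tried}}."""
    stats = defaultdict(lambda: {"failures": 0, "users": set()})
    for line in lines:
        m = FAILED.search(line)
        if m:
            entry = stats[m.group("ip")]
            entry["failures"] += 1
            entry["users"].add(m.group("user"))
    return dict(stats)


def dictionary_sources(stats, min_users=3):
    """Sources that tried at least min_users distinct account names.

    One user mistyping a password hits a single name; a dictionary run
    walks through many, so distinct names separate the two cases.
    """
    return sorted(ip for ip, s in stats.items() if len(s["users"]) >= min_users)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for ip, s in sorted(stats.items(), key=lambda kv: -kv[1]["failures"]):
        print(f"{ip:15} failures={s['failures']:3} distinct_users={len(s['users'])}")
    print("likely dictionary sources:", dictionary_sources(stats))
```

To run it against a real log, pass the opened file to `summarize()` in place of the sample lines.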








