SSH hacked?

Mark Haney mhaney at ercbroadband.org
Tue Jan 13 22:20:08 UTC 2009


Karl Larsen wrote:
> Res wrote:
>   
>> On Tue, 13 Jan 2009, Kent Borg wrote:
>>
>>> My first suggestion for keeping ssh secure was to have long, quality
>>> passwords that are not recycled. Judging from the fact that I am the
>> Fully agree
>>
>>> Conclusion: Moving sshd to a different port is a distraction from real
>>> issues of security.
>> Agreed
>>
>>
>>> you don't recycle on different systems), a maintained system is NOT
>>> vulnerable to a brute force attack. Repeat, it is NOT vulnerable to a
>> Disagree, given time, anything is possible.
>>
>>> Instead of wasting your time hiding your sshd where any port scan will
>>> find it, ask yourself the above question, honestly answer it, and act on
>>> the answer.
>> Leave it on 22, have quality passwords and iptables accept rules for only 
>> authorised IPs, and yes that's still a risk, because you don't know if an 
>> auth'd IP box was taken or not, there is no substitute for long and 
>> complicated passwords (lengthy mixed upper and lowercase with numbers); 
>> most systems these days allow for at least 16 chars in a password, most a
>> hell of a lot more.
>>
>>>  sudo iptables -A INPUT -i _eth0_ -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
>>>  sudo iptables -A INPUT -i _eth0_ -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
>> I agree with this, however I use 4 hitcounts :)
>>
>>
> I ssh to my big 8.04 home computer from my 8.10 laptop. It is 
> through 2 routers and works fine.
>
> Tested, and the ssh daemon seems to have a drop-out point after 3 
> wrong passwords. So it appears that a person trying to gain access has 
> to reconnect after each three tries. This should slow down the breaking 
> in :-)
>
> Karl
>
>
This is not as big a deterrent as you think.  A typical 'brute force' 
attack nowadays is usually six to seven tries per IP over the course of 
weeks or months.  This does two things: it narrows down potential 
usernames (and passwords) and makes it harder to protect against.  
That's why I use fail2ban.  Most users don't change passwords often (or, 
indeed, at all), so this type of attack is more successful than you would 
think.  Granted, using strong passwords helps, but no matter how strong it 
is, if you don't change it regularly, it'll get hacked.


-- 
Mark Haney
mhaney at ercbroadband.org
Fedora release 9 (Sulphur)
 Kernel: 2.6.25.10-86.fc9.i686 GNU/Linux

 16:31:50 up 3 days,  6:20,  2 users,  load average: 0.96, 0.77, 0.85
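As an added example (not from anyone in this thread), the Python below runs two checks over constructed auth.log lines: a per-IP burst check with the same logic as the quoted iptables "recent" rule (using the hitcount of 4 that Res mentions), and a per-account check that counts distinct source addresses over a month. It shows why the spread-out pattern Mark describes slips past the first check and is caught by the second. The host name, addresses and timestamps are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd "Failed password" line as it appears in auth.log (the year is not logged)
FAILED_RE = re.compile(r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password "
                       r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$")

def parse(text, year=2009):
    """Return [(timestamp, user, ip)] for each failed-password line in text."""
    return [(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["user"], m["ip"])
            for m in map(FAILED_RE.match, text.splitlines()) if m]

def burst_offenders(events, window=timedelta(seconds=60), hitcount=4):
    """Per-IP burst check (iptables 'recent' logic): flag an IP with `hitcount` tries inside `window`."""
    by_ip = defaultdict(list)
    for ts, _, ip in events:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        if any(times[i] - times[i - hitcount + 1] <= window
               for i in range(hitcount - 1, len(times))):
            flagged.add(ip)
    return flagged

def slow_campaigns(events, window=timedelta(days=30), min_ips=4):
    """Low-and-slow check: distinct source IPs failing against one account within `window` of its first failure."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, hits in by_user.items():
        first = min(ts for ts, _ in hits)
        ips = {ip for ts, ip in hits if ts - first <= window}
        if len(ips) >= min_ips:
            flagged[user] = len(ips)
    return flagged

# Constructed sample: one try per IP against "admin" spread over two weeks, plus one noisy IP on "root"
SAMPLE_LOG = """\
Jan 02 03:11:09 box sshd[2101]: Failed password for invalid user admin from 203.0.113.11 port 40110 ssh2
Jan 05 14:52:40 box sshd[2188]: Failed password for invalid user admin from 203.0.113.12 port 40221 ssh2
Jan 09 22:05:17 box sshd[2302]: Failed password for invalid user admin from 203.0.113.13 port 40332 ssh2
Jan 13 06:40:01 box sshd[2477]: Failed password for invalid user admin from 203.0.113.14 port 40443 ssh2
Jan 13 22:20:09 box sshd[2511]: Failed password for root from 198.51.100.7 port 51001 ssh2
Jan 13 22:20:10 box sshd[2512]: Failed password for root from 198.51.100.7 port 51002 ssh2
Jan 13 22:20:12 box sshd[2513]: Failed password for root from 198.51.100.7 port 51003 ssh2
Jan 13 22:20:15 box sshd[2514]: Failed password for root from 198.51.100.7 port 51004 ssh2
"""
```

Running `burst_offenders(parse(SAMPLE_LOG))` flags only 198.51.100.7, while `slow_campaigns(parse(SAMPLE_LOG))` reports the admin account hit from four different addresses, which is the pattern a per-IP rate limit never sees.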
More information about the ubuntu-users mailing list