SSH hacked?

[NoOp]

On 01/13/2009 08:45 AM, Kent Borg wrote:
> NoOp wrote:
>> [on moving sshd to different ports being a silly distraction] Really? I reckon that's your opinion, but I'd have to disagree.
>>   
> 
> Passwords are hard to manage. Every system that issues you an account
> seems to think that that is your only password in the world. But it
> isn't. We all have a zillion accounts, all with passwords or PINs, and
> managing them is difficult--so the obvious reaction is to have a small
> set of passwords and reuse (or recycle) them on multiple accounts.
> 
> My first suggestion for keeping ssh secure was to have long, quality
> passwords that are not recycled. Judging from the fact that I am the
> only person I know who does not recycle passwords, this is a RADICAL
> suggestion! Yet it prompted no reaction. People kept talking about
> moving sshd to different ports.

You seemed to miss the response of "All good points"...

> 
> Conclusion: Moving sshd to a different port is a distraction from real
> issues of security. (Like the old joke about the drunk looking for his
> keys under the street light because it is easier to see there--no matter
> that he dropped in the dark alley.)

Yeah, well if the keys are in the dark alley, it is quite unlikely that
the drunk will find them looking under the streetlight...

> 
> If you have a quality pasword that you don't give to others (that is,
> you don't recycle on different systems), a maintained system is NOT
> vulnerable to a brute force attack. Repeat, it is NOT vulnerable to a
> brute force attack. Period. Moving sshd to a different port accomplishes
> nothing good but shrinking your log files a little, but it does risk
> doing damage: if it gives you a false sense of security such that you
> continue to use poor passwords or tell others your passwords (by reusing
> them elsewhere), that complacency will make matters worse.
> 
> Is your password both high quality and secret? Well, IS it??

Bit excited there eh? The answer is YES. I've been doing passwords for
nigh on 35 years now; including 7 years working in government ciphony in
the 70's and 80's, so I'm pretty well versed on how to manage my passwords.

> 
> If yes: Then quit worrying. Trust ssh to do its job.

The _suggestion_ to use a different port is just that, a *suggestion* to
make it harder/more difficult for the bots that purposely scan 22 to
find. The same is applicable to VNC ports and the like. Given the
security issues with ssh in the recent past, I seldom trust any security
program to just do it's job... You do realize that we are actually
talking about OpenSSH here & remember the OpenSSH 2008:

http://www.ubuntu.com/usn/

That is not to say that ssh shouldn't be trusted, at least not to the
extent that any other (ssl for example) similar "secure"
protocol/application can't be trusted. However, it is important to
realize that anything, and I do mean anything, can be
compromised/hacked/cracked/exploited eventually. The most common method
for this is the human factor; those that believe their passwords are
clever, impervious, and secure, only to stick them on a Post-It note and
stick it on their termial or under their keyboard, etc.

> 
> If no: Get a better password. And this time don't give anyone else a
> copy of it (i.e., don't reuse it elsewhere).

Don't forget to manage it properly. And who implied that I'd given
anyone else a copy of my password(s)?

> 
> 
> Instead of wasting your time hiding your sshd where any port scan will
> find it, ask yourself the above question, honestly answer it, and act on
> the answer.

Instead of wasting everyone's time discounting an added suggestion of
altering well known ports (yes I do realize that obfuscation is not a
panecea for security), why don't you try as I suggested? Put a machine
w/ssh on an open DSL/Cable modem and watch your logs for a few days?
You'll need to keep your IP the same during the test.

I think you will find that the existing bots out there will in fact
eventually pickup your port 22, and the scripts will pass that along to
other bot machines. The result is sort of like flies drawn to honey;
eventually multiple bots will start dictionary ssh attempts.

While there are all sorts of pros/cons regarding obfuscating
ports/services (as others have pointed out), I fail to understand your
outright dismissal of the suggestion. Bot scripts are typically not
written to sit on an IP and do a full scan of services; to do so would:
1) take to long, and 2) would likely draw attention to the scan due to
the length of the scan. Instead most will instead be programmed to look
for common exploitable ports, check those, and move on.
Note: I've no proof of that last statement, but I'm pretty sure that
some digging can probably provide verification.

> 
> 
> A serious flaw in my harping on using quality passwords is that even if
> you have wonderful long passwords, if you have guests on your system
> with poor passwords, their accounts will still be vulnerable. A good way
> to improve this is to rate-limit connections. 

Perhaps googling for denyhosts & fail2ban et al as suggested would work
instead?

I also note that the OP actually had denyhosts installed and his
auth.log shows that the he wasn't hacked afterall. However he can verify
if 85.92.138.150 actually got blocked by looking at his /etc/hosts.deny
file.

[snip]
> 
> 
> P.S. Keeping your password secret includes not typing it on a spyware
> loaded computer that is recording your keystrokes. That is why I don't
> use my Windows computer at work to log into my system at home, I don't
> think that computer is infected, but I don't trust Windows in general, I
> use my personal Ubuntu notebook instead.
> 

Now that's just plain silly. Perhaps you should look into securing your
Windows computer as well and looking into secure VPN's.