SSH hacked?

Rashkae ubuntu at
Wed Jan 14 16:20:36 UTC 2009

Kent Borg wrote:
> NoOp wrote:
>> why don't you try as I suggested? Put a machine w/ssh on an open
>> DSL/Cable modem and watch your logs for a few days?
> I don't need to put up such a test, I already have such a thing.
> Checking the log file is quite easy...
> [check, check. check]
> As always, there have been break in attempts. These attempts came from
> different IP addresses, and you suggested I will attract attacks like
> flies to honey--but for the moment let's assume you are wrong on that
> point and assume that these attacks are really just a single coordinated
> attacker.
> Some of the attacks are against randomly chosen user names, but most are
> against root and that matters most, so let's look at the root attacks:
> Based on the number of attempts in this sample and the entropy in my
> root password, at minimum it will take over 2,500 years for a single
> coordinated attacker to have a 50-50 chance of getting in. Further, if
> the attacker doesn't know the format ("recipe") of my root password, the
> effective entropy soars to a much higher figure--to estimate
> conservatively it would take many octillion years of attempts to get to
> the 50-50 point.
> Conclusion: No attacker is going to get root on this machine via a brute
> force attack. NEVER, EVER, EVER, not in any time span that I (nor my
> machine) will live to see.
> I am NOT saying that a break in is impossible, only that it will have to
> come via some other vulnerability. Being distracted from the other
> vulnerabilities is then a serious problem.
> If I am worried about security, I should worry about other
> vulnerabilities. Because I have a good root password, fretting over
> moving sshd as a way to slow down a brute force attack is a distraction.
> It is like arguing over what color car gets better mileage (do more
> photons bounce off or get absorbed and do they impart momentum, slowing
> or speeding the car???). Different cars get different mileage and
> mileage certainly matters, but color doesn't make any real difference
> difference.

Disclaimer: I do not personally move my ssh ports, nor do I advocate the
practice.  I consider it security theater on par with confiscating
bottles of water at airports.  There is a rationale however, which has
been overlooked.

The theory is that attackers, as well as trying common username/password
combos (which really should not be mistaken for a brute force attack by
any stretch) are also keeping records of which hosts have which ports
open by which applications.  In theory, armed with this list, when an
exploit is uncovered (and exploits are always being uncovered) they have
a ready to go database of hosts that are likely to be vulnerable on zero

The drive by port scanning, however, is normally restricted to the
common service ports (22, 25, 80, etc.)  since probing all ports of
every IP takes too long to be as effective.  Therefore, moving your ssh
port, if ssh is your only open port, for example, will keep you off
these lists.

More information about the ubuntu-users mailing list