SSH hacked?

Rashkae ubuntu at
Wed Jan 14 16:35:28 UTC 2009

Knapp wrote:
> On Wed, Jan 14, 2009 at 5:20 PM, Rashkae <ubuntu at> wrote:
>> Kent Borg wrote:
>>> NoOp wrote:
>>>> why don't you try as I suggested? Put a machine w/ssh on an open
>>>> DSL/Cable modem and watch your logs for a few days?
>>> I don't need to put up such a test, I already have such a thing.
>>> Checking the log file is quite easy...
>>> [check, check, check]
>>> As always, there have been break in attempts. These attempts came from
>>> different IP addresses, and you suggested I will attract attacks like
>>> flies to honey--but for the moment let's assume you are wrong on that
>>> point and assume that these attacks are really just a single coordinated
>>> attacker.
>>> Some of the attacks are against randomly chosen user names, but most are
>>> against root and that matters most, so let's look at the root attacks:
>>> Based on the number of attempts in this sample and the entropy in my
>>> root password, at minimum it will take over 2,500 years for a single
>>> coordinated attacker to have a 50-50 chance of getting in. Further, if
>>> the attacker doesn't know the format ("recipe") of my root password, the
>>> effective entropy soars to a much higher figure--to estimate
>>> conservatively it would take many octillion years of attempts to get to
>>> the 50-50 point.
>>> Conclusion: No attacker is going to get root on this machine via a brute
>>> force attack. NEVER, EVER, EVER, not in any time span that I (nor my
>>> machine) will live to see.
>>> I am NOT saying that a break in is impossible, only that it will have to
>>> come via some other vulnerability. Being distracted from the other
>>> vulnerabilities is then a serious problem.
>>> If I am worried about security, I should worry about other
>>> vulnerabilities. Because I have a good root password, fretting over
>>> moving sshd as a way to slow down a brute force attack is a distraction.
>>> It is like arguing over what color car gets better mileage (do more
>>> photons bounce off or get absorbed and do they impart momentum, slowing
>>> or speeding the car???). Different cars get different mileage and
>>> mileage certainly matters, but color doesn't make any real
>>> difference.
>> Disclaimer: I do not personally move my ssh ports, nor do I advocate the
>> practice.  I consider it security theater on par with confiscating
>> bottles of water at airports.  There is a rationale however, which has
>> been overlooked.
>> The theory is that attackers, as well as trying common username/password
>> combos (which really should not be mistaken for a brute force attack by
>> any stretch) are also keeping records of which hosts have which ports
>> open by which applications.  In theory, armed with this list, when an
>> exploit is uncovered (and exploits are always being uncovered) they have
>> a ready to go database of hosts that are likely to be vulnerable on zero
>> day.
>> The drive by port scanning, however, is normally restricted to the
>> common service ports (22, 25, 80, etc.)  since probing all ports of
>> every IP takes too long to be as effective.  Therefore, moving your ssh
>> port, if ssh is your only open port, for example, will keep you off
>> these lists.
> So how long does it take to scan all the ports? Then let's say you have 100
> zombies to do it for you at the same time? What are we looking at to get
> 10,000 non-22-port ssh(s)?

A very, very long time if you hit lots of 'stealthed' firewalls and each
of those 100 zombies overloads their stack waiting for hundreds of thousands
of reply packets that never come.  Zombies get a better return on
investment selling Viagra.
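The estimate Kent Borg describes (count the observed guesses against root over a few days, then work out how long a 50-50 chance of guessing a password of known entropy would take at that rate) can be reproduced mechanically from an auth.log. The script below is an added example written for this archive page; it is not code from any poster. The log lines are constructed samples in the syslog format Ubuntu's sshd used at the time, and the observation window (3 days) and password parameters (12 characters drawn uniformly from a 64-symbol alphabet, i.e. 72 bits) are assumed values chosen for illustration, not the figures from the thread.

```python
import math
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines (not from any real machine). Addresses are from
# the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jan 12 03:14:07 host sshd[2101]: Failed password for root from 192.0.2.10 port 41022 ssh2
Jan 12 03:14:09 host sshd[2101]: Failed password for root from 192.0.2.10 port 41022 ssh2
Jan 12 03:14:12 host sshd[2103]: Failed password for invalid user oracle from 192.0.2.10 port 41030 ssh2
Jan 12 11:40:51 host sshd[2310]: Failed password for root from 198.51.100.7 port 50112 ssh2
Jan 13 02:02:33 host sshd[2555]: Failed password for invalid user admin from 203.0.113.5 port 3344 ssh2
Jan 13 02:02:35 host sshd[2555]: Failed password for root from 203.0.113.5 port 3344 ssh2
Jan 14 15:30:00 host sshd[2900]: Accepted publickey for alice from 192.0.2.99 port 5000 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user NAME from ...". Accepted logins do not match.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_failures(log_text, year=2009):
    """Return a list of (timestamp, user, source_ip) for every failed password line.

    Syslog lines carry no year, so the caller supplies it (assumed 2009 here).
    """
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins, other daemons, noise
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m.group("user"), m.group("ip")))
    return failures


def count_by_user(failures):
    """How many guesses each account name received."""
    return Counter(user for _, user, _ in failures)


def attempts_per_day(failures, user, days_observed):
    """Observed guess rate against one account over the window you watched."""
    if days_observed <= 0:
        raise ValueError("days_observed must be positive")
    return count_by_user(failures)[user] / days_observed


def entropy_bits(length, alphabet_size):
    """Entropy of a password chosen uniformly at random: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def years_to_half_chance(bits, rate_per_day):
    """Years until a guesser at rate_per_day has tried half of 2**bits candidates.

    Half the keyspace is 2**(bits-1) guesses; that is the 50-50 point for an
    attacker who knows the password's format but not its content.
    """
    if rate_per_day <= 0:
        raise ValueError("rate must be positive")
    return 2 ** (bits - 1) / (rate_per_day * 365.25)


def main():
    failures = parse_failures(SAMPLE_LOG)
    days_observed = 3.0          # assumed: the sample spans three days of watching
    bits = entropy_bits(12, 64)  # assumed: 12 random chars from a 64-symbol alphabet
    rate = attempts_per_day(failures, "root", days_observed)
    print("guesses by account:", dict(count_by_user(failures)))
    print(f"root guesses/day: {rate:.2f}")
    print(f"password entropy: {bits:.0f} bits")
    print(f"years to a 50-50 chance at this rate: {years_to_half_chance(bits, rate):.3e}")


if __name__ == "__main__":
    main()
```

The regex deliberately only counts `Failed password` lines, so key-based logins and other daemons do not inflate the rate; feed it a real auth.log and your own watched window to repeat the calculation for your host. The rate is what moving the port changes and the entropy is what the password changes, which is the point of the argument in the thread: with a high-entropy password the years figure is astronomically large at any rate a single attacker can sustain.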

More information about the ubuntu-users mailing list