Thousands of ssh probes

Jason Garrett kingedgar at gmail.com
Mon Mar 8 17:56:09 UTC 2010


On Sun, Mar 7, 2010 at 16:48, Erik Norgaard <norgaard at locolomo.org> wrote:

> On 07/03/10 21:41, dacoder wrote:
>
>> has anybody suggested having sshd listen on a high port?
>
> Any number will do, think about it:
>
> a. The attacker doesn't really care which host is compromised; any will do,
> and better yet someone's home box, as it is more difficult to trace him. In
> that case he will scan large IP ranges for hosts listening on port 22.
>
> b. The attacker wants to gain control of a particular server. In that case
> he will scan all ports to see what services are running and determine which
> services are running on each port. In that case running ssh on a
> non-standard port is futile.
>
> However, I'm not really a fan of using non-standard ports for ssh, I don't
> believe it's the right solution to the problem: You have ssh access to the
> outside because people travel and need remote access. In that case they
> might find themselves under other security policies which block access to
> services deemed unnecessary. Running ssh on a non-standard port is likely to
> be blocked on the client network - unless you run on, say, port 80.
>
> The more uses you have, the more problems you will have running ssh on a
> non-standard port, the time you save checking your logs may easily be spent
> on end user support.
>
> OP referred to significant impact on bandwidth, which I find difficult to
> believe. In case connections come from a single IP at a time, then you should
> tweak LoginGraceTime, MaxAuthTries, MaxSessions to reduce the number of
> concurrent unauthenticated connections and slow down brute force attacks.
>
> Much better, restrict the client access to certain ranges of IPs. The
> different registries publish ip ranges assigned per country and you can
> create a list blocking countries you are certain not to visit, you can use
> my script:
>
>   http://www.locolomo.org/pub/src/toolbox/inet.pl
>
>
Great script! Just one question. Where do you put the list of denied ip
ranges?

>
> BR, Erik
>
> --
> Erik Nørgaard
> Ph: +34.666334818/+34.915211157                  http://www.locolomo.org
>
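
An added example, not part of the original message and not related to how inet.pl works: a Python script that counts failed sshd password attempts per source address and splits them by whether the source falls inside an allow-list of client ranges, the restriction suggested in the quoted reply. The log lines, the user names and the ranges (RFC 5737 documentation addresses) are constructed for the example, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed allow-list; documentation ranges stand in for registry data.
ALLOWED_RANGES = ["192.0.2.0/24", "198.51.100.0/25"]

# Constructed sshd log lines in the usual OpenSSH wording.
SAMPLE_LOG = """\
Mar  7 21:40:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 40112 ssh2
Mar  7 21:40:03 host sshd[1203]: Failed password for root from 203.0.113.9 port 40120 ssh2
Mar  7 21:40:05 host sshd[1207]: Failed password for invalid user test from 203.0.113.9 port 40131 ssh2
Mar  7 21:41:10 host sshd[1215]: Failed password for alice from 192.0.2.44 port 51514 ssh2
Mar  7 21:41:30 host sshd[1215]: Accepted publickey for alice from 192.0.2.44 port 51514 ssh2
Mar  7 21:42:02 host sshd[1222]: Failed password for root from 198.51.100.200 port 33001 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)


def collapse(ranges):
    """Parse CIDR strings and merge adjacent or overlapping networks."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    return list(ipaddress.collapse_addresses(nets))


def is_allowed(addr, nets):
    """True if addr lies inside any of the allowed networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def summarize(log_text, ranges):
    """Return (inside, outside): failed-attempt counts per source address."""
    nets = collapse(ranges)
    matches = (FAILED.search(line) for line in log_text.splitlines())
    failures = Counter(m.group(1) for m in matches if m)
    inside, outside = {}, {}
    for addr, count in failures.items():
        (inside if is_allowed(addr, nets) else outside)[addr] = count
    return inside, outside


if __name__ == "__main__":
    inside, outside = summarize(SAMPLE_LOG, ALLOWED_RANGES)
    print("failures a range restriction would have dropped:", outside)
    print("failures still reaching sshd (allowed ranges):", inside)
```

Failures from inside the allowed ranges still reach sshd, so the authentication limits named in the quoted reply remain relevant for those sources.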

