openssh concerns

[Erik Cederstrand]

Den 05/10/2009 kl. 22.55 skrev Andrew Kuriger:

> I agree its not a bad thing to have sshd running on a non-standard  
> port,
> but just wait until the bot herder with 10,000 bots under his  
> control finds
> out what port your running it under...

It's like spam filtering: at the time this actually becomes a problem,  
we change tactics. It's not about finding the perfect solution, it's  
about having a manageable log. My log is being spammed, and changing  
the port solves that. "botnet-12-34-56-78.couldntcareless.mx tried to  
log into your nonexistent oracle account" is not a very interesting  
log message. Someone bruteforcing a valid non-trivial account name on  
a non-standard port is, even though they will never succeed.

> If your receiving 40,000 false logins a day, your either targeted, or
> extremely popular and probably shouldn't be running sshd that is  
> accessible
> via the internet anyways, aside from port knocking/VPN.

6 normal, very boring colo-servers here. 40.000 login attempts a day  
per server on port 22 sounds about right - that's still almost nothing  
translated to bandwidth. I use only key-based auth and the bots were  
still trying, som I'm pretty sure it's just someone trying to  
bruteforce every IP under the sun looking for low-hanging fruit. I  
still need ssh access for normal admin work so disabling ssh is not an  
option.

Erik