
SSH Password Gropers Are Now Trying High Ports

Posted by timothy
from the for-higher-love dept.
badger.foo writes "You thought you had successfully avoided the tiresome password guessing bots groping at your SSH service by moving the service to a non-standard port? It seems security by obscurity has lost the game once more. We're now seeing ssh bruteforce attempts hitting other ports too, Peter Hansteen writes in his latest column." For others keeping track, have you seen many such attempts?
  • by msauve (701917) on Saturday February 16, 2013 @06:00PM (#42923985)
    If you lock out the account, and not the incoming host, then you simply provide a DoS mechanism to lock out legitimate users.
  • by Anonymous Coward on Saturday February 16, 2013 @06:02PM (#42924003)

    We are talking about banning ranges of IP addresses. Only the last leg of the journey matters. Saying the attackers aren't in China is a difference without distinction.

  • by tepples (727027) <{tepples} {at} {gmail.com}> on Saturday February 16, 2013 @06:10PM (#42924055) Homepage Journal

    Typically server hosting with ipv6 will assign a /64 range to each box.

    Which would require you to switch to a hosting provider with IPv6 and move your own home or office to an area whose ISP offers IPv6.

  • by tepples (727027) <{tepples} {at} {gmail.com}> on Saturday February 16, 2013 @06:19PM (#42924121) Homepage Journal

    An attacker can only try logging in a few times a minute.

    How does your system determine which IP addresses belong to a particular attacker's botnet?

  • Tarpit? (Score:4, Insightful)

    by benjfowler (239527) on Saturday February 16, 2013 @07:02PM (#42924341)

    Why doesn't somebody invent a tarpitting method, where you write something that'll listen on thousands of ports, completes a fake ssh handshake (slowly), rejects all authentication attempts, logs gropers to fail2ban; but then have your real SSH daemon on a higher port, using certificates only? For you, no problems; for them, like searching futilely for a needle in a haystack...

    Wastes the gropers' time, and burns their bots. Get enough people doing this, and it might send a message to the idiots doing it.
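The tarpit benjfowler sketches above, written out as an added example (not code from the column or from any poster): instead of completing a fake handshake it stalls the bot before the version exchange, because RFC 4253 lets a server send arbitrary lines ahead of its "SSH-2.0-" banner and the client has to read past them. The port range and delay are assumed values; the peer counter is what you would hand to fail2ban or a pf table.

```python
"""SSH tarpit sketch: listen on many spare ports, dribble out lines that never
turn into an SSH version string, and count each peer so the address can be
handed to fail2ban or a pf table. Constructed example, not production code."""
import asyncio
import random
import time
from collections import Counter

TARPIT_PORTS = range(2200, 2210)   # assumed spare ports; your real sshd is elsewhere
LINE_DELAY = 10.0                  # seconds between lines; the client keeps waiting
LINE_LENGTH = 32
seen = Counter()                   # peer address -> tarpitted connections

def tarpit_line(rng=random):
    """One pre-banner line. RFC 4253 s4.2 lets a server send other lines before
    its 'SSH-2.0-...' version string and the client must read past them, so a
    client that never sees a line starting with 'SSH-' stays stuck in the
    handshake. The alphabet has no uppercase, so no line can start 'SSH-'."""
    chars = "abcdefghijklmnopqrstuvwxyz0123456789"
    return "".join(rng.choice(chars) for _ in range(LINE_LENGTH)) + "\r\n"

def record_peer(peer_ip, counter=seen):
    """Count the connection and return the running total for this address."""
    counter[peer_ip] += 1
    return counter[peer_ip]

async def handle(reader, writer):
    peer_ip = writer.get_extra_info("peername")[0]
    n = record_peer(peer_ip)
    print(f"{time.strftime('%Y-%m-%dT%H:%M:%S')} tarpit {peer_ip} connection #{n}")
    try:
        while True:                      # hold the socket open as long as the bot waits
            writer.write(tarpit_line().encode())
            await writer.drain()
            await asyncio.sleep(LINE_DELAY)
    except (ConnectionError, asyncio.CancelledError):
        pass
    finally:
        writer.close()

async def main():
    servers = [await asyncio.start_server(handle, "0.0.0.0", p) for p in TARPIT_PORTS]
    await asyncio.gather(*(s.serve_forever() for s in servers))

if __name__ == "__main__":
    asyncio.run(main())
```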

  • by AmiMoJo (196126) * <mojoNO@SPAMworld3.net> on Saturday February 16, 2013 @07:27PM (#42924469) Homepage

    You might as well expire those banned IP addresses after a day because 99.97% of them are compromised machines on dynamic connections. Having a file that size just wastes computing resources (having to check every single one) and slightly increases the chance you won't be able to log in from some random place one day.

  • Typical geek shit (Score:5, Insightful)

    by Sycraft-fu (314770) on Saturday February 16, 2013 @07:58PM (#42924679)

    For some reason, geeks seem to think there is magic, perfect, computer security. "Just do THIS and your servers are secure, nobody can ever break in!" Those of us who've dealt with physical security understand there's NO SUCH THING. Good security is a layered approach. You never rely on one thing for security, you have layers so that when, not if, a layer fails you aren't automatically fucked, the other layers hopefully catch it.

    While moving SSH to another port may not be a real big security improvement, security improvements don't have to be big to be useful, particularly if the cost is low, and in this case the cost is zero.

    Also here's some news: It is 2013 and just now the bots seem to be adapting. That means that it was pretty effective. Seems to me SSH has been in use for, oh, getting close to 18 years now. That's not a bad amount of time for something to stop the bots.

    The sooner geek admins start to understand that there is NO perfect security, ever, the sooner we'll start to have better computer security.

  • by Pseudonym (62607) on Saturday February 16, 2013 @08:10PM (#42924745)

    Using a high port is one more thing you can do. To me, using it to filter out 90% of scanners is worth it even though it will still let through the 10% of people scanning high ports.

    Exactly this.

    Using a high port will not prevent a determined act of corporate espionage, but it probably will make J. Random Script-Kiddie move on.

  • by Pseudonym (62607) on Saturday February 16, 2013 @08:30PM (#42924891)

    I'm saying that just because an obscurity measure is no substitute for a security measure doesn't mean it's not worth doing.

    A sysadmin's time is valuable. A simple measure which eliminates 90% of the noise in a log is almost always worth doing, especially if it doesn't significantly inconvenience legitimate users.

  • by hedwards (940851) on Saturday February 16, 2013 @09:28PM (#42925199)

    It's not security by obscurity; I really wish this meme would die, seeing as so many people are misapplying it. This is one thing that you can do to make it more expensive to try and crack your systems. It's not the only thing that you should be doing, and calling one technique security by obscurity when you can easily figure out which port it is really just conveys ignorance about what you're talking about.

    Anything you can do that makes it inconvenient to try and crack your system is going to help a bit.

  • by gmack (197796) <gmack@innerfir e . net> on Sunday February 17, 2013 @11:17AM (#42927839) Homepage Journal

    If I ever did this on any of my employer's servers I wouldn't expect to keep my job for much longer. Any countermeasure that cannot tell the difference between good and bad attempts is worthless. Imagine a room full of webdevs behind a NAT that use SCP to transfer files and then take a guess at the resulting productivity after your "solution" is implemented.
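Pulling together three of the points above as one added example (not code from any poster, and not fail2ban's own logic): msauve's warning to lock out the source host rather than the account, AmiMoJo's suggestion to expire bans after a day, and gmack's requirement that the countermeasure not take down a whole office behind one NAT address. The log lines, addresses and thresholds are constructed for the example.

```python
"""Source-address lockout over OpenSSH auth log lines: failures are counted
per client IP (never per account, so a bot cannot lock out a real user), bans
expire after a day, and an allow-list exempts e.g. an office NAT gateway."""
import re
from collections import defaultdict
# Matches OpenSSH "Failed password" lines with or without "invalid user".
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
MAX_FAILURES = 5      # failures within WINDOW seconds before the source is banned
WINDOW = 600
BAN_TTL = 86400       # a day: dynamic addresses get reassigned, so don't keep them forever

class SourceBanList:
    def __init__(self, allow=()):
        self.allow = set(allow)              # addresses that are never banned
        self.failures = defaultdict(list)    # ip -> recent failure timestamps
        self.bans = {}                       # ip -> ban expiry (epoch seconds)

    def is_banned(self, ip, now):
        if self.bans.get(ip, 0) <= now:      # no ban, or the ban has aged out
            self.bans.pop(ip, None)
            return False
        return True

    def observe(self, line, now):
        """Feed one log line; return the IP if this line caused a new ban."""
        m = FAILED_RE.search(line)
        if not m:
            return None
        ip = m.group("ip")
        if ip in self.allow or self.is_banned(ip, now):
            return None
        hits = [t for t in self.failures[ip] if now - t < WINDOW] + [now]
        self.failures[ip] = hits
        if len(hits) >= MAX_FAILURES:
            self.bans[ip] = now + BAN_TTL
            del self.failures[ip]
            return ip
        return None

def run_sample():
    """Constructed log: a bot hammers root from 203.0.113.9 while the allow-listed office gateway 198.51.100.7 mistypes too."""
    bans = SourceBanList(allow={"198.51.100.7"})
    lines = [f"sshd[1]: Failed password for root from 203.0.113.9 port {40000 + i} ssh2"
             for i in range(6)]
    lines += ["sshd[2]: Failed password for invalid user bob from 198.51.100.7 port 5000 ssh2"] * 10
    banned = [ip for i, line in enumerate(lines) if (ip := bans.observe(line, 1000 + i))]
    return banned, bans.is_banned("203.0.113.9", 1000 + BAN_TTL + 100)
```

The office gateway is never banned no matter how many of its users fumble a password, and the bot's ban is gone a day later, so the ban file never grows without bound.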
