Become a fan of Slashdot on Facebook

 


Forgot your password?
Close
typodupeerror
×
Security IT BSD

SSH Password Gropers Are Now Trying High Ports 349

Posted by timothy from the for-higher-love dept.
badger.foo writes "You thought you had successfully avoided the tiresome password guessing bots groping at your SSH service by moving the service to a non-standard port? It seems security by obscurity has lost the game once more. We're now seeing ssh bruteforce attempts hitting other ports too, Peter Hansteen writes in his latest column." For others keeping track, have you seen many such attempts?
This discussion has been archived. No new comments can be posted.

SSH Password Gropers Are Now Trying High Ports More

SSH Password Gropers Are Now Trying High Ports

Comments Filter:

  • Re:Just lock em out... (Score:5, Insightful)

    by msauve ( 701917 ) on Saturday February 16, 2013 @06:00PM (#42923985)
    If you lock out the account, and not the incoming host, then you simply provide a DoS mechanism to lock out legitimate users.

  • Re:Security by obscurity ... (Score:4, Insightful)

    by Anonymous Coward on Saturday February 16, 2013 @06:02PM (#42924003)

    We are talking about banning ranges of IP addresses. Only the last leg of the journey matters. Saying the attackers aren't in China is a difference without distinction.

  • Re:Use random IPv6 from a /64 range (Score:4, Insightful)

    by tepples ( 727027 ) <tepples.gmail@com> on Saturday February 16, 2013 @06:10PM (#42924055) Homepage Journal

    Typically server hosting with ipv6 will assign a /64 range to each box.

    Which would require you to switch to a hosting provider with IPv6 and move your own home or office to an area whose ISP offers IPv6.

  • When an attacker controls 10,000 IPs (Score:5, Insightful)

    by tepples ( 727027 ) <tepples.gmail@com> on Saturday February 16, 2013 @06:19PM (#42924121) Homepage Journal

    An attacker can only try logging in a few times a minute.

    How does your system determine which IP addresses belong to a particular attacker's botnet?

  • Comment removed (Score:4, Insightful)

    by account_deleted ( 4530225 ) on Saturday February 16, 2013 @07:02PM (#42924341)
    Comment removed based on user account deletion

  • Re:Don't rely on security-though-obscurity (Score:5, Insightful)

    by AmiMoJo ( 196126 ) * on Saturday February 16, 2013 @07:27PM (#42924469) Homepage Journal

    You might as well expire those banned IP addresses after a day because 99.97% of them are compromised machines on dynamic connections. Having a file that size just wastes computing resources (having to check every single one) and slightly increases the chance you won't be able to log in from some random place one day.

  • Typical geek shit (Score:5, Insightful)

    by Sycraft-fu ( 314770 ) on Saturday February 16, 2013 @07:58PM (#42924679)

    For some reason, geeks seem to think there is magic, perfect, computer security. "Just do THIS and your servers are secure, nobody can ever break in!" Those of us who've dealt with physical security understand there's NO SUCH THING. Good security is a layered approach. You never rely on one thing for security, you have layers so that when, not if, a layer fails you aren't automatically fucked, the other layers hopefully catch it.

    While moving SSH to another port may not be a real big security improvement, security improvement don't have to be big to be useful, particularly if the cost is low, and in this case the cost is zero.

    Also here's some news: It is 2013 and just now the bots seem to be adapting. That means that it was pretty effective. Seems to me SSH has been in use for, oh, getting close to 18 years now. That's not a bad amount of time for something to stop the bots.

    The sooner geek admins start to understand that there is NO perfect security, ever, the sooner we'll start to have better computer security.

  • Re:Low Hanging Fruit (Score:4, Insightful)

    by Pseudonym ( 62607 ) on Saturday February 16, 2013 @08:10PM (#42924745)

    Using a high port is one more thing you can do. To me, using it to filter out 90% of scanners is worth it even though it will still let through the 10% of people scanning high ports.

    Exactly this.

    Using a high port will not prevent a determined act of corporate espionage, but it probably will make J. Random Script-Kiddie move on.

  • Re:Low Hanging Fruit (Score:5, Insightful)

    by Pseudonym ( 62607 ) on Saturday February 16, 2013 @08:30PM (#42924891)

    I'm saying that just because an obscurity measure is no substitute for a security measure doesn't mean it's not worth doing.

    A sysadmin's time is valuable. A simple measure which eliminates 90% of the noise in a log is almost always worth doing, especially if it doesn't significantly inconvenience legitimate users.

  • Re:Low Hanging Fruit (Score:5, Insightful)

    by hedwards ( 940851 ) on Saturday February 16, 2013 @09:28PM (#42925199)

    It's not security by obscurity, I really wish this meme would die, seeing as so many people are misapplying it. This is one thing that you can do to make it more expensive to try and crack your systems. It's not the only thing that you should be doing and calling one technique security by obscurity when you can easily figure out which port it is, really just conveys ignorance about what you're talking about.

    Anything you can do that makes it inconvenient to try and crack your system is going to help a bit.

  • Re:Better than that... (Score:4, Insightful)

    by gmack ( 197796 ) <gmack@noSpAM.innerfire.net> on Sunday February 17, 2013 @11:17AM (#42927839) Homepage Journal

    If I ever did this on any of my employer's servers I wouldn't expect to keep my job for much longer. Any countermeasure that cannot tell the difference between good and bad attempts is worthless. Imagine a room full of webdevs behind a NAT that use SCP to transfer files and then take a guess at the resulting productivity after your "solution" is implemented.

Slashdot Top Deals

I've noticed several design suggestions in your code.

Close