SSH Password Gropers Are Now Trying High Ports
badger.foo writes "You thought you had successfully avoided the tiresome password guessing bots groping at your SSH service by moving the service to a non-standard port? It seems security by obscurity has lost the game once more. We're now seeing ssh bruteforce attempts hitting other ports too, Peter Hansteen writes in his latest column." For others keeping track, have you seen many such attempts?
Re:Security by obscurity ... (Score:4, Insightful)
We are talking about banning ranges of IP addresses. Only the last leg of the journey matters. Saying the attackers aren't in China is a difference without distinction.
Re:Use random IPv6 from a /64 range (Score:4, Insightful)
Typically server hosting with ipv6 will assign a /64 range to each box.
Which would require you to switch to a hosting provider with IPv6 and move your own home or office to an area whose ISP offers IPv6.
When an attacker controls 10,000 IPs (Score:5, Insightful)
An attacker can only try logging in a few times a minute.
How does your system determine which IP addresses belong to a particular attacker's botnet?
Re:Don't rely on security-through-obscurity (Score:5, Insightful)
You might as well expire those banned IP addresses after a day because 99.97% of them are compromised machines on dynamic connections. Having a file that size just wastes computing resources (having to check every single one) and slightly increases the chance you won't be able to log in from some random place one day.
Typical geek shit (Score:5, Insightful)
For some reason, geeks seem to think there is magic, perfect, computer security. "Just do THIS and your servers are secure, nobody can ever break in!" Those of us who've dealt with physical security understand there's NO SUCH THING. Good security is a layered approach. You never rely on one thing for security, you have layers so that when, not if, a layer fails you aren't automatically fucked, the other layers hopefully catch it.
While moving SSH to another port may not be a real big security improvement, security improvements don't have to be big to be useful, particularly if the cost is low, and in this case the cost is zero.
Also here's some news: It is 2013 and just now the bots seem to be adapting. That means that it was pretty effective. Seems to me SSH has been in use for, oh, getting close to 18 years now. That's not a bad amount of time for something to stop the bots.
The sooner geek admins start to understand that there is NO perfect security, ever, the sooner we'll start to have better computer security.
Re:Low Hanging Fruit (Score:4, Insightful)
Using a high port is one more thing you can do. To me, using it to filter out 90% of scanners is worth it even though it will still let through the 10% of people scanning high ports.
Exactly this.
Using a high port will not prevent a determined act of corporate espionage, but it probably will make J. Random Script-Kiddie move on.
Re:Low Hanging Fruit (Score:5, Insightful)
I'm saying that just because an obscurity measure is no substitute for a security measure doesn't mean it's not worth doing.
A sysadmin's time is valuable. A simple measure which eliminates 90% of the noise in a log is almost always worth doing, especially if it doesn't significantly inconvenience legitimate users.
Re:Low Hanging Fruit (Score:5, Insightful)
It's not security by obscurity. I really wish this meme would die, seeing as so many people are misapplying it. This is one thing that you can do to make it more expensive to try and crack your systems. It's not the only thing that you should be doing, and calling one technique security by obscurity when you can easily figure out which port it is really just conveys ignorance about what you're talking about.
Anything you can do that makes it inconvenient to try and crack your system is going to help a bit.
Re:Better than that... (Score:4, Insightful)
If I ever did this on any of my employer's servers I wouldn't expect to keep my job for much longer. Any countermeasure that cannot tell the difference between good and bad attempts is worthless. Imagine a room full of webdevs behind a NAT that use SCP to transfer files and then take a guess at the resulting productivity after your "solution" is implemented.
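An added illustration, not code from the article or from any commenter, of two points raised in the thread: the earlier comment that banned addresses should expire after a day, and this comment's objection that a countermeasure which cannot tell good attempts from bad ones will lock out a room of web developers behind a NAT. The sshd log lines, the threshold and window, and the 192.0.2.0/24 "office" allowlist are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines, not taken from the page or any real host.
SAMPLE_LOG = """\
2013-02-01T10:00:01 sshd[100]: Failed password for root from 203.0.113.5 port 51234 ssh2
2013-02-01T10:00:05 sshd[101]: Failed password for admin from 203.0.113.5 port 51235 ssh2
2013-02-01T10:00:09 sshd[102]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
2013-02-01T10:00:20 sshd[103]: Failed password for dev from 198.51.100.7 port 40000 ssh2
2013-02-01T10:00:25 sshd[104]: Accepted publickey for dev from 198.51.100.7 port 40001 ssh2
2013-02-01T10:00:30 sshd[105]: Failed password for dev from 198.51.100.7 port 40002 ssh2
2013-02-01T10:00:35 sshd[106]: Failed password for dev from 198.51.100.7 port 40003 ssh2
2013-02-01T10:01:00 sshd[107]: Failed password for bob from 192.0.2.10 port 50000 ssh2
2013-02-01T10:01:03 sshd[108]: Failed password for bob from 192.0.2.10 port 50001 ssh2
2013-02-01T10:01:06 sshd[109]: Failed password for bob from 192.0.2.10 port 50002 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
                     r"\S+ for .* from (?P<ip>\S+) port \d+")

def compute_bans(log_text, threshold=3, window=timedelta(minutes=10),
                 ban_ttl=timedelta(days=1), allow_nets=()):
    """Ban a source after `threshold` failures inside `window`; sources in
    `allow_nets` are never banned and an accepted login clears failures."""
    allow = [ipaddress.ip_network(n) for n in allow_nets]
    failures, bans = defaultdict(deque), {}  # ip -> failure times / ban expiry
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        if any(ipaddress.ip_address(ip) in net for net in allow):
            continue               # trusted network (e.g. the office NAT)
        if m["result"] == "Accepted":
            failures.pop(ip, None)  # a real user got in; forget the typos
            continue
        q = failures[ip]
        q.append(ts)
        while ts - q[0] > window:  # keep only failures inside the window
            q.popleft()
        if len(q) >= threshold and ip not in bans:
            bans[ip] = ts + ban_ttl  # the ban carries its own expiry
    return bans

def is_banned(bans, ip, now):
    expiry = bans.get(ip)
    return expiry is not None and now < expiry  # an expired ban no longer blocks
```

With the allowlist in place only the scanner address ends up banned, and the same address is allowed back once its one-day ban has lapsed.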