Dark reading article on the proper port of SSH daemon.

Jose R R jose.r.r at metztli.com
Tue Dec 9 05:31:11 UTC 2008


"In honor of this phenomenon, I now keep a text file of the ports I
find an SSH daemon running on, and the explanation offered by the
administrator of how this change improves security. I won't list the
explanations here, but here's the gist of their justifications:
attackers will not bother launching a scan against the entire port
range of a box, and a scanning tool is not advanced enough to grab
service banners. Admins generally provide me with these explanations
during a post assessment wrap-up meeting, and they are typically
surprised that their SSH daemon running on port 65022 is listed in the
report at all. It's almost like pointing out a trap door or a mirror
in a magic act."

Hiding In Plain Sight Doesn't Work:
< http://www.darkreading.com/blog/archives/2008/12/hiding_in_plain.html?cid=RSSfeed_DR_ALL?cid=nl_DR_WEEKLY_T
>

After reading the above article, well ...ahem, I decided to bring back
the SSH daemon to its original default port on some accounts and
implemented a banner advising the would-be perpetrators that their IP
would be logged.  Notwithstanding, there were those who did not care
(some, like the example below, understandably, since their IP is
dynamic).  Notwithstanding, those who dared try their luck were locked
out by fail2ban on their fifth try.  After observing their reverse
mapping attempts (as below), I reduced SSH login attempts to three.

I am also looking for insight/recommendations on a utility to stop
scraping/resource-probing-like abuses, where a given perpetrator will
start at the root of the web resources and continue for several
minutes traversing the whole site(s).

Dec  8 04:51:23 my-client-host sshd[8282]: Invalid user test from 85.94.59.251
Dec  8 04:51:23 my-client-host sshd[8282]: reverse mapping checking getaddrinfo for 85.94.59.251.adsl.sta.mcn.ru failed - POSSIBLE BREAK-IN ATTEMPT!
Dec  8 04:51:32 my-client-host sshd[8284]: Invalid user guest from 85.94.59.251
Dec  8 04:51:32 my-client-host sshd[8284]: reverse mapping checking getaddrinfo for 85.94.59.251.adsl.sta.mcn.ru failed - POSSIBLE BREAK-IN ATTEMPT!
Dec  8 04:51:36 my-client-host sshd[8286]: Invalid user admin from 85.94.59.251
Dec  8 04:51:36 my-client-host sshd[8286]: reverse mapping checking getaddrinfo for 85.94.59.251.adsl.sta.mcn.ru failed - POSSIBLE BREAK-IN ATTEMPT!
Dec  8 04:51:41 my-client-host sshd[8288]: Invalid user admin from 85.94.59.251
Dec  8 04:51:41 my-client-host sshd[8288]: reverse mapping checking getaddrinfo for 85.94.59.251.adsl.sta.mcn.ru failed - POSSIBLE BREAK-IN ATTEMPT!
Dec  8 04:51:51 my-client-host sshd[8290]: Invalid user user from 85.94.59.251
Dec  8 04:51:51 my-client-host sshd[8290]: reverse mapping checking getaddrinfo for 85.94.59.251.adsl.sta.mcn.ru failed - POSSIBLE BREAK-IN ATTEMPT!

-- 
Jose R R
http://www.metztli-it.com
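The post above describes fail2ban locking the scanner out on its fifth "Invalid user" attempt, then the threshold being lowered to three. The script below is an added example (not part of the post, and not fail2ban's own code) that runs that same counting logic over the sshd lines quoted in the post: it parses the classic syslog prefix, counts authentication failures per source address inside a sliding time window, and reports the line on which a ban would have fired for a given threshold. The parameter names maxretry and findtime mirror fail2ban's jail options of the same meaning; the log year (2008) and the trailing "Accepted publickey" line from 192.0.2.10 are assumptions added so the filter has a legitimate host it must not ban. The reverse-mapping warnings are listed separately rather than counted, since they only say the client's PTR record does not forward-resolve to its address, not that an authentication failed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample log: the "Invalid user" and reverse-mapping lines quoted in the post,
# plus one constructed "Accepted publickey" line from a second, legitimate
# host (192.0.2.10, a documentation address) that must not be banned.
SAMPLE_LOG = """\
Dec  8 04:51:23 my-client-host sshd[8282]: Invalid user test from 85.94.59.251
Dec  8 04:51:23 my-client-host sshd[8282]: reverse mapping checking getaddrinfo for 85.94.59.251.adsl.sta.mcn.ru failed - POSSIBLE BREAK-IN ATTEMPT!
Dec  8 04:51:32 my-client-host sshd[8284]: Invalid user guest from 85.94.59.251
Dec  8 04:51:36 my-client-host sshd[8286]: Invalid user admin from 85.94.59.251
Dec  8 04:51:41 my-client-host sshd[8288]: Invalid user admin from 85.94.59.251
Dec  8 04:51:51 my-client-host sshd[8290]: Invalid user user from 85.94.59.251
Dec  8 04:52:10 my-client-host sshd[8295]: Accepted publickey for jose from 192.0.2.10 port 51234 ssh2
"""

LOG_YEAR = 2008  # classic syslog omits the year; assume the year of the post

# Classic syslog prefix (month, day, time, host) followed by the sshd message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$"
)
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Messages that count as an authentication failure from the named address.
FAILURE_RES = [
    re.compile(rf"Invalid user (?P<user>\S+) from (?P<ip>{IPV4})"),
    re.compile(rf"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>{IPV4})"),
]
# Reverse-mapping warning: the PTR name did not resolve back to the client
# address.  Reported separately; it is not an authentication failure itself.
RDNS_RE = re.compile(r"reverse mapping checking getaddrinfo for (?P<name>\S+) failed")


def parse_failures(log_text):
    """Return (timestamp, ip, user, raw_syslog_timestamp) for each auth failure."""
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        for rx in FAILURE_RES:
            fm = rx.search(m["msg"])
            if fm:
                ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
                events.append((ts, fm["ip"], fm["user"], m["ts"]))
                break
    return events


def failures_per_ip(log_text):
    """Total authentication failures seen per source address."""
    counts = defaultdict(int)
    for _ts, ip, _user, _raw in parse_failures(log_text):
        counts[ip] += 1
    return dict(counts)


def rdns_failures(log_text):
    """PTR names that sshd could not forward-confirm."""
    names = []
    for line in log_text.splitlines():
        m = RDNS_RE.search(line)
        if m:
            names.append(m["name"])
    return names


def find_bans(log_text, maxretry=3, findtime=600):
    """Ban an address on its maxretry-th failure within findtime seconds.

    Returns {ip: syslog timestamp of the failure that triggered the ban}.
    Failures older than findtime are dropped from the window, so a slow
    scanner that spaces its guesses out is not caught by this rule alone.
    """
    window = defaultdict(list)  # ip -> timestamps of failures still in the window
    banned = {}
    for ts, ip, _user, raw_ts in parse_failures(log_text):
        if ip in banned:
            continue  # already banned; fail2ban would be dropping its packets
        window[ip] = [t for t in window[ip] if (ts - t).total_seconds() <= findtime]
        window[ip].append(ts)
        if len(window[ip]) >= maxretry:
            banned[ip] = raw_ts
    return banned


if __name__ == "__main__":
    print("failures per IP:", failures_per_ip(SAMPLE_LOG))
    print("unconfirmed PTR names:", rdns_failures(SAMPLE_LOG))
    for retry in (5, 3):
        print(f"maxretry={retry}: ban fires at", find_bans(SAMPLE_LOG, maxretry=retry))
```

With the post's log the ban fires on the "Invalid user admin" line at 04:51:36 when maxretry is 3, and on the "Invalid user user" line at 04:51:51 when it is 5; the legitimate public-key login from the second host is never touched. Shrinking findtime to a few seconds shows the other side of the trade-off: the same five guesses, spaced nine or ten seconds apart, then never accumulate three inside the window and no ban fires.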




More information about the redhat-list mailing list