Re: targetted SSH bruteforce attacks

["Mr. MailingLists" <mailinglists () soul-dev com>]

Hello Gary/List!

On 6/17/2010 6:48 AM, Gary Baribault wrote:
> Hello list,
>
>     I have a strange situation and would like information from the
> list members. I have three Linux boxes exposed to the Internet. Two of
> them are on cable modems, and both have two services that are publicly
> available. In both cases, I have SSH and named running and available
> to the public. Before you folks say it, yes I run SSH on TCP/22 and no
> I don't want to move it to another port, and no I don't want to
> restrict it to certain source IPs.

Since almost every angle of securing SSHD publicly have already been listed I will not
delve into that, so take my advice with a grain of salt.

In my environment, in order to access any of what I call trusted resources (such as ssh) I
require myself to have VPN connectivity. This eliminates the need of having SSHD listen
publicly, and as expected, eliminated all unknown hosts accessing my box via SSHD. It also
made my auth log much shorter and manageable as well :), but it is also more boring.

I'm guessing this wont work for your situation (seeing that you don't want to change the
public port either).

Otherwise, as said before:
Changing the port will absolutely reduce the number of hits, and concurrent attack attempts.

Use of port-knocking techniques will also achieve the above, and the use of PKA will
almost (almost, nothing is certain, hehe Debian) eliminate the chance of the opposition
recreating your private key.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/