Re: Customer-facing ACLs

[Mark Foster <blakjak () blakjak net>]

On Sat, 8 Mar 2008, Dave Pooser wrote:

> > Port 22 outbound? And 23?  Telnet and SSH _outbound_ cause that much of a
> > concern? I can only assume it's to stop clients exploited boxen being used
> > to anonymise further telnet/ssh attempts - but have to admit this
> > discussion is the first i've heard of it being done 'en masse'.
>
> On one test machine that I leave SSH unfirewalled on, I'll see 200-4000 SSH
> login attempts per day, trying to brute force it. Lets see, this morning in
> an eight-minute span from one IP in Aruba 100 attempts for root; other
> usernames attempted include admin, staff, sales, office, alias, stud (!),
> trash, guest, test, oracle, a few personal names, apache, svn, iraf, swsoft,
> gast, sirsi and nagios. And this is a relatively slow day.
>
> Telnet I wouldn't know about, but I'm told bots will try to force it as
> well.


Oh, there's plenty of names in one of my server logs too... looks almost 
like they've gone through a name-choosing handbook.

I can understand the logic of dropping the port, but theres some 
additional thought involved when looking at Port 22 - maybe i'm not 
well-read enough, but the bots I've seen that are doing SSH scans, etc, 
are not usually on Windows systems. I can figure them working on Linux, 
MacOS systems - but surely the vast majority of 'vulnerable' hosts are 
those running OS's coming from our favourite megacorp?  Which typically 
don't come shipped with neither SSH server nor SSH client... ?

To me, at least half the users likely to be running either Linux or Mac 
are going to be the same users who're going to request they be allowed 
outbound SSH.... is the blocking of outbound SSH considered to be 
sufficiently useful that we're advocating it these days?

(Aren't we all just moving SSH to non-standard ports within our 
networks anyway?)

... Mark.