Educause Security Discussion mailing list archives

Re: significant incoming SSH volume


From: "Edgmand, Craig" <craig.edgmand () OKSTATE EDU>
Date: Tue, 16 Mar 2010 15:19:16 -0500

Justin,

    We are not currently seeing large increases in SSH traffic.

    We do not allow SSH connections from the Internet directly into the datacenter; you must either VPN first or ssh to another host on campus.

    We also block multiple SSH attempts via our IPS devices.

    On the server side you could use IPtables or TCPwrappers to block access.

Craig Edgmand
Lead Security Engineer
Oklahoma State University.


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Justin Sipher
Sent: Tuesday, March 16, 2010 3:07 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] significant incoming SSH volume

Hello all.  We have seen a drastic uptick in recent days for inbound SSH connections to many of our servers.  These connections are attempting to connect to our servers as ROOT and are coming from IP addresses appearing to be mostly overseas.  They number in the thousands of connections.  While we are confident in the strength of our passwords, as you know with enough effort.......

My questions to this group are:


 *   Is anyone else seeing this?
 *   Are you doing anything to address this?  We are contemplating blocking SSH inbound on our firewall and requiring any external SSH connection to first connect to our VPN.  In some ways it seems excessive and maybe even unsustainable.  On the other hand, protecting our servers is important as you well know.

Any advice, feedback, or suggestion of best practice is welcome.

Best & thanks!
...Justin
________________________
  Justin Sipher
  Chief Technology Officer
  Skidmore College
  Saratoga Springs, NY
  jsipher () skidmore edu
  518-580-5909
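
Added example, not part of either message above: one way to turn the failed root logins described in the thread into the server-side iptables or TCP wrappers blocks suggested in the reply. The log lines are constructed samples in OpenSSH's usual format, and `TRUSTED_NETS`, the threshold and all function names are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd log lines (documentation-range addresses), not real data.
SAMPLE_LOG = """\
Mar 16 14:02:11 web1 sshd[2211]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 16 14:02:13 web1 sshd[2213]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 16 14:02:15 web1 sshd[2215]: Failed password for root from 203.0.113.5 port 51244 ssh2
Mar 16 14:02:20 web1 sshd[2220]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Mar 16 14:03:01 web1 sshd[2230]: Failed password for root from 198.51.100.7 port 40030 ssh2
Mar 16 14:04:10 web1 sshd[2290]: Failed password for root from 192.0.2.10 port 50100 ssh2
Mar 16 14:04:12 web1 sshd[2291]: Failed password for root from 192.0.2.10 port 50104 ssh2
Mar 16 14:04:15 web1 sshd[2292]: Failed password for root from 192.0.2.10 port 50108 ssh2
"""

# Matches "Failed password for root" lines; IPv4 sources only in this example.
FAILED_ROOT = re.compile(
    r"sshd\[\d+\]: Failed password for root from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Assumption: 192.0.2.0/24 stands in for the campus/VPN range that must never be blocked.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def failed_root_by_source(log_text):
    """Count failed root logins per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_ROOT.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts

def block_candidates(counts, threshold=3, trusted=TRUSTED_NETS):
    """Sources at or above the threshold, excluding trusted networks."""
    def is_trusted(ip):
        return any(ipaddress.ip_address(ip) in net for net in trusted)
    return sorted(ip for ip, n in counts.items() if n >= threshold and not is_trusted(ip))

def hosts_deny_lines(ips):
    return [f"sshd: {ip}" for ip in ips]  # TCP wrappers entries for /etc/hosts.deny

def iptables_commands(ips):
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in ips]

if __name__ == "__main__":
    offenders = block_candidates(failed_root_by_source(SAMPLE_LOG))
    print("\n".join(hosts_deny_lines(offenders) + iptables_commands(offenders)))
```

The trusted-network check keeps a user on the campus or VPN range who mistypes a password from being locked out by the same rule that blocks the external sources.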

