Full Disclosure mailing list archives

Re: targetted SSH bruteforce attacks


From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Thu, 17 Jun 2010 15:19:18 -0500

--On Thursday, June 17, 2010 09:38:02 -0700 "Randal L. Schwartz" <merlyn () stonehenge com> wrote:

> "Emmanuel" == Emmanuel VERCHERE <emmanuel.verchere () gmail com> writes:
>
> Emmanuel> SSH daemons using password auth exposed to the Internet _do_
> Emmanuel> get bruteforce attempts. I would not recommend moving it to a
> Emmanuel> different port than 22 as that would be of very, _very_ little
> Emmanuel> help - rather switch to public key auth (plus SPA if you're
> Emmanuel> paranoid), et voila.
>
> After being regularly nailed on my port 22, I *did* move it.  I've had
> only *one* attack since then, down by a factor of 20 or so.
>
> Yes, it's worth it to not be on port 22, as long as you're one of the
> few. :)  Remember, these bots are going for low-hanging fruit... it's
> not worth it for them to hit all 65k ports.
>
> Now, if we *all* move away from 22, your advice is more appropriate.

Of course if you do account provisioning correctly and configure your hosts 
securely, you're not exposed on port 22 either.  You just have to deal with the 
constant knocking at the door.  Some of us have simply learned to ignore it. 
It's just the background noise of the internet.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

