Re: SSH attacks?

["Jay D. Dyson" <jdyson () treachery net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 29 Jul 2004, Pieter-Bas IJdens wrote:

> If you are so worried about SSH security who don't you just run sshd on
> a non-standard port.

        That practice affords no security benefit.  Any scanner worth its
salt (no pun...really) can identify a service even if it's running on a
non-standard port.  Nessus does this, as do a host of other scanners.

        For my own part, I set my firewall rulesets to default deny any IP
that is not specifically blessed for interactive login.  For example, I do
not have any users who live in Asia, Europe, Canada, South America or
Africa.  Thus, those netblocks are not allowed to connect on 22/TCP.
This helps limit the attack vectors while still allowing my users access
to the systems they require.

        For now, I think we need to spend a little more time getting to
the bottom of *why* we're seeing this uptick in scans.  Someone openly
postulated that a distro mirror may have been compromised and the
injection of a trojaned SSHd may be in play.  While I don't have any
evidence to support this, a number of the conditions we've seen of late
(same login ID from various IPs across the globe, for instance) does
support this possibility.  Now it's up to us to determine the source of
this trojan SSHd and put it out of our misery.

        Them's me thoughts.

- -Jay

   (    (                                                        _______
   ))   ))   .-"There's always time for a good cup of coffee"-.   >====<--.
 C|~~|C|~~| (>----- Jay D. Dyson -- jdyson () treachery net -----<) |    = |-'
  `--' `--'  `-------- I am the terror of my enemies. --------'  `------'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQFBCZiR6uxsHJ5aYG4RApYKAJ0ZP/8e9eb6W5qEWXGcjtdSOnCDJQCbBU0S
h1smeLNWPRkY9tKJbr/kvVY=
=GqPs
-----END PGP SIGNATURE-----