Re: Idea to secure ssh
On Wednesday 15 March 2006 11:06, Goswin von Brederlow wrote:
> He's trying to solve that a tcp connect to port 22 establishes a
> connection and thereby reveals that the server is running an sshd and
> attacking it makes sense.
>
> His idea is to add a 100% non-responsive knocking (using udp) before
> the actual ssh handshake so unauthorized clients can't even determine
> that sshd is running. Not that I find that useful but that's the idea.
Thank you! You stated it in simple terms that escaped me.
If the only brute-force attempts come from a single address, then simpler
methods of detecting and blocking such attempts may be adequate. If one is
quite satisfied leaving the barn door wide open while having an obviously
secure lock on the door of the stall holding his prized thoroughbred, then no
extra security is needed. For me, putting an obvious, very visible lock on
the stall door is not sufficient; I'd like to obscure all of the stall doors
so that the good locks aren't obvious, and secure the barn itself. I wouldn't
put up flags and banners crying out to all passers-by that I may have
something valuable inside. I want thieves to think, "There's nothing here
worth stealing; I'll keep going to the next place" while they are still on
the road passing by.
Considering that many miscreants have 'armies' of cracked Windows computers
they control remotely, many concerted attacks won't necessarily come from one
IP or one network. Concerted spam attacks don't come from a single source.
DDoS attacks don't come from a single source. If shooing the intruder away
after he's been picking away at your system for a while is good enough for
you, then good. You don't need anything else. But I think there are plenty of
others who, like me, don't want to give miscreants any reason to stop and
pick away at all. We want them to stay on the road and pass right by. And we
want to be ready for them if they do happen to stop.
Neal
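The non-responsive UDP knock that the quoted summary describes, sketched as an added example (not code from this thread or from any knock daemon the posters were using): the client sends one UDP datagram carrying a timestamp, a nonce and an HMAC over those fields plus its own source address; the server verifies it and, on success, would open port 22 for that address, but in no case sends anything back, so a scanner sees the same silence whether or not a knock daemon is listening. The packet layout, the 30-second freshness window, the shared secret and the "opened" list that stands in for the firewall change are assumptions of the example.

```python
"""Single-packet, never-answered UDP knock in front of sshd.

Added illustration of the idea discussed in the thread; not the posters' code.
Packet layout, 30-second window and the shared secret are assumptions.
"""
import hashlib
import hmac
import os
import socket
import struct
import time
from typing import Optional

HDR = struct.Struct("!Q")                # 8-byte big-endian timestamp
NONCE_LEN = 16
MAC_LEN = hashlib.sha256().digest_size   # 32
WINDOW = 30                              # seconds of clock skew tolerated (assumption)


def _mac(secret: bytes, ts_bytes: bytes, nonce: bytes, src_ip: str) -> bytes:
    # Bind the knock to the source address so a captured packet cannot be
    # replayed from another host, and to a nonce so it cannot be replayed at all.
    return hmac.new(secret, ts_bytes + nonce + src_ip.encode(), hashlib.sha256).digest()


def build_knock(secret: bytes, src_ip: str, now: Optional[float] = None,
                nonce: Optional[bytes] = None) -> bytes:
    """Client side: timestamp || nonce || HMAC-SHA256 (56 bytes)."""
    ts_bytes = HDR.pack(int(now if now is not None else time.time()))
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    return ts_bytes + nonce + _mac(secret, ts_bytes, nonce, src_ip)


def verify_knock(secret: bytes, packet: bytes, src_ip: str, seen: set,
                 now: Optional[float] = None) -> bool:
    """Server side: True only for a fresh, unreplayed knock with a valid MAC.

    Whatever the outcome, the caller never replies; the only visible effect
    of a good knock is the firewall opening port 22 for src_ip.
    `seen` holds used nonces; in a daemon it would be pruned after WINDOW.
    """
    if len(packet) != HDR.size + NONCE_LEN + MAC_LEN:
        return False
    ts_bytes = packet[:HDR.size]
    nonce = packet[HDR.size:HDR.size + NONCE_LEN]
    mac = packet[HDR.size + NONCE_LEN:]
    # Check the MAC before trusting any field, and in constant time.
    if not hmac.compare_digest(mac, _mac(secret, ts_bytes, nonce, src_ip)):
        return False
    (ts,) = HDR.unpack(ts_bytes)
    current = now if now is not None else time.time()
    if abs(current - ts) > WINDOW:        # stale or future-dated knock
        return False
    if nonce in seen:                     # replay of a knock captured on the wire
        return False
    seen.add(nonce)
    return True


def demo(port: int = 40022) -> list:
    """Loopback run: a good knock, a replayed copy, and a scanner's probe.

    Returns the list of source addresses that would have been opened.
    The `opened` list is a stand-in for the real action (hypothetical), e.g.
    inserting an iptables rule admitting that source to tcp/22.
    """
    secret = b"constructed-shared-secret"     # constructed for the demo
    seen, opened = set(), []
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", port))
    srv.settimeout(2.0)
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    knock = build_knock(secret, "127.0.0.1")
    cli.sendto(knock, ("127.0.0.1", port))
    cli.sendto(knock, ("127.0.0.1", port))              # replayed copy
    cli.sendto(b"GET / HTTP/1.0\r\n", ("127.0.0.1", port))  # random probe
    for _ in range(3):
        data, (ip, _) = srv.recvfrom(4096)
        if verify_knock(secret, data, ip, seen):
            opened.append(ip)
        # No reply in any branch: silence is the whole point.
    srv.close()
    cli.close()
    return opened


if __name__ == "__main__":
    print(demo())   # expected: ['127.0.0.1'] (the replay and the probe are ignored)
```

The replay check and the source-address binding are what make a passive sniffer useless: a captured knock is worthless from another host and worthless again from the same one. Note that the knock only hides the listener from strangers; once port 22 is opened for an address, sshd still has to stand on its own.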