[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: What to do about SSH brute force attempts?

On Thu, Aug 21, 2008 at 7:58 AM, Michael Tautschnig <mt@debian.org> wrote:
>> Third use a non standart ssh port (for example 2222) apt-get install fail2ban
> I'm not a huge fan of security by obscurity, so I'd rather stick with 22 for
> now.
"Security by obscurity" is a perfectly valid _FACET_ of system
security.  By no means should it be your ONLY defense, but switching
off a standard port will dramatically reduce the number of attacks.
Unless someone is specifically targeting your box, you WILL get
portscanned on all the standards and if anything interesting is found,
you WILL get dictionary attacked.  I had to switch to a standard port
to connect from work and within 4 days, was getting dictionary
attacked from China and East Europe.  Upon switching back, the attacks
stopped completely.

Your security should be multi-layered consisting of:
* STRONG passwords (and/or SSH keys!)
* frequent updates
* monitoring (logging, IDS, fail2ban)
* firewalling (I prefer AllowHosts over DenyHosts.  WAY more restrictive.)
* encryption.  use SSL when possible, tunnel through SSH
* obscurity.  don't report services OR version numbers and run
non-standards when possible.

If you need more security than this, you should probably unplug your ethernet.

Seriously, unless  you absolutely MUST run on port 22, I would
recommend HIGHLY against it.  If someone is attacking you
specifically, obscurity won't help, but against this massive,
distributed, automated attacks, its practically the silver bullet.

Good luck,

Reply to: