Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: targetted SSH bruteforce attacks
From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Thu, 17 Jun 2010 15:19:18 -0500

--On Thursday, June 17, 2010 09:38:02 -0700 "Randal L. Schwartz" 
<merlyn () stonehenge com> wrote:

"Emmanuel" == Emmanuel VERCHERE <emmanuel.verchere () gmail com> writes:

Emmanuel> SSH daemons using password auth exposed to the Internet _do_
Emmanuel> get bruteforce attempts. I would not recommend moving it to a
Emmanuel> different port than 22 as that would be of very, _very_ little
Emmanuel> help - rather switch to public key auth (plus SPA if you're
Emmanuel> paranoid), et voila.

After being regularly nailed on my port 22, I *did* move it.  I've had
only *one* attack since then, down by a factor of 20 or so.

Yes, it's worth it to not be on port 22, as long as you're one of the
few. :)  Remember, these bots are going for low-hanging fruit... it's
not worth it for them to hit all 65k ports.

Now, if we *all* move away from 22, your advice is more appropriate.

Of course if you do account provisioning correctly and configure your hosts 
securely, you're not exposed on port 22 either.  You just have to deal with the 
constant knocking at the door.  Some of us have simply learned to ignore it. 
It's just the background noise of the internet.

Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]