What does the group think of changing the port that sshd listens on for connections? Yes, I know this is a sort of security by obscurity and is entirely pointless if you are being targeted. But we aren't being targeted, yet the net is just full of drive-by connection attempts these days.
On a server I administer for a customer I used to get log reports of hundreds and even thousands of attempted ssh connections each and every day. I got tired of the noise and moved sshd to another port. It has been years now and there has not been a single ssh connection attempt from anyone other than me since I made the change.
Now I'm not saying this is any serious problem. And I don't get these sorts of log reports on the Squeak servers currently, so this is not addressing any noise I'm dealing with. But I'm sure all of the Squeak servers are being hit with connection attempts constantly, probably more than the other server I deal with since it is in no way public. At some point there is a tiny possibility that one of the connection attempts will properly guess both a username and a password (and shame on that person for using such a simple password if it happens :) ), sort of the million monkey theory.
Anyway this is something I've considered but of course it would affect everyone who sshs to the servers and so I can't just make such a change unilaterally.
If you are in favor of this change, suggest a number that might be relevant to Squeakers and easy to remember, preferably <= 1024, if you can think of one.
Ken
On 20 February 2014 17:12, Ken Causey ken@kencausey.com wrote:
What does the group think of changing the port that sshd listens on for connections? Yes, I know this is a sort of security by obscurity and is entirely pointless if you are being targeted. But we aren't being targeted, yet the net is just full of drive-by connection attempts these days.
On a server I administer for a customer I used to get log reports of hundreds and even thousands of attempted ssh connections each and every day. I got tired of the noise and moved sshd to another port. It has been years now and there has not been a single ssh connection attempt from anyone other than me since I made the change.
+1, and for the same reason. It's not security by obscurity, because our security doesn't depend on the port. It's operational sanity :)
If you are in favor of this change, suggest a number that might be relevant to Squeakers and easy to remember, preferably <= 1024, if you can think of one.
I suggest 2044, for no better reason than that's where I last moved my sshd to :).
frank
I just auto-blacklist drive-bys. Lemme dig in my server…
#
# Rate limit ssh connections
#
# Chain that logs a packet and then drops it
/sbin/iptables -N LOGDROP
/sbin/iptables -A LOGDROP -j LOG
/sbin/iptables -A LOGDROP -j DROP
# Record the source address of every new connection to port 22 on eth0
/sbin/iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
# Inserted above the rule before it (-I prepends), so it is evaluated first:
# log and drop a source that has opened 3 or more new connections within 60 seconds
/sbin/iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j LOGDROP
On 20Feb, 2014, at 12:12, Ken Causey ken@kencausey.com wrote:
What does the group think of changing the port that sshd listens on for connections? Yes, I know this is a sort of security by obscurity and is entirely pointless if you are being targeted. But we aren't being targeted, yet the net is just full of drive-by connection attempts these days.
On a server I administer for a customer I used to get log reports of hundreds and even thousands of attempted ssh connections each and every day. I got tired of the noise and moved sshd to another port. It has been years now and there has not been a single ssh connection attempt from anyone other than me since I made the change.
Now I'm not saying this is any serious problem. And I don't get these sorts of log reports on the Squeak servers currently, so this is not addressing any noise I'm dealing with. But I'm sure all of the Squeak servers are being hit with connection attempts constantly, probably more than the other server I deal with since it is in no way public. At some point there is a tiny possibility that one of the connection attempts will properly guess both a username and a password (and shame on that person for using such a simple password if it happens :) ), sort of the million monkey theory.
Anyway this is something I've considered but of course it would affect everyone who sshs to the servers and so I can't just make such a change unilaterally.
If you are in favor of this change, suggest a number that might be relevant to Squeakers and easy to remember, preferably <= 1024, if you can think of one.
Ken
On 20.02.2014, at 18:12, Ken Causey ken@kencausey.com wrote:
What does the group think of changing the port that sshd listens on for connections? Yes, I know this is a sort of security by obscurity and is entirely pointless if you are being targeted. But we aren't being targeted, yet the net is just full of drive-by connection attempts these days.
On a server I administer for a customer I used to get log reports of hundreds and even thousands of attempted ssh connections each and every day. I got tired of the noise and moved sshd to another port. It has been years now and there has not been a single ssh connection attempt from anyone other than me since I made the change.
Please just install fail2ban. I have been using this for years and it is indispensable. It analyzes the ssh fail logs and auto-bans offending IPs for 10 minutes; this is typically enough to stop script kiddies from trying further.
Best -Tobias
Now I'm not saying this is any serious problem. And I don't get these sorts of log reports on the Squeak servers currently, so this is not addressing any noise I'm dealing with. But I'm sure all of the Squeak servers are being hit with connection attempts constantly, probably more than the other server I deal with since it is in no way public. At some point there is a tiny possibility that one of the connection attempts will properly guess both a username and a password (and shame on that person for using such a simple password if it happens :) ), sort of the million monkey theory.
Anyway this is something I've considered but of course it would affect everyone who sshs to the servers and so I can't just make such a change unilaterally.
If you are in favor of this change, suggest a number that might be relevant to Squeakers and easy to remember, preferably <= 1024, if you can think of one.
Ken
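Cees' iptables rules and Tobias' fail2ban recommendation come down to the same logic: count failed logins (or new connections) per source address over a time window and block a source that crosses a threshold. The following is an added example, not code from the thread, that implements that logic in Python over constructed auth.log lines (source addresses taken from the RFC 5737 documentation ranges) so the effect of the maxretry, findtime and bantime settings can be checked offline. The function and parameter names mirror fail2ban's setting names but are this example's own.

```python
"""Count failed SSH logins per source and decide which sources to ban.

Added example, not part of the mailing-list thread. The log lines are a
constructed sample in the OpenSSH/syslog format; the addresses are from
the RFC 5737 documentation ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/auth.log (syslog omits the year, as here).
SAMPLE_LOG = """\
Feb 20 17:10:01 box sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Feb 20 17:10:03 box sshd[2103]: Failed password for root from 203.0.113.5 port 51240 ssh2
Feb 20 17:10:04 box sshd[2104]: Failed password for invalid user oracle from 203.0.113.5 port 51241 ssh2
Feb 20 17:10:09 box sshd[2110]: Accepted publickey for ken from 198.51.100.7 port 40022 ssh2
Feb 20 17:11:30 box sshd[2130]: Failed password for ken from 198.51.100.7 port 40030 ssh2
Feb 20 17:20:00 box sshd[2200]: Failed password for invalid user test from 192.0.2.9 port 60001 ssh2
Feb 20 17:30:00 box sshd[2201]: Failed password for invalid user test from 192.0.2.9 port 60002 ssh2
Feb 20 17:40:00 box sshd[2202]: Failed password for invalid user test from 192.0.2.9 port 60003 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(text, year=2014):
    """Yield (timestamp, source_ip, user) for each failed-password line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and other sshd messages are not failures
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def failures_by_source(text):
    """Count failed logins per source: the log noise that banning does not remove."""
    counts = defaultdict(int)
    for _ts, ip, _user in parse_failures(text):
        counts[ip] += 1
    return dict(counts)


def find_bans(text, maxretry=3, findtime=600, bantime=600):
    """Return {source_ip: ban_start} for sources with >= maxretry failures within findtime seconds.

    Same idea as fail2ban's maxretry/findtime/bantime and the iptables
    'recent' rules: keep a sliding window of recent failures per source;
    once the window holds maxretry entries the source is banned, and further
    failures while the ban lasts are ignored (the firewall would drop them).
    """
    recent = defaultdict(deque)
    bans = {}
    for ts, ip, _user in parse_failures(text):
        if ip in bans and (ts - bans[ip]).total_seconds() < bantime:
            continue  # still banned: this attempt would never reach sshd
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop failures that fell out of the window
        if len(window) >= maxretry:
            bans[ip] = ts
            window.clear()
    return bans


if __name__ == "__main__":
    print("failures per source:", failures_by_source(SAMPLE_LOG))
    print("banned:", {ip: ts.isoformat() for ip, ts in find_bans(SAMPLE_LOG).items()})
```

With the defaults, 203.0.113.5 is banned on its third failure, while 192.0.2.9, which spaces its three attempts ten minutes apart, never accumulates three failures inside one window; widening findtime to 1800 seconds catches it too. Either way all seven failed attempts remain in the log, which is Levente's point about noise.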
On Thu, 20 Feb 2014, Tobias Pape wrote:
On 20.02.2014, at 18:12, Ken Causey ken@kencausey.com wrote:
What does the group think of changing the port that sshd listens on for connections? Yes, I know this is a sort of security by obscurity and is entirely pointless if you are being targeted. But we aren't being targeted, yet the net is just full of drive-by connection attempts these days.
On a server I administer for a customer I used to get log reports of hundreds and even thousands of attempted ssh connections each and every day. I got tired of the noise and moved sshd to another port. It has been years now and there has not been a single ssh connection attempt from anyone other than me since I made the change.
Please just install fail2ban. I have been using this for years and it is indispensable. It analyzes the ssh fail logs and auto-bans offending IPs for 10 minutes; this is typically enough to stop script kiddies from trying further.
It doesn't get rid of the noise from the logs.
Levente
Best -Tobias
Now I'm not saying this is any serious problem. And I don't get these sorts of log reports on the Squeak servers currently, so this is not addressing any noise I'm dealing with. But I'm sure all of the Squeak servers are being hit with connection attempts constantly, probably more than the other server I deal with since it is in no way public. At some point there is a tiny possibility that one of the connection attempts will properly guess both a username and a password (and shame on that person for using such a simple password if it happens :) ), sort of the million monkey theory.
Anyway this is something I've considered but of course it would affect everyone who sshs to the servers and so I can't just make such a change unilaterally.
If you are in favor of this change, suggest a number that might be relevant to Squeakers and easy to remember, preferably <= 1024, if you can think of one.
Ken
On 20.02.2014, at 18:36, Levente Uzonyi leves@elte.hu wrote:
On Thu, 20 Feb 2014, Tobias Pape wrote:
On 20.02.2014, at 18:12, Ken Causey ken@kencausey.com wrote:
What does the group think of changing the port that sshd listens on for connections? Yes, I know this is a sort of security by obscurity and is entirely pointless if you are being targeted. But we aren't being targeted, yet the net is just full of drive-by connection attempts these days.
On a server I administer for a customer I used to get log reports of hundreds and even thousands of attempted ssh connections each and every day. I got tired of the noise and moved sshd to another port. It has been years now and there has not been a single ssh connection attempt from anyone other than me since I made the change.
Please just install fail2ban. I have been using this for years and it is indispensable. It analyzes the ssh fail logs and auto-bans offending IPs for 10 minutes; this is typically enough to stop script kiddies from trying further.
It doesn't get rid of the noise from the logs.
It minimizes noise. Which box are we speaking of?
Best -Tobias
On 02/20/2014 11:36 AM, Levente Uzonyi wrote:
On Thu, 20 Feb 2014, Tobias Pape wrote:
On 20.02.2014, at 18:12, Ken Causey ken@kencausey.com wrote:
What does the group think of changing the port that sshd listens on for connections? Yes, I know this is a sort of security by obscurity and is entirely pointless if you are being targeted. But we aren't being targeted, yet the net is just full of drive-by connection attempts these days.
On a server I administer for a customer I used to get log reports of hundreds and even thousands of attempted ssh connections each and every day. I got tired of the noise and moved sshd to another port. It has been years now and there has not been a single ssh connection attempt from anyone other than me since I made the change.
Please just install fail2ban. I have been using this for years and it is indispensable. It analyzes the ssh fail logs and auto-bans offending IPs for 10 minutes; this is typically enough to stop script kiddies from trying further.
It doesn't get rid of the noise from the logs.
Levente
I'm not too worried about the noise issue, I just ignore it right now anyway. I haven't looked at it yet but I've put fail2ban as well as Cees' suggestion on my list to consider.
Ken
On Thu, 20 Feb 2014, Ken Causey wrote:
What does the group think of changing the port that sshd listens on for connections? Yes, I know this is a sort of security by obscurity and is entirely pointless if you are being targeted. But we aren't being targeted, yet the net is just full of drive-by connection attempts these days.
On a server I administer for a customer I used to get log reports of hundreds and even thousands of attempted ssh connections each and every day. I got tired of the noise and moved sshd to another port. It has been years now and there has not been a single ssh connection attempt from anyone other than me since I made the change.
Now I'm not saying this is any serious problem. And I don't get these sorts of log reports on the Squeak servers currently, so this is not addressing any noise I'm dealing with. But I'm sure all of the Squeak servers are being hit with connection attempts constantly, probably more than the other server I deal with since it is in no way public. At some point there is a tiny possibility that one of the connection attempts will properly guess both a username and a password (and shame on that person for using such a simple password if it happens :) ), sort of the million monkey theory.
Anyway this is something I've considered but of course it would affect everyone who sshs to the servers and so I can't just make such a change unilaterally.
If you are in favor of this change, suggest a number that might be relevant to Squeakers and easy to remember, preferably <= 1024, if you can think of one.
What's the point of using a low port number? We always use a random high port for non-public services.
Levente
Ken
On 02/20/2014 11:33 AM, Levente Uzonyi wrote:
On Thu, 20 Feb 2014, Ken Causey wrote:
What does the group think of changing the port that sshd listens on for connections? Yes, I know this is a sort of security by obscurity and is entirely pointless if you are being targeted. But we aren't being targeted, yet the net is just full of drive-by connection attempts these days.
On a server I administer for a customer I used to get log reports of hundreds and even thousands of attempted ssh connections each and every day. I got tired of the noise and moved sshd to another port. It has been years now and there has not been a single ssh connection attempt from anyone other than me since I made the change.
Now I'm not saying this is any serious problem. And I don't get these sorts of log reports on the Squeak servers currently, so this is not addressing any noise I'm dealing with. But I'm sure all of the Squeak servers are being hit with connection attempts constantly, probably more than the other server I deal with since it is in no way public. At some point there is a tiny possibility that one of the connection attempts will properly guess both a username and a password (and shame on that person for using such a simple password if it happens :) ), sort of the million monkey theory.
Anyway this is something I've considered but of course it would affect everyone who sshs to the servers and so I can't just make such a change unilaterally.
If you are in favor of this change, suggest a number that might be relevant to Squeakers and easy to remember, preferably <= 1024, if you can think of one.
What's the point of using a low port number? We always use a random high port for non-public services.
Any user can start sshd on a port above 1024; this makes it possible for an attacker who has gained access to spoof sshd. I have used ports higher than 1024 before and currently, but it is better to use a port only the superuser can listen on.
Ken
Levente
Ken
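Ken's point about privileged ports, as an added example that is not part of the thread: on Linux, listening on a port below 1024 requires root (or the CAP_NET_BIND_SERVICE capability), so a listener found on a low port cannot have been started by an ordinary user account. The script below classifies a candidate port and then tries to bind it, so an admin can see what the kernel says to the current user. The port numbers and function names are this example's own; the outcome for port 1023 depends on the privileges of the user running it, and some container runtimes lower the privileged-port boundary.

```python
"""Classify an sshd port as privileged or not, and test whether this process may bind it.

Added example, not from the thread. Ports 0-1023 are reserved for the
superuser on Unix-like systems; port 2044 is the value suggested in the
thread, 1023/1024 mark the boundary.
"""
import errno
import os
import socket

PRIVILEGED_MAX = 1023  # highest port that only root may listen on


def is_privileged_port(port):
    """True for ports only the superuser can listen on (0-1023)."""
    return 0 <= port <= PRIVILEGED_MAX


def running_as_root():
    """True when the effective user is root (the usual way to get low ports)."""
    return os.geteuid() == 0


def try_bind(port, host="127.0.0.1"):
    """Attempt to bind a TCP listener on host:port and release it again.

    Returns (bound, reason). reason is "ok", "permission" when the kernel
    refused because the port is privileged for this user, "in-use" when
    something already listens there, or the errno name for anything else.
    Port 0 asks the kernel for a free unprivileged port.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind((host, port))
        except PermissionError:
            return False, "permission"
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return False, "in-use"
            return False, errno.errorcode.get(e.errno, str(e.errno))
        return True, "ok"


def audit_listener_port(port):
    """Summarize, per the thread's argument, who could start a listener on this port."""
    if is_privileged_port(port):
        return "privileged: only root can start a listener here"
    return "unprivileged: any local user could start a listener here"


if __name__ == "__main__":
    print("running as root:", running_as_root())
    for port in (22, 1023, 1024, 2044):
        print(port, audit_listener_port(port), try_bind(port))
```

Run as an unprivileged user on a stock Linux host, the bind on 22 and 1023 reports "permission" while 1024 and 2044 succeed (or report "in-use" if a service already occupies them); run as root, the low ports bind as well, which is exactly the asymmetry Ken relies on.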
box-admins@lists.squeakfoundation.org