Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
That won't work with a targeted attack, as anyone can probe an open port to determine what's actually running on the other end (a simple telnet to port xxx will show an SSH banner, no matter the port), but I get what you're saying.
I donate my logs to security sites (sans.org/dshield.org), so I'd prefer to log and block such activity. I think it's prudent to watch such activity, even though it's being dropped. I compared my SSH logs with my FW and Denyhosts logs and found that some things weren't being blocked by Denyhosts. The FW would let the traffic in and SSH would deny it while Denyhosts wouldn't block. This is why layering security is good. When 2 of 3 layers don't work, that last layer is the very last defense. The distributed attacks didn't affect me but it was definitely a smart thing to do (if you're a hacker) to dodge thresholded blocking. It pays to understand what's in your logs and how to mitigate or remedy security issues. Historical log trending can ferret out less obvious security issues that may or may not affect the masses...better to understand now than be blind-sided.
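The log comparison described in the post above can be scripted. This is an added example, not code from the thread or from Denyhosts: it flags usernames hit by many source addresses that each stay under a per-IP block threshold. The log lines are constructed, and the thresholds, window and function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth-log lines (documentation IP ranges, not real data).
SAMPLE_LOG = """
Jan 12 03:10:01 host sshd[2211]: Failed password for root from 192.0.2.10 port 40022 ssh2
Jan 12 03:11:30 host sshd[2214]: Failed password for root from 192.0.2.11 port 40100 ssh2
Jan 12 03:13:02 host sshd[2219]: Failed password for root from 198.51.100.7 port 51234 ssh2
Jan 12 03:13:40 host sshd[2220]: Failed password for root from 192.0.2.10 port 40031 ssh2
Jan 12 03:14:30 host sshd[2225]: Failed password for root from 198.51.100.8 port 33456 ssh2
Jan 12 03:16:05 host sshd[2230]: Failed password for root from 203.0.113.9 port 47811 ssh2
Jan 12 04:00:01 host sshd[2301]: Failed password for invalid user admin from 203.0.113.50 port 5551 ssh2
Jan 12 04:00:03 host sshd[2302]: Failed password for invalid user admin from 203.0.113.50 port 5552 ssh2
Jan 12 04:00:05 host sshd[2303]: Failed password for invalid user admin from 203.0.113.50 port 5553 ssh2
Jan 12 04:00:07 host sshd[2304]: Failed password for invalid user admin from 203.0.113.50 port 5554 ssh2
Jan 12 04:00:09 host sshd[2305]: Failed password for invalid user admin from 203.0.113.50 port 5555 ssh2
Jan 12 04:05:00 host sshd[2310]: Accepted publickey for alice from 192.0.2.99 port 60000 ssh2
"""

FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def parse(lines, year=2024):
    """Yield (timestamp, user, source_ip) per failed login; syslog omits the year."""
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def find_distributed(lines, per_ip_threshold=5, min_sources=4,
                     window=timedelta(minutes=10)):
    """Return {user: [ips]} where >= min_sources addresses, each below the
    per-IP threshold overall, failed against the same user within the window."""
    per_ip, by_user = defaultdict(int), defaultdict(list)
    for ts, user, ip in parse(lines):
        per_ip[ip] += 1
        by_user[user].append((ts, ip))
    findings = {}
    for user, events in by_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            quiet = {ip for _, ip in events[start:end + 1]
                     if per_ip[ip] < per_ip_threshold}
            if len(quiet) >= min_sources:
                findings[user] = sorted(quiet | set(findings.get(user, [])))
    return findings
```

On the sample, the single noisy address hammering `admin` is the case a per-IP threshold already catches, so it is left out; only the `root` attempts spread across five quiet addresses are reported.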
Yep, takes a half second to see ssh running up high, but it takes eyes-on to know it. It wouldn't be hard to script automated discovery of services on non-standard ports, but for now it appears the script-kiddie-download hax0rs hit on 22 or nothing.
I don't log port 22 at the firewall, but I do monitor everything in and out by other means. I've never seen any attempt to crack secure shell.
Hey thanks for the links, yes that seems quite similar. Distributed brute force.... nasty business
Quote:
Originally Posted by catworld
Yep, takes a half second to see ssh running up high, but it takes eyes-on to know it. It wouldn't be hard to script automated discovery of services on non-standard ports, but for now it appears the script-kiddie-download hax0rs hit on 22 or nothing.
Indeed I think running ssh on a non-standard port is one of the best pseudo-security measures you can take. I've not had a single attack on my real ssh port ever since I took that step, now almost a year ago. It's not like real security obviously, because a human that knows what (s)he's doing can easily avoid it. But with all the kiddies never even reaching the logs, this attack will stand out like a beacon.
Quote:
Originally Posted by catworld
God forbid one of them discovers grep...
Aw! Do you think it's time to start negotiating terms of surrender?? If teh Üb3r proCr@xXx0rz read the grep man page, we might as well give up.