LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 01-22-2009, 01:34 PM   #16
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158Reputation: 158

That won't work with a targeted attack, as anyone can probe an open port to determine what's actually running on the other end (a simple telnet to port xxx will show an SSH banner, no matter the port), but I get what you're saying.

I donate my logs to security sites (sans.org/dshield.org), so I'd prefer to log and block such activity. I think its prudent to watch such activity, even though its being dropped. I compared my SSH logs with my FW and Denyhosts logs and found that some things weren't being blocked by Denyhosts. The FW would let the traffic in and SSH would deny it while Denyhosts wouldn't block. This is why layering security is good. When 2 of 3 layers don't work, that last layer is the very last defense. The distributed attacks didn't affect me but it was a definitely smart thing to do (if you're a hacker) to dodge thresholded blocking. It pays to understand what's in your logs and how to mitigate or remedy security issues. Historical log trending can ferret out less obvious security issues that may or may not affect the masses...better to understand now than be blind-sided.
 
Old 01-22-2009, 03:30 PM   #17
catworld
Member
 
Registered: Nov 2004
Location: Horseheads, New York
Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack & etc...
Posts: 198

Rep: Reputation: 36
Yep, takes a half second to see ssh running up high, but it takes eyes-on to know it. It wouldn't be hard to script automated discovery of services on non-standard ports, but for now it appears the script-kiddie-download hax0rs hit on 22 or nothing.

I don't log port 22 at the firewall, but I do monitor everything in and out by other means. I've never seen any attempt to crack secure shell.

God forbid one of them discovers grep...
 
Old 01-23-2009, 10:52 AM   #18
/dev/me
Member
 
Registered: May 2008
Distribution: Slackware 13
Posts: 116

Original Poster
Rep: Reputation: 20
Hey thanks for the links, yes that seems quite similar. Distributed brute force.... nasty business


Quote:
Originally Posted by catworld
Yep, takes a half second to see ssh running up high, but it takes eyes-on to know it. It wouldn't be hard to script automated discovery of services on non-standard ports, but for now it appears the script-kiddie-download hax0rs hit on 22 or nothing.
Indeed I think running ssh on a non-standard port is one of the best pseudo-security measures you can take. I've not had a single attack on my real ssh port ever since I took that step, now almost a year ago. It's not like real security obviously, because a human that knows what (s)he's doing can easily avoid it. But with all the kiddies never even reaching the logs, this attack will stand out like a beacon.



Quote:
Originally Posted by catworld
God forbid one of them discovers grep...
Aw! Do you think it's time to start negotiating terms of surrender?? If teh Üb3r proCr@xXx0rz read the grep man page, we might as well give up.
 
Old 01-23-2009, 12:24 PM   #19
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158Reputation: 158
Quote:
Originally Posted by catworld View Post
I've never seen any attempt to crack secure shell.
What's your public IP? LOL...j/k!
 
Old 01-23-2009, 12:42 PM   #20
catworld
Member
 
Registered: Nov 2004
Location: Horseheads, New York
Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack & etc...
Posts: 198

Rep: Reputation: 36


It's bad enough Yahoo groups lost my email address to the spammers...
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
printing pattern match and not whole line that matches pattern Avatar33 Programming 13 05-06-2009 06:17 AM
replace a text pattern with the reverse of another text pattern lothario Linux - Software 5 07-25-2008 02:43 PM
XML Pattern Ellops Programming 0 04-18-2006 10:59 AM
strange, strange alsa problem: sound is grainy/pixellated? fenderman11111 Linux - Software 1 11-01-2004 05:16 PM
Sound Issues with XMMS/ mpg123 strange (strange noises) thegreatbob Linux - Software 0 06-25-2004 03:18 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 10:42 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration