Shinobi59
You have a valid point, but if your a traveling joe whom uses coffee shop / internet cafe machines key exchange is pointless because your locked out. In that case you would have a laptop, but if your a student that uses one of many mchines in the college library to access your shell account via putty you are definately screwed. Security is only as strong as the weakest link, define your needs and compromise.
Sincerely,

Wanker
Stephnet's Administrator

Yes -Stephnet is correct and to follow up on the logic for the services port change - the worm is checking for ssh logins on the default port 22. When it find a computer running ssh it uses a dictionary attack on uid's at the login prompt. If ssh is not running on port 22 then the worm never even gets a login prompt and the worm is useless. At this point all you have to worry about is an individual taking the time to manually attack you.

Ok.

Understand the point of changing the standard port for SSH as a mitigation for Worm attacks.

How would connecting from a coffee shop or Internet cafe prevent an asymmetric key exchange?

I've never actually used a connection from either of these?

I was refering to the file /etc/services.... why would I go for changing the pair service port<->service name defined in the file to the new port? I miss the benefit here

and as a "BTW" included the command above for Redhat, no question here.

BTW: Stephnet use edit when posting after posting?!

Ok, I do use edit when editing the post that I just posted. Unfortunately, when you edit your post, it sends out a new email as well. I have noticed that I receive two emails on the post, one is the original and the other the edited version. Sorry, if you receive two emails on my posts.
Thanks again,
Wanker

RE: I was refering to the file /etc/services.... why would I go for changing the pair service port<->service name defined in the file to the new port? I miss the benefit here

Hrm, so what your asking is why change the port that sshd listens on when all you have to do is forward whatever port to port 22 on your shell server?

OK: First off, I do stuff the hard way. At least that's what everyone says, heh. Here is an excerp from my firewall script.
$IPTABLES -A INPUT -i $INTIF -d $INTIP -p tcp --dport 52320 -j ACCEPT
Then the Nat Table
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 52320 -j DNAT --to-destination $SHELLSERVER
Also, here's an excerp from sshd_config.

CheckHostIP yes
IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_dsa
Port 52320
Protocol 2

--------------------------------

First off, it doesn't matter how you do it like in mathematics for example ( Problem = (10 - 5) = 5 ) Below is how I would have worked this out.
Solution = (start at 5 and count up to 10) = 5 The answer came from addition for a subtraction problem, so to speak.

Just as long as you get the job done, it doesn't matter how you do work it out, As Long As It's RIGHT in the end

Here's My Reason for doing it this way.
1. Takes less time to do.
2. I really don't care how it's done, the end result is still the same.
3. Unless you are in love with port 22, you can change it. (It can be done)
4. All I had to do was change port numbers in both files (sshd_config and iptables script)
5. No writing a line or two extra in the iptables script, just changed port numbers in the already exsisting file.

The DOWNSIDE:
when you ssh into whatever server it will be on whatever port you set it to, like this would be me.
ssh username@my-server.my-domain -p 52320 ( poof! Login)
It's that simple, but I do run a terminal launcher with those configs already set, I click the icon and get a prompt.

Now: if you are a true linux geek that bounces from one machine to the next via terminal ( reading logs, ect.. whatever)
then this may not be an option for you, but if you want simplicity it's all in how you setup X and your desktop preferences.

BTW: I'm not saying you have to use this option ( /me doesn't take any responsibility for anyone's actions but his own )
Yes, I'm a irc geek with the /me reference

No, my question was why after changing the port in /etc/ssh/sshd_config, I should change the port in /etc/services also? (as someone suggested above as necessary)

no, you don't need to do that...

Johnny,
I surely do apologize for the misunderstanding on my part.
I agree with Win32SUX "major ballz", there is no reason you should need to do that. Changing sshd_config is all you have to do, it just works. Now maybe it was a recommendation for logging purposes, but even that no reason because you have auth.log that tells you the login information and the attemps. I'm unclear on why someone recommended this to you?
When in doubt, read the man pages. "man services"
Sincerely,
Wanker

I know denying root login over ssh is needed, but since you can still SU to root after gaining entry with an ordinary user, isn't that just as bad? Or does it simply stop some automated scripts from getting in?

The reason disabling root logins is recommended is to make bruteforce attempts *significantly* more complex. Normally to gain access you'd need to guess both a username *and* its corresponding password. If root is allowed to login remotely, then an attacker already knows 1/2 of the equation required to access the most powerfull account on the system and can just hammer-away with password guesses.

Here is My sshd_config

Port xxxxx

AddressFamily inet

Protocol 2

# http://blog.thomas-falkner.de/2007/09/25/ssh-absichern/

PubKeyAuthentication yes
RSAAuthentication yes
RhostsRSAAuthentication no
HostbasedAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
AuthorizedKeysFile %h/.ssh/authorized_keys

#PasswordAuthentication no
#UsePAM no
PasswordAuthentication yes

PermitRootLogin no

DenyUsers root admin guest test user info bin daemon adm lp sync shutdown halt mail news uucp operator games ftp smmsp mysql rpc sshd nobody apache www wwwrun httpd irc "plus normal users"

AllowUsers someuser
# Only Number Adress works
# someuser@213.244.239.57 someuser@192.168.1.35

DenyGroups root daemon sys adm disk floppy dialout tape video bin lp mem kmem tty floppy mail news uucp man games slocate utmp smmsp mysql
rpc sshd shadow ftp nogroup console xcdwriter

AllowGroups somegroup
# users wheel

LoginGraceTime 2m
StrictModes yes
MaxAuthTries 6

# http://gentoo-wiki.com/TIP_SSH_Reverse_Tunnel

TCPKeepAlive no
ClientAliveInterval 30
ClientAliveCountMax 99999

/etc/hosts.denny
#ALL: ALL
#ALL: ALL EXCEPT KNOWN
#sshd: ALL
#sshd: ALL EXCEPT KNOWN
sshd: UNKNOWN

ALL: 207.158.0.0/18 : deny

sshd: .cn, .cn.net, .cn.com, .jp, .jp.com

# DenyHosts: Sun Jul 13 00:38:06 2008 | ALL: 11-37.76-83.cust.bluewin.ch
ALL: 11-37.76-83.cust.bluewin.ch
# DenyHosts: Sun Jul 13 00:38:06 2008 | ALL: 185-25.77-83.cust.bluewin.ch
ALL: 185-25.77-83.cust.bluewin.ch

A Script for failed login

ssh-attack
#!/bin/sh
grep "Failed" /var/log/auth.log
#grep "Failed" /var/log/auth.log | sed "s/.*for\( invalid user\)*\(.*\)\(from.*\)/\2/" | sort | uniq -c


someuser is not normal User, only a virtual User in wheel Group for root login.


Secure someuser Folder
chmod 0700 ~
chmod 0700 ~/.ssh

cd ~/.ssh
ls -l

-rw------- 1 someuser somegroup 1807 2008-06-07 23:16 authorized_keys
-rw------- 1 someuser somegroup 1807 2008-06-07 23:16 authorized_keys-00
-rw------- 1 someuser somegroup 744 2008-05-05 12:09 id_dsa
-rw-r--r-- 1 someuser somegroup 604 2008-05-05 12:09 id_dsa.pub
-rw-r--r-- 1 someuser somegroup 1892 2008-07-13 00:36 known_hosts

I don't have any attack.

Regards Smartnow

johnnydangerous - the reason is that the /etc/services file maps a port to a service name to ease the strain of excessive numbers on the poor human mind. You will find that often in logs an application will reference the /etc/service name for the port instead of the actual port. This is done to make things more readable for human beings. Firewall apps, routers and such often reference the service port by it's name rather then the port - so it will say "ssh" instead of 22 or "http" instead of 80. It cuts down on errors. Yes it's certainly not necessary to modify this file but it is in good keeping with the design of your nix OS and many other apps.

Hope this answers your question.

mossy

Smartnow - this tread was from '06 so not even sure if the worm is around anymore. However I will say that If it's died -- there will most likely be other similar worms in the future. It's still a good practice to run secure services on non standard ports IF they are externally facing. It stops simple script attacks (and probably some manual attacks) with minimal effort.


mossy

I think this thread was made into a sticky thread because of the amount of questions people had regarding blocking such activity. If you look at the date of the first post and the date of the last (even factoring out Smartnow's post), you'll see that there's a very broad timespan of posts. It doesn't mean the thread is dead, though.

Also, there has never really been an SSH-based worm, so I don't know what you're referring to.

[EDIT - I just noticed that this isn't the actual sticky thread...my bad]