DaemonForums  

#1
17th February 2013
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,135
Thanked 182 Times in 149 Posts

There's No Protection In High Ports Anymore, Son. If Indeed There Ever Was.

In http://bsdly.blogspot.ca/2013/02/the...igh-ports.html Peter Hansteen reports on SSH probes on ports other than the standard port 22.

There is also a discussion at Slashdot.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

#2
17th February 2013
asemisldkfj
Fdisk Soldier
Join Date: Aug 2008
Posts: 50
Thanked 1 Time in 1 Post

Non-standard SSH ports have always been a poor security measure and more of a pain in dealing with client configuration than they're worth. Public key auth FTW! PasswordAuthentication No is always one of the first edits I make to sshd_config.
__________________
chat.taucher.net #bsd

#3
18th February 2013
Ninguem
Shell Scout
Join Date: Jun 2011
Posts: 136
Thanked 0 Times in 0 Posts

1. Using the standard port of 22 is asking for trouble. Whenever I enable ssh, the port number for logging into will constantly be changed.
2. The password will constantly be changed.

Paranoia is good.
__________________
No signature

#4
18th February 2013
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 3,610
Thanked 214 Times in 189 Posts

Ninguem,

This is "security through obscurity" and only provides a false sense of security. And best practice is to replace passwords with a better authentication system, such as PKA with passphrases.

Last edited by jggimi; 18th February 2013 at 10:30 AM. Reason: typos.

#5
18th February 2013
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,135
Thanked 182 Times in 149 Posts

On the FreeBSD server I administer, I moved ssh to another port, only to get rid of those annoying messages in the log file.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

#6
19th February 2013
asemisldkfj
Fdisk Soldier
Join Date: Aug 2008
Posts: 50
Thanked 1 Time in 1 Post

Luckily I use SSH on such a small network that the authlog messages aren't too annoying, but FWIW it's fairly easy with pf to block traffic from hosts that complete too many TCP handshakes on port 22 in too short a window of time.

With these lines in pf.conf, if a host connects over port 22 more than three times in ten seconds they're added to the brutes table and any existing states involving that host are removed:

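Code:
# Table of offending source addresses; persist keeps it even when no rule refers to it
table <brutes> persist
# Drop all traffic from addresses already in the table
block quick from <brutes>
# Allow SSH, but put sources exceeding 3 connections per 10 seconds into <brutes> and flush all their states
pass in on egress inet proto tcp from any to (egress) port 22 keep state (max-src-conn-rate 3/10, overload <brutes> flush global)

Edit: relevant section of pf.conf man page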
__________________
chat.taucher.net #bsd

Last edited by asemisldkfj; 19th February 2013 at 01:57 AM. Reason: adding link
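
An added example, not part of the thread or of any poster's configuration: the Python below replays sshd connection lines through a strict sliding-window version of the 3/10 threshold from post #6, showing which sources such a rule would place in <brutes>. The log lines are constructed, the `Connection from` format assumes sshd running at LogLevel VERBOSE, and the function names and exact windowing are assumptions, since pf itself computes the connection rate as an approximate moving average.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines (not from the thread). "Connection from" is what
# sshd logs at LogLevel VERBOSE; addresses are documentation ranges.
SAMPLE_LOG = """\
Feb 18 03:14:01 gw sshd[4101]: Connection from 203.0.113.5 port 40112
Feb 18 03:14:02 gw sshd[4102]: Connection from 203.0.113.5 port 40118
Feb 18 03:14:03 gw sshd[4103]: Connection from 198.51.100.7 port 51002
Feb 18 03:14:04 gw sshd[4104]: Connection from 203.0.113.5 port 40125
Feb 18 03:14:06 gw sshd[4105]: Connection from 203.0.113.5 port 40131
Feb 18 03:14:20 gw sshd[4106]: Connection from 198.51.100.7 port 51040
Feb 18 03:14:40 gw sshd[4107]: Connection from 198.51.100.7 port 51077
Feb 18 03:14:41 gw sshd[4108]: Connection from 203.0.113.5 port 40140
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Connection from (\S+) port \d+"
)

def parse(log, year=2013):
    """Yield (datetime, source) for each sshd connection line, in file order."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog timestamps omit the year, so one is supplied
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)

def overloaded(events, limit=3, window=10):
    """Return {source: time added} for sources exceeding limit per window seconds."""
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    brutes = {}                   # stands in for the <brutes> table
    for ts, src in events:
        if src in brutes:         # 'block quick from <brutes>': already dropped
            continue
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window:
            q.popleft()           # forget connections older than the window
        if len(q) > limit:        # more than `limit` connections in `window` s
            brutes[src] = ts
    return brutes

if __name__ == "__main__":
    for src, when in overloaded(parse(SAMPLE_LOG)).items():
        print(f"{src} would be overloaded into <brutes> at {when:%H:%M:%S}")
```

Running it against a real auth log before tightening the numbers shows which legitimate clients (scripts opening many short sessions, for instance) would also trip the threshold.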

#7
19th February 2013
asemisldkfj
Fdisk Soldier
Join Date: Aug 2008
Posts: 50
Thanked 1 Time in 1 Post

There's also fail2ban, which according to this blog post can be integrated with pf with a little bit of manual configuration.
__________________
chat.taucher.net #bsd
Tags
ssh, ssh brute force attack, ssh hammering, ssh probes
