Comments on: 2 SSH Brute-Force-Attack Countermeasures

By: Email Content Security

Email Content Security — Tue, 02 Jun 2009 05:01:03 +0000

Email Content Security...

Keep 'em coming :)...

By: m-p{3}

m-p{3} — Wed, 10 Dec 2008 12:32:20 +0000

I already use a different port (443) and it works very well so far, no failed logins (except mine..) in the logs. I should consider using keys, but I’d like to use it simultaneously with a password, to make it more like a two-factors authentication. We learn something new everyday :)

By: m-p{3}

m-p{3} — Wed, 10 Dec 2008 12:32:00 +0000

By: double oh

double oh — Tue, 09 Dec 2008 19:54:25 +0000

since this is tagged security by obscurity, i’ll let it pass.

By: double oh

double oh — Tue, 09 Dec 2008 19:54:00 +0000

since this is tagged security by obscurity, i’ll let it pass.

By: bob schäfer

bob schäfer — Tue, 09 Dec 2008 19:22:25 +0000

great observation. the real trifecta is obscure port + keys only + only from restricted addresses, but honestly, i've had boxes in hostile networks for almost a decade and they all run with ssh on some ephemeral port and there's simply never failed attempts in my logs.

hopefully, people will harken to your advice.

By: bob schäfer

bob schäfer — Tue, 09 Dec 2008 19:22:00 +0000

hopefully, people will harken to your advice.

By: Brett Dreher

Brett Dreher — Tue, 09 Dec 2008 18:43:53 +0000

Don't you feel you should mention that if you have multiple machines if you allow only key based authentication without a password that say once your key gets cracked, like this past year with the Debian issue, that someone will now have full access to your entire network without even using a single password?

Passwords are not poor security practice if you use secure ones and rotate them sufficiently.

Couldn't agree more on changing the ssh port, a decent option is that you set two ports for ssh on your machine, the default and an open one (say 22 and 24). Simply have your firewall only forward port 24 to the machine and it will save you from having to append the port number when you would like to access the machine from other local ones.

By: Brett Dreher

Brett Dreher — Tue, 09 Dec 2008 18:43:00 +0000

Passwords are not poor security practice if you use secure ones and rotate them sufficiently.

By: Daniel Miessler

Daniel Miessler — Tue, 09 Dec 2008 16:05:43 +0000

nerfed,

Denyhosts is being bypassed by this; that's the whole point of the story. They don't care if you deny one IP or 100; they have thousands to try from. See?

By: Daniel Miessler

Daniel Miessler — Tue, 09 Dec 2008 16:05:00 +0000

nerfed,

Denyhosts is being bypassed by this; that's the whole point of the story. They don't care if you deny one IP or 100; they have thousands to try from. See?

By: nerfed

nerfed — Tue, 09 Dec 2008 16:01:04 +0000

I use Denyhosts (http://denyhosts.sourceforge.net/) on several production machines. It’s a small python script that drops IP’s of hosts into /etc/hosts.deny that try to brute force. You can set the threshold.

By: nerfed

nerfed — Tue, 09 Dec 2008 16:01:00 +0000