Slashdot Mirror

← Back to Stories (view on slashdot.org)

SSH Password Gropers Are Now Trying High Ports

Posted by timothy on from the for-higher-love dept.

badger.foo writes "You thought you had successfully avoided the tiresome password guessing bots groping at your SSH service by moving the service to a non-standard port? It seems security by obscurity has lost the game once more. We're now seeing ssh bruteforce attempts hitting other ports too, Peter Hansteen writes in his latest column." For others keeping track, have you seen many such attempts?

6 of 349 comments (clear)

  1. Use random IPv6 from a /64 range by Anonymous Coward · · Score: 4, Interesting

    Typically server hosting with ipv6 will assign a /64 range to each box. Assign your ssh port to a randomly generated address somewhere i the range (2**64 addresses) and port scanning will never find it.

  2. Re:No by SuricouRaven · · Score: 4, Interesting

    It's not for security.

    It's to stop the script kiddies of the internet wasting your bandwidth and cluttering your logs with thousands upon thousands of rejection messages in their futile attempts to gain access. They can't get in, but their efforts are annoying.

  3. Dumbass parroting. by Anonymous Coward · · Score: 5, Interesting

    It seems security by obscurity has lost the game once more.

    How, exactly?

    By ensuring the vast majority of brute force attacks - which hit port 22 - fail?

    Security isn't fucking binary, and obscurity is a perfectly valid layer of the onion.

    1. Re:Dumbass parroting. by astralagos · · Score: 5, Interesting
      Security through obscurity is one of the most spectacularly misunderstood concepts in information security, partly because it's gotten confused with open source politics. The core concept behind it (Kerckhoffs' principle) is best stated as "assume that the enemy knows your system as well as you do". In cryptosystems this means that the secret is a controlled and limited entity - the key. The key must -still- be hidden and controlled, but Kerckhoff's principle ensures that you have only one thing to have to control. Various federal agencies used to, for example, assume that the first version of any cryptosystem they sold would be bought by Moscow and rapidly analyzed.

      Well and good, but all any security implementation buys you is *time*. The real problem with StO is that the time it buys you is unpredictable, and in Kerckhoffs' era of large and slow system upgrades, it might take years to update a cryptosystem once it was broken. Malware authors have happily used StO for years -- for example, evading detection mechanisms by using a number of off the shelf packers in sequence. The approach works because they replace their malware faster than anyone figures out the packing sequence. The windtalkers during WWII were a security through obscurity approach, and it worked fine for the duration of the war, but would have gone horribly in the next one.

      Now, what we're dealing with here is network defense, which isn't crypto. In network defense, creative lying is enormously helpful because you can use it to differentiate between your ignorant attackers and knowledgeable members of the community. The majority of attackers scan horizontally (all hosts on a fixed number of ports) rather than vertically (all ports on a number of hosts) because vertical scanning is a waste of time. Most attackers normally hit 9-10 ports and then move onto the next potential target -- they don't see the network in terms of what the hosts *are*, just what they can *exploit*. Moving SSH to a random port means that the attacker now has to spend 6000x the effort to figure out of there's anything on the host he cares about, and he's probably not going to bother when there are nice sysadmins out there happy to put everything on port 22 (as always, I don't have to outrun the bear. I just have to outrun you.) Copy it with some aggressive port blocking (like port 22) or a threshold random walk scan detector and you've got a perfectly fine way to ignore idiots. It's also worth noting that the mentioned port is 2222, which tends to be "stupid port manipulation rule #2" among folks (the other one being to add 1 in front of the port numbers, I can't tell you how fascinating it was to watch port 16888 the first time we blocked bittorrent).

  4. Re:Low Hanging Fruit by bcmm · · Score: 4, Interesting

    And the bots are REALLY stupid. I have more than one internet-connected machine with a key-only sshd open to the internet, and, infuriatingly, they try to brute-force it anyway. That is, even though they don't even get a chance to offer a password, they still make multiple attempts to connect...

    --
    # cat /dev/mem | strings | grep -i llama
    Damn, my RAM is full of llamas.
  5. Very few by PktLoss · · Score: 4, Interesting

    We're running a network of 80+ servers around the world (https://wonderproxy.com).

    We've moved in stages getting things off standard ports.

    Whole network standard - several hundred attempts per day
    a few standard, rest on non-standard ports - tens of attacks per day
    all non-standard ports - 0-5 attacks per day.

    It's been worth doing just for the reduced reporting volume in our status systems.

    --
    paul reinheimer