Slashdot Mirror


User: jon3k

jon3k's activity in the archive.

Stories
0
Comments
2,984

Comments · 2,984

  1. Re:This is just a reminder. on Why Broadband In North America Is Not That Slow · · Score: 1

    By what metric? Link to your sources?

  2. Re:This is just a reminder. on Why Broadband In North America Is Not That Slow · · Score: 1, Insightful

    You can get 100mb/s DOCSIS 3.0 cable in New York and there are dozens of metro-ethernet providers. You can get fiber from Verizon FiOS in many major markets. The problem is hauling this traffic via large fiber optic cables across a land mass the size of North America dramatically increases the cost per node to deploy services.

    We have dramatically different engineering challenges than European nations. Comparing the two is impossible.

  3. Re:Lock it down. on Coping With 1 Million SSH Authentication Failures? · · Score: 1

    "Don't bother changing it to some random port, security through obscurity is total bullshit in this age of port scanners."

    You're clearly very uninformed on the actual threat. 99%+ of these attacks are automated attacks from botnets. There's no port scanning; it's a waste of resources for them. They just attempt to log in via port 22 using a few dozen default passwords and move on.

  4. Re:Move to a higher order port and use denyhosts on Coping With 1 Million SSH Authentication Failures? · · Score: 1

    This has nothing to do with determined hackers. This is to filter out the 99.99999% of failed authentication attempts we're all seeing because of botnets.

  5. Re:Move to a higher order port and use denyhosts on Coping With 1 Million SSH Authentication Failures? · · Score: 2, Insightful

    You're missing the point. The goal of moving it is to stop the botnets. Now if you see failed attempts to login via SSH on port 12345 you know that it's a much more sophisticated directed attack on your host. Moving the port is more about filtering out the noise.

  6. Re:Move to a higher order port and use denyhosts on Coping With 1 Million SSH Authentication Failures? · · Score: 1

    ^ I keep trying to mod this +6 but it's not working

  7. Re:You are being brute-forced on Coping With 1 Million SSH Authentication Failures? · · Score: 1

    "First off, do not change your SSH port. It won't do a whole lot for you, and it will be more hassle than it works."

    Couldn't disagree more. If you were more familiar with these attacks you'd know that they are botnet driven brute force attempts that only use the default SSH port. And seriously, hassle? What hassle? Having to specify a port? Seriously? Are you kidding me? Anyone I know who's bright enough to use/need ssh access to a host is more than competent to specify a port number. We're talking 99.999999999% here.

  8. Re:fwknop on Coping With 1 Million SSH Authentication Failures? · · Score: 1

    "That is an exceptionally bad idea. You're simply increasing the complexity of the entire authentication system, without doing much more than requiring another password."

    It's a very small increase in complexity to _dramatically_ decrease the likelihood of a successful attack. It's just "moving ssh to another port" taken a step further.

  9. Something a little more advanced? on Coping With 1 Million SSH Authentication Failures? · · Score: 1

    Is there a piece of software similar to SSHGuard but, instead of adding local IPTables rules, can function in conjunction with a hardware firewall (e.g. Cisco ASA)? I'm thinking of a device inside the private network pulling logs off hosts in the DMZ and using the results to dynamically manage firewall denies.

  10. Re:Passwords? on Coping With 1 Million SSH Authentication Failures? · · Score: 1

    I have to assume by easier you mean using certificate-based authentication without passwords. This is bad. Not only is it harder to set up, but keys can be stolen easily and (very much due to) have to be moved from device to device. What you want is key + password; this is "Two Factor Authentication" - something you HAVE (the keyfile) and something you KNOW (the password).

  11. Re:use openvpn ? on Coping With 1 Million SSH Authentication Failures? · · Score: 1

    Why are you trying to use a hand grenade to kill a mosquito? Even if you add a device or piece of software to do VPN termination, all you've done is move the problem of brute force attacks there.

    There are half a dozen simple software and configuration options that solve this problem far better listed in the comments.

  12. Re:Hardware firewall or use bfd on Coping With 1 Million SSH Authentication Failures? · · Score: 1

    The reason we use VPNs is to tunnel services securely over another network (in this case, the Internet). If the only thing I need is a console session (obviously the case here) what do I gain by using VPN?

  13. Re:Ignore it? on Coping With 1 Million SSH Authentication Failures? · · Score: 1
  14. Re:Ignore it? on Coping With 1 Million SSH Authentication Failures? · · Score: 1

    Excellent analogy, I'm stealing this next time I try to explain this exact scenario.

  15. Re:Ignore it? on Coping With 1 Million SSH Authentication Failures? · · Score: 1

    "I also fail to see how anyone can maintain even a single password that they change every month, without some kind of system. Especially if it is a strong password, that takes some time&effort to remember."

    http://www.keepassx.org/

  16. Re:Exactly on Coping With 1 Million SSH Authentication Failures? · · Score: 1

    1 million attempts != 1 million attackers

    I see an average of about 40 attempts per attacker, so about 25,000 attackers per year. But the analogy is poor anyway. One of those is a physical location easily accessible by maybe a few hundred people. The second is an Internet based resource that can be accessed in a fraction of a second by a billion or so people around the world.

  17. Re:whatcouldposiblygowrong on Coping With 1 Million SSH Authentication Failures? · · Score: 1

    Except that we have probably 100:1 ratio of system admins to surgeons which means society pays faaaar more to employ sysadmins than surgeons. So when you look at the broad picture you are completely incorrect.

  18. Re:whatcouldposiblygowrong on Coping With 1 Million SSH Authentication Failures? · · Score: 1

    He didn't say he agrees with it. But he's right. There are a lot of instances where the loss of a human life had far fewer financial implications than a theft of some customer database. Sad but true.

  19. Re:the web is new on Coping With 1 Million SSH Authentication Failures? · · Score: 1

    Not entirely true. First of all "highly qualified" doesn't mean "good". It just means possibly a degree and paper certificates. To be an exceptional system admin takes 4+ years in college and 20+ years of practical experience and being an exceptionally bright individual. To be a surgeon just requires an 8 year medical degree. To be an exceptional surgeon I would assume requires a rare natural gift and/or a lifetime of work. But we're not arguing great doctor vs great system administrator.

  20. Re:fail2ban on Coping With 1 Million SSH Authentication Failures? · · Score: 1
  21. Re:fail2ban on Coping With 1 Million SSH Authentication Failures? · · Score: 1

    We know the number of attempts not the number of attackers. If you assume even a modest 10 attempts per IP address that number expands to one new attacker every 5 minutes. And 100 attempts per attacker comes to nearly 1 attacker per hour.

    "Banning attacking subnets is prone to knocking yourself out when people spoof the hell out of their packets."

    Most ISPs in the world are performing some form of source based filtering at this point. It's exceptionally difficult to spoof source addresses on the current-day Internet. It would be exceptionally difficult to constantly change addresses, even those available to be routed by the attacker's ISP, and from the attacks we're seeing these days, a non-issue. They're very unsophisticated brute force SSH attempts.

  22. Realistic Comparison - Tape vs Disk on Long-Term Storage of Moderately Large Datasets? · · Score: 1

    You can get an LTO4 internal drive for $2.5k (HP 1760 Ultrium) hooked to a cheap desktop PC; if you don't mind swapping the tapes yourself, about $3-3.5k total expenditure. The "enterprise-y" route would be $7-$9k if you want a robot to do the swapping for you (look at HP MLS2024 for example). And that will get you 2U with robot and I believe two 12 slot magazines, all LTO4. You can hook this up to a very inexpensive single socket server for around $2k. Then you've got media. LTO4 tapes are running around $40 for 800/1.6 tapes. Total solution that way, figure $9k-$11k.

    Now compared to disk I'd go with $180 2TB Seagate Barracuda drives for a reasonable option. Three of them give you 3.5+ TB of usable space per customer which meets your requirements with some breathing room. Now the important part - you need a server to put these drives in. So when you're comparing the cost of the infrastructure for tape, don't forget you need infrastructure for the RAID5-array-builder-machine-guy-thing.

    There are numerous other advantages for tape as well. Easy encryption, easy restores, less storage space, less likely to fail, etc etc etc. For me tape is a no-brainer.

  23. Re:Exactly. on Long-Term Storage of Moderately Large Datasets? · · Score: 1

    Absolutely, this is just silly. SAS is a fraction of the cost of fiber channel.

  24. Re:GMail Drive on Long-Term Storage of Moderately Large Datasets? · · Score: 1

    Don't forget gdocsfs

  25. Re:Exactly what you're doing on Long-Term Storage of Moderately Large Datasets? · · Score: 1

    Agreed. I'd like to know why tape is impractical for the original poster. There's a reason tape is the industry standard for long term data archival.