Silly Port Scans
What does surprise me is the sheer stupidity of the probes. 349 attempts in 15 minutes from one box at Datotel, all trying to ssh root on high ports. Ha! (Yes, I shared this with the @abuse contact for Datotel.) At least the probes routed through Taiwan and the PRC tried common-user-name attacks and gave up after a dozen failures.
I'd forgotten how amusing syslog could be.
14 Replies
I'm actually considering setting up a second sshd on 22, configured to refuse and log every connection. Some providers actually react to abuse@ emails, after all…
> Mar 27 09:06:48 xxx sshd[18874]: Failed password for harrypotter from 216.206.238.156 port 59938 ssh2
So that single administrator with 'harrypotter' on his box had better watch out.
On the other hand, that doesn't really help stop the logs from getting spammed with failed login attempts, so either fail2ban or a firewall rate-limiting rule for new SSH connections is still a good idea.
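A fail2ban-style check for the "Failed password" syslog lines quoted above, added here as an example (not code from anyone in the thread): it parses sshd log entries, flags any source that reaches 5 failures inside a 15-minute window, and tallies the usernames each source tried. The log lines and addresses below are constructed.

```python
import re
from collections import defaultdict, Counter
from datetime import datetime

# Matches the sshd syslog format quoted in the thread (with or without the
# "invalid user" prefix). Example code; sample lines below are constructed.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

SAMPLE_LOG = """\
Mar 27 09:06:48 xxx sshd[18874]: Failed password for harrypotter from 192.0.2.10 port 59938 ssh2
Mar 27 09:06:50 xxx sshd[18876]: Failed password for root from 192.0.2.10 port 59940 ssh2
Mar 27 09:06:51 xxx sshd[18878]: Failed password for invalid user admin from 192.0.2.10 port 59942 ssh2
Mar 27 09:06:53 xxx sshd[18880]: Failed password for invalid user cisco from 192.0.2.10 port 59944 ssh2
Mar 27 09:06:55 xxx sshd[18882]: Failed password for root from 192.0.2.10 port 59946 ssh2
Mar 27 09:07:01 xxx sshd[18884]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Mar 27 09:40:12 xxx sshd[18990]: Failed password for root from 203.0.113.5 port 51000 ssh2
Mar 27 09:40:20 xxx sshd[18992]: Failed password for admin from 203.0.113.5 port 51001 ssh2
"""

def parse_failures(log_text, year=2009):
    """Yield (timestamp, ip, user) for every failed-password line.
    Syslog omits the year, so the caller supplies one."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def find_brute_forcers(log_text, maxretry=5, window_seconds=900):
    """Return {ip: (total_failures, Counter of usernames)} for each source
    that produced maxretry failures within any window_seconds span."""
    by_ip = defaultdict(list)
    users = defaultdict(Counter)
    for ts, ip, user in parse_failures(log_text):
        by_ip[ip].append(ts)
        users[ip][user] += 1
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        # Sliding window: the i-th failure and the one (maxretry-1) before it
        # must lie within the window for the source to be flagged.
        for i in range(maxretry - 1, len(times)):
            if (times[i] - times[i - maxretry + 1]).total_seconds() <= window_seconds:
                flagged[ip] = (len(times), users[ip])
                break
    return flagged
```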
@rjp:
> Unless you have a real need for keyboard-interactive authentication, it's far better to go key-only. Good luck brute-forcing an RSA key!
> On the other hand, that doesn't really help stop the logs from getting spammed with failed login attempts, so either fail2ban or a firewall rate-limiting rule for new SSH connections is still a good idea.
Most bots are smart enough to look at the authentication methods and ignore the host if it doesn't offer keyboard-interactive. Why? Because they aren't getting in, so why waste the time?
That said, the single best thing you can do is simply change the port (and add two lines to ~/.ssh/config to make it transparent).
@kbrantley:
> That said, the single best thing you can do is simply change the port (and add two lines to ~/.ssh/config to make it transparent).
Can you tell me which lines you're talking about?
> Host mydomain.com
> Port 8947
@kbrantley:
> Host mydomain.com
> Port 8947
Ah, I see what you're saying, it's so you don't have to type the -p 8947 part.
Thanks.
I still see a very few scans daily on 443, but mostly for the same users every time - root, admin and cisco.
James
@zunzun:
> If you need to get out of a corporate firewall, use port 443 if it is available on your Linode. Several people at my office do this, works great.
> I still see a very few scans daily on 443, but mostly for the same users every time - root, admin and cisco.
> James
Even if you can't use SSH over 443, you can almost definitely tunnel SSH traffic via your proxy on port 443.
If you want to also run an HTTPS server, look into sslh: http://www.rutschle.net/tech/sslh.shtml
@mikeage:
> If you want to also run an HTTPS server, look into sslh: http://www.rutschle.net/tech/sslh.shtml
Very interesting – thanks for the tip.