[geeks] SSH Scans Increasing
Sheldon T. Hall
shel at artell.net
Thu Aug 21 08:45:17 CDT 2008
Quoth Phil Stracchino ...
> Sheldon T. Hall wrote:
> > I got tired of the script-kiddies, too. I contemplated moving the SSH
> > service to a non-standard port, but this complicated access for one of my
> > primary remote-access users, so I couldn't. I whitelisted the secure
> > network he'd be calling from, and, for everyone else, I set up a kind of
> > ghetto portknocking arrangement. You'd hit a particular high-numbered port,
> > which grabbed your IP address but didn't reply, and a script kicked off by
> > the connection would put that IP address in the whitelist for the SSH port.
> > It was a bit of "security by obscurity" but it worked great.
>
> I was thinking of something along those lines. Connect to a specific
> port, send your SSH key fingerprint. If the fingerprint matches your
> public key already on the system, your IP is whitelisted.
>
> If I wanted to make it more secure, I'd make it "send your IP encrypted
> with your SSH key". If it can be decrypted with your ssh pubkey on
> record, and matches the IP you connected from, that IP is whitelisted.
I never went beyond the "hit port X, wait Y seconds, SSH in" bit. In the 2
years I had it set up that way, I had exactly zero probes of the "knock"
port, so I never felt the need to do more.
Of course, I was really only trying to keep the logs clean. I think SSH is,
or can be set up to be, quite secure. I wasn't worried about anyone getting
past the SSH key stuff.
One interesting sidelight, though. I twice got unauthorized SSH probes from
a large network near my home, reported both, and the reports resulted in
that network's security's being upgraded.
-Shel
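The knock-and-whitelist arrangement Shel describes, as an added example that is not code from the thread: a listener that records each knocker's source address without sending anything back, and a time-limited allowlist (the "wait Y seconds" window) that the firewall rule guarding the SSH port would consult. The knock port, the TTL and the sample addresses are assumed values.

```python
import socket
import threading
import time
from typing import Dict, Optional


class KnockAllowlist:
    """Source IPs that hit the knock port, each with an expiry (the 'wait Y seconds' window)."""

    def __init__(self, ttl_seconds: float = 60.0):
        self.ttl = ttl_seconds
        self._expiry: Dict[str, float] = {}
        self._lock = threading.Lock()

    def record(self, ip: str, now: Optional[float] = None) -> float:
        """Whitelist ip until now + ttl; returns the expiry timestamp."""
        now = time.time() if now is None else now
        with self._lock:
            self._expiry[ip] = now + self.ttl
            return self._expiry[ip]

    def is_allowed(self, ip: str, now: Optional[float] = None) -> bool:
        """True while the knock window is open; stale entries are dropped on lookup."""
        now = time.time() if now is None else now
        with self._lock:
            exp = self._expiry.get(ip)
            if exp is None:
                return False
            if now >= exp:
                del self._expiry[ip]
                return False
            return True


def handle_knock(conn: socket.socket, peer_ip: str, allowlist: KnockAllowlist) -> str:
    """Record the knocker's IP and close without writing a byte, so a scanner learns nothing."""
    try:
        allowlist.record(peer_ip)
    finally:
        conn.close()
    return peer_ip


def serve_knocks(port: int, allowlist: KnockAllowlist, bind_addr: str = "0.0.0.0") -> None:
    """Listen on the knock port; every completed connection only records its source address."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen(16)
        while True:
            conn, (peer_ip, _) = srv.accept()
            handle_knock(conn, peer_ip, allowlist)


if __name__ == "__main__":
    # Assumed knock port and window; the SSH firewall rule would call is_allowed() for each source.
    serve_knocks(47000, KnockAllowlist(ttl_seconds=30))
```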