[geeks] SSH Scans Increasing

Joshua Boyd jdboyd at jdboyd.net
Thu Aug 21 11:20:56 CDT 2008


On Thu, Aug 21, 2008 at 02:39:30PM +0200, Sheldon T. Hall wrote:
> Phil Stracchino said ...
> 
> > I haven't seen it.  But then, I got so sick of ssh-dictionary-scanning
> > scriptkiddies filling up my logs day after day, week after week, month
> > after month, and have so few non-local users, that I implemented a
> > whitelist-only pf rule for SSH and FTP connections.
> > 
> > Currently I'm pondering the best means to allow users with existing
> > accounts and known SSH keys to remotely authorize new IPs for 
> > themselves.
> 
> I got tired of the script-kiddies, too.  I contemplated moving the SSH
> service to a non-standard port, but this complicated access for one of my
> primary remote-access users, so I couldn't.  I whitelisted the secure
> network he'd be calling from, and, for everyone else, I set up a kind of
> ghetto portknocking arrangement.  You'd hit a particular high-numbered port,
> which grabbed your IP address but didn't reply, and a script kicked off by
> the connection would put that IP address in the whitelist for the SSH port.
> It was a bit of "security by obscurity" but it worked great.

Wouldn't it be a bit simpler to just run ssh on 2 ports, 22 with a
whitelist and something else without, rather than port knocking?
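A pf.conf fragment showing how the two-port arrangement could look (an added example, not a configuration from anyone in this thread): port 22 is whitelist-only, while an assumed alternate port 2222 is open to everyone but rate-limited so dictionary scanners are tabled automatically. The interface name and the addresses are constructed for the example.

```pf
# Added example, not from the thread. Interface "em0", port 2222 and the
# whitelist addresses are assumptions; adjust to the real host.
ext_if = "em0"
alt_ssh = "2222"

# Known-good source addresses (constructed sample values).
table <ssh_whitelist> persist { 192.0.2.10, 198.51.100.0/24 }
# Sources that tripped the rate limit below. Entries can be aged out with:
#   pfctl -t ssh_bruteforce -T expire 86400
table <ssh_bruteforce> persist

# Drop anything from a known scanner before evaluating the pass rules.
block in quick on $ext_if proto tcp from <ssh_bruteforce> to port { 22, $alt_ssh }

# Port 22: only whitelisted sources get through.
pass in on $ext_if proto tcp from <ssh_whitelist> to port 22 keep state

# Alternate port: open to all, but more than 5 new connections in 30 s from
# one source puts it in <ssh_bruteforce> and tears down its existing states.
pass in on $ext_if proto tcp to port $alt_ssh keep state \
    (max-src-conn-rate 5/30, overload <ssh_bruteforce> flush global)
```

sshd itself needs two `Port` lines in sshd_config (`Port 22` and `Port 2222`) so it listens on both; with a blocking rule like this, failed-login noise in the logs stops after the fifth attempt from any one source.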
