[rescue] SSH functionality ::WAS::::::::Re: Sun V240
Mouse
mouse at Rodents-Montreal.ORG
Wed Nov 1 20:05:57 CDT 2017
>> Running ssh on a non-standard port is the easiest way to cut out 99%
>> of the logfile noise from bots and scanners. [...]
> It's the easiest, but the least fun.
Agreed. :-)
>> Finally, on the more complex end, you could implement a simple
>> authorization scheme that manipulates firewall rules on the fly. In
>> one case, a webserver was running on the same machine already so I
>> wrote a simple CGI script [...]
> That's a pretty elegant solution, to be honest.
Well, I'd hesitate to call anything depending on a webserver "elegant",
but otherwise, yeah.
In my case, I have my ssh daemon watching for a particular detail of
the protocol; client connections not configured to present that bit of
magic (a) get stuck in an environment in which there are no host keys
at all and thus kex can never succeed, so they never even get a chance
to try to authenticate, and (b) get blacklisted by IP at my border
router for 24 hours. (The latter meaning they don't get to rattle any
of my other doorknobs.) There are a few other doorknob-rattling
behaviours that will also get an IP blacklisted - and sending me
anything at all while blacklisted restarts the 24h timer. (For those
interested in such trivia, the blacklist is cruising at about 2500 IPs
these days. Historically, it's spiked as high as about 6500, back on
2016-11-07, though I think the details of my defenses were different
then so I'm not sure how comparable the numbers are.)
I'm being deliberately vague about the magic detail; not that my
security depends on it - even clients that do pass that test still need
to authenticate, and my servers are configured to never support
password authentication - but it greatly reduces the noise in my logs.
/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                mouse at rodents-montreal.org
/ \ Email!           7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
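The blacklist policy described in this message (an IP that rattles doorknobs is blocked at the border for 24 hours, and anything at all sent while blocked restarts the 24h timer) modelled as a small Python event simulation. This is an added example, not code from the post or from Mouse's actual router setup: the IP addresses and timestamps are constructed, and because the post deliberately does not say which protocol detail marks a client as "not presenting the magic", that decision is taken as an opaque boolean input rather than implemented.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

BAN_DURATION = timedelta(hours=24)


@dataclass(frozen=True)
class Event:
    """One packet/connection seen at the border (constructed sample data)."""
    when: datetime
    ip: str
    rattling: bool  # True if the connection counts as doorknob-rattling
    # (e.g. an ssh client lacking the expected detail); the test itself is
    # an assumption here, the post does not specify it.


class Blacklist:
    """Sliding 24h IP blacklist: any contact from a listed IP restarts its timer."""

    def __init__(self, duration=BAN_DURATION):
        self.duration = duration
        self._expires = {}  # ip -> datetime at which the entry lapses

    def _expire(self, now):
        # Drop entries whose timer has run out; call with non-decreasing 'now'.
        for ip in [ip for ip, exp in self._expires.items() if exp <= now]:
            del self._expires[ip]

    def is_blocked(self, ip, now):
        self._expire(now)
        return ip in self._expires

    def observe(self, ev):
        """Process one event; return True if the border should drop it."""
        self._expire(ev.when)
        if ev.ip in self._expires:
            # Already listed: any traffic at all restarts the 24h timer.
            self._expires[ev.ip] = ev.when + self.duration
            return True
        if ev.rattling:
            # First offence: list the IP for the full duration.
            self._expires[ev.ip] = ev.when + self.duration
            return True
        return False  # well-behaved traffic passes to sshd (which still authenticates)

    def size(self, now):
        self._expire(now)
        return len(self._expires)


def run_sample():
    """Replay a constructed timeline and report what the policy does."""
    t0 = datetime(2017, 11, 1, 20, 0)
    events = [
        Event(t0, "192.0.2.10", True),                          # scanner probes: listed until t0+24h
        Event(t0 + timedelta(hours=1), "192.0.2.10", False),    # contacts again: timer restarts (t0+25h)
        Event(t0 + timedelta(hours=2), "198.51.100.7", False),  # ordinary client: not listed
        Event(t0 + timedelta(hours=3), "203.0.113.5", True),    # second scanner: listed until t0+27h
    ]
    bl = Blacklist()
    dropped = [bl.observe(e) for e in events]
    return {
        "dropped": dropped,
        # Without the restart the first scanner would have lapsed at exactly t0+24h.
        "scanner_still_blocked_at_24h": bl.is_blocked("192.0.2.10", t0 + timedelta(hours=24)),
        "active_at_24h": bl.size(t0 + timedelta(hours=24)),
        "active_at_26h": bl.size(t0 + timedelta(hours=26)),
        "active_at_28h": bl.size(t0 + timedelta(hours=28)),
    }


if __name__ == "__main__":
    for k, v in run_sample().items():
        print(f"{k}: {v}")
```

The point the model makes visible is the timer restart: a scanner that keeps retrying while listed never ages out, which is why the list stays large, while a quiet IP drops off after exactly one duration. In a real deployment the `observe` decision would drive a firewall rule set rather than a dictionary.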