[NCLUG] Distributed attack
Sean Reifschneider
jafo at tummy.com
Thu Oct 1 14:47:39 MDT 2009

On 10/01/2009 01:54 PM, grant at amadensor.com wrote:
> Mine has gone from a few a day to hundreds per hour, if not hundreds per
> minute. The interesting things are how much it has increased, and the

As we mentioned in the SSH presentation last month, move your SSH server to
a non-standard port:

guin:Documents$ echo $[RANDOM%1024]
708
guin:Documents$ grep 708/ /etc/services
gat-lmd 1708/tcp # gat-lmd
gat-lmd 1708/udp # gat-lmd
banyan-net 2708/tcp # Banyan-Net
banyan-net 2708/udp # Banyan-Net
sun-as-iiops 3708/tcp # Sun App Svr - Naming
sun-as-iiops 3708/udp # Sun App Svr - Naming
scinet 7708/tcp # scientia.net
scinet 7708/udp # scientia.net
guin:Documents$ sudo fuser -n tcp 708
zsh: exit 1 sudo fuser -n tcp 708
guin:Documents$

The above finds a random port and checks to see if it's in use. In the
above case it's not in use and it's not reserved for anything.

Then modify your /etc/ssh/sshd_config to change the port.

Change your firewall to allow it.

Add entries to the ~/.ssh/config files that you connect to this host from
so that you don't always have to type in the port number.

It is very easy for attackers to find out what port you have moved it to,
but I've been running on a non-standard port since 1996 and it has made
this a non-issue for my systems.

Sean
--
Sean Reifschneider, Member of Technical Staff <jafo at tummy.com>
tummy.com, ltd. - Linux Consulting since 1995: Ask me about High Availability
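
The port-selection steps in the message above, as an added example that is not part of the original post: `grep 708/` also matches 1708/tcp, 2708/tcp and so on, so this version compares the whole port/protocol field and retries until it finds a port below 1024 with no registry entry. The function names, the sample registry and the host alias `myserver.example.com` are assumptions; the in-use check with `fuser` still has to be run on the real host.

```shell
#!/bin/sh
# Added example: choose a port below 1024 for sshd, using an exact-match
# check against a services registry instead of a substring grep.

# Succeeds if PORT ($1) is registered for tcp or udp in SERVICES_FILE ($2).
# Compares the whole "port/proto" field, so 708 does not match 1708/tcp.
port_is_registered() {
    awk -v p="$1" '
        $1 ~ /^#/ { next }                      # skip comment lines
        $2 == (p "/tcp") || $2 == (p "/udp") { found = 1 }
        END { exit !found }' "$2"
}

# Prints a random port in 1..1023 that has no entry in SERVICES_FILE ($1).
pick_port() {
    while :; do
        n=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
        port=$(( n % 1023 + 1 ))
        port_is_registered "$port" "$1" || { echo "$port"; return 0; }
    done
}

# Prints the server and client settings for PORT ($1); HOST ($2) is the
# alias used on the client side (hypothetical name in the demo below).
emit_config() {
    printf '# /etc/ssh/sshd_config\nPort %s\n\n' "$1"
    printf '# ~/.ssh/config\nHost %s\n    Port %s\n' "$2" "$1"
}

# Constructed sample registry (not a real /etc/services).
sample=$(mktemp)
cat > "$sample" <<'EOF'
ssh             22/tcp
gat-lmd         1708/tcp    # gat-lmd
gat-lmd         1708/udp    # gat-lmd
EOF

emit_config "$(pick_port "$sample")" myserver.example.com
rm -f "$sample"
```

On a real system, pass `/etc/services` to `pick_port` instead of the sample file.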