Re: What's the strategy for bad guys guessing a few ssh passwords?

2017-06-13 Thread Tom Buskey
On Tue, Jun 13, 2017 at 12:39 PM, Joshua Judson Rosen <
roz...@hackerposse.com> wrote:

> On 06/12/2017 01:27 PM, Dan Coutu wrote:
> >> On Jun 12, 2017, at 13:15, Tom Buskey <t...@buskey.name> wrote:
> >>
> >> As Ted said in the 2nd sentence, it's running on a non-standard port.
> >> Yes, it helps a lot to reduce garbage in the logs.
>
> But adding liberal ignore rules into logcheck (or whatever) helps a lot
> with logspam ;)

That's probably a better solution to deal with log spam.


>
> >> Maybe it's not non-standard enough?
>
> Portscans are easy enough, especially using the new `horde of slow brutes'
> techniques from the 1990s I've always been impressed with how _few_
> of those I saw, and by the fact that moving services to nonstandard ports
> was as effective as it was at reducing the connection-attempts to those
> services.
>
> The whole "I have ssh on a secret port to secure it against attacks" thing
> has always seemed fundamentally bogus to me: the _premise_ of ssh itself is
>

Yes, security by obscurity.  Changing the port *is* like hiding the key
under a rock instead of the doormat.

Removing the identification sent back is similar.  I've configured a few
web servers to not reply Apache version x.y.z on OS...  Why make it easy to
figure out the proper exploit for your server?


> that you're supposed to be able to assume that the network is in fact
> extremely hostile--more hostile than any network where
> `hiding in a non-standard port' could ever be useful.
>

The only reason to put any service on a non-standard port is to force the
attackers to spend resources finding it.  In the days of botnets, they have
infinite resources to find and attack it.

It does remove those attackers w/o resources from attacking your service.
You could argue it's a layer to reduce the surface: you must have a port
scanning tool to attack.



Having the port closed except when in use would reduce the attack surface.
There are various ways to do this: open by time, only when another port is
contacted, after port knocking, only certain sources.

Back in the modem days, I had used a system that would dial you up at your
preregistered number after you called it from that number.



>
>
> >> On Mon, Jun 12, 2017 at 12:42 PM, Bruce Dawson <j...@codemeta.com> wrote:
> >>
> >> I have to second this suggestion - changing the port did wonders
> for our servers. Of course, as Dan says, it works
> >> for script kiddies, not so much against a determined attack on your
> server.
> >>
> >> --Bruce
> >>
> >>
> >> On 06/12/2017 09:59 AM, Dan Garthwaite wrote:
> >>> If you can change the port number it does wonders against the
> script kiddies.
> >>>
> >>> Just remember to add the new port, restart sshd, then remove the
> old port.  :)
> >>>
> >>> On Sun, Jun 11, 2017 at 1:53 PM, Ted Roche <tedro...@gmail.com> wrote:
> >>>
> >>> Thanks, all for the recommendations. I hadn't seen sshguard
> before;
> >>> I'll give that a try.
> >>>
> >>> I do have Fail2Ban in place, and have customized a number of
> scripts,
> >>> mostly for Apache (trying to invoke asp scripts on my LAMP
> server
> >>> results in instaban, for example) and it is what it reporting
> the ssh
> >>> login failures.
> >>>
> >>> I have always seen them, in the 10 years I've had this server
> running,
> >>> but the frequency, periodicity and international variety
> (usually
> >>> they're all China, Russian, Romania) seemed like there might be
> >>> something else going on.
> >>>
> >>> Be careful out there.
> >>>
> >>> On Sun, Jun 11, 2017 at 11:19 AM, Mark Komarinski <
> mkomarin...@wayga.org> wrote:
> >>> > sshguard is really good since it'll drop in a iptables rule
> to block an IP
> >>> > address after a number of attempts (and prevent knocking on
> other ports too).
> >>> >
> >>> > Yubikey as 2FA is pretty nice too.
> >>> >
> >>> >  Original message 
> >>> > From: Bruce Dawson <j...@codemeta.com>
> >>> > Date: 6/11/17 10:58 AM (GMT-05:00)
> >>> > To: gnhlu

Re: What's the strategy for bad guys guessing a few ssh passwords?

2017-06-13 Thread Dan Garthwaite
There is no security in obscurity - what changing the port offers is orders
of magnitude less noise in the logs.  If you or your tools never look at
the logs then it understandably doesn't matter one whit to you.  However if
you are trying to keep on top of things with log analyzers, OSSEC,
elasticsearch, etc, it is on the MUST DO list.

On Tue, Jun 13, 2017 at 12:39 PM, Joshua Judson Rosen <
roz...@hackerposse.com> wrote:

> On 06/12/2017 01:27 PM, Dan Coutu wrote:
> >> On Jun 12, 2017, at 13:15, Tom Buskey <t...@buskey.name> wrote:
> >>
> >> As Ted said in the 2nd sentence, it's running on a non-standard port.
> Yes, it helps a lot to reduce garbage in the logs.
> >
> > Insisting on the use of an ssh key instead of login credentials also
> helps a lot.
>
> Helps with the security, anyway; and not blacklisting based on
> source-address
> means that you'll never be locked out of your own server just because
> some machine at the hotel where you're staying is (or has been) part of
> the communist party^W^W^W a botnet.
>
> *Doesn't* help cut down on logspam. ;)
>
> But adding liberal ignore rules into logcheck (or whatever) helps a lot
> with logspam ;)
>
> I don't care about the probes of nonexistent accounts, for example;
> I just care about attempts on accounts that someone/something might
> actually
> be able to log into if they somehow got a compromised key;
> so I ignore attempts on nonexistent logins--and many usernames that do
> exist
> but aren't able to _log in_, and I explicitly monitor for things like
> attempts
> on my own specific username
>
> >> Maybe it's not non-standard enough?
>
> Portscans are easy enough, especially using the new `horde of slow brutes'
> techniques from the 1990s I've always been impressed with how _few_
> of those I saw, and by the fact that moving services to nonstandard ports
> was as effective as it was at reducing the connection-attempts to those
> services.
>
> The whole "I have ssh on a secret port to secure it against attacks" thing
> has always seemed fundamentally bogus to me: the _premise_ of ssh itself is
> that you're supposed to be able to assume that the network is in fact
> extremely hostile--more hostile than any network where
> `hiding in a non-standard port' could ever be useful.
>
>
> >> On Mon, Jun 12, 2017 at 12:42 PM, Bruce Dawson <j...@codemeta.com> wrote:
> >>
> >> I have to second this suggestion - changing the port did wonders
> for our servers. Of course, as Dan says, it works
> >> for script kiddies, not so much against a determined attack on your
> server.
> >>
> >> --Bruce
> >>
> >>
> >> On 06/12/2017 09:59 AM, Dan Garthwaite wrote:
> >>> If you can change the port number it does wonders against the
> script kiddies.
> >>>
> >>> Just remember to add the new port, restart sshd, then remove the
> old port.  :)
> >>>
> >>> On Sun, Jun 11, 2017 at 1:53 PM, Ted Roche <tedro...@gmail.com> wrote:
> >>>
> >>> Thanks, all for the recommendations. I hadn't seen sshguard
> before;
> >>> I'll give that a try.
> >>>
> >>> I do have Fail2Ban in place, and have customized a number of
> scripts,
> >>> mostly for Apache (trying to invoke asp scripts on my LAMP
> server
> >>> results in instaban, for example) and it is what it reporting
> the ssh
> >>> login failures.
> >>>
> >>> I have always seen them, in the 10 years I've had this server
> running,
> >>> but the frequency, periodicity and international variety
> (usually
> >>> they're all China, Russian, Romania) seemed like there might be
> >>> something else going on.
> >>>
> >>> Be careful out there.
> >>>
> >>> On Sun, Jun 11, 2017 at 11:19 AM, Mark Komarinski <
> mkomarin...@wayga.org> wrote:
> >>> > sshguard is really good since it'll drop in a iptables rule
> to block an IP
> >>> > address after a number of attempts (and prevent knocking on
> other ports too).
> >>> >
> >>> > Yubikey as 2FA is pretty nice too.
> >>> >
> >>> >  Original message 
> >>> > From: Bruce Dawson  j..

Re: What's the strategy for bad guys guessing a few ssh passwords?

2017-06-13 Thread Michael Kazin
>
>
> *Doesn't* help cut down on logspam. ;)
>
> But adding liberal ignore rules into logcheck (or whatever) helps a lot
> with logspam ;)
>
>
> >> Maybe it's not non-standard enough?


The combination of both of these reminded me of port knocking. Now that's
what I'd call a "non-standard port".
___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/


Re: What's the strategy for bad guys guessing a few ssh passwords?

2017-06-13 Thread Joshua Judson Rosen
On 06/12/2017 01:27 PM, Dan Coutu wrote:
>> On Jun 12, 2017, at 13:15, Tom Buskey <t...@buskey.name> wrote:
>>
>> As Ted said in the 2nd sentence, it's running on a non-standard port.  Yes, 
>> it helps a lot to reduce garbage in the logs.
>
> Insisting on the use of an ssh key instead of login credentials also helps a 
> lot.

Helps with the security, anyway; and not blacklisting based on source-address
means that you'll never be locked out of your own server just because
some machine at the hotel where you're staying is (or has been) part of
the communist party^W^W^W a botnet.

*Doesn't* help cut down on logspam. ;)

But adding liberal ignore rules into logcheck (or whatever) helps a lot with 
logspam ;)

I don't care about the probes of nonexistent accounts, for example;
I just care about attempts on accounts that someone/something might actually
be able to log into if they somehow got a compromised key;
so I ignore attempts on nonexistent logins--and many usernames that do exist
but aren't able to _log in_, and I explicitly monitor for things like attempts
on my own specific username

>> Maybe it's not non-standard enough?

Portscans are easy enough, especially using the new `horde of slow brutes'
techniques from the 1990s. I've always been impressed with how _few_
of those I saw, and by the fact that moving services to nonstandard ports
was as effective as it was at reducing the connection-attempts to those
services.

The whole "I have ssh on a secret port to secure it against attacks" thing
has always seemed fundamentally bogus to me: the _premise_ of ssh itself is
that you're supposed to be able to assume that the network is in fact
extremely hostile--more hostile than any network where
`hiding in a non-standard port' could ever be useful.


>> On Mon, Jun 12, 2017 at 12:42 PM, Bruce Dawson <j...@codemeta.com> wrote:
>>
>> I have to second this suggestion - changing the port did wonders for our 
>> servers. Of course, as Dan says, it works
>> for script kiddies, not so much against a determined attack on your 
>> server.
>>
>> --Bruce
>>
>>
>> On 06/12/2017 09:59 AM, Dan Garthwaite wrote:
>>> If you can change the port number it does wonders against the script 
>>> kiddies.
>>>
>>> Just remember to add the new port, restart sshd, then remove the old 
>>> port.  :)
>>>
>>> On Sun, Jun 11, 2017 at 1:53 PM, Ted Roche <tedro...@gmail.com> wrote:
>>>
>>> Thanks, all for the recommendations. I hadn't seen sshguard before;
>>> I'll give that a try.
>>>
>>> I do have Fail2Ban in place, and have customized a number of 
>>> scripts,
>>> mostly for Apache (trying to invoke asp scripts on my LAMP server
>>> results in instaban, for example) and it is what it reporting the 
>>> ssh
>>> login failures.
>>>
>>> I have always seen them, in the 10 years I've had this server 
>>> running,
>>> but the frequency, periodicity and international variety (usually
>>> they're all China, Russian, Romania) seemed like there might be
>>> something else going on.
>>>
>>> Be careful out there.
>>>
>>> On Sun, Jun 11, 2017 at 11:19 AM, Mark Komarinski 
>>> <mkomarin...@wayga.org> wrote:
>>> > sshguard is really good since it'll drop in a iptables rule to 
>>> block an IP
>>> > address after a number of attempts (and prevent knocking on other 
>>> ports too).
>>> >
>>> > Yubikey as 2FA is pretty nice too.
>>> >
>>> >  Original message 
>>> > From: Bruce Dawson <j...@codemeta.com>
>>> > Date: 6/11/17 10:58 AM (GMT-05:00)
>>> > To: gnhlug-discuss@mail.gnhlug.org 
>>> <mailto:gnhlug-discuss@mail.gnhlug.org>
>>> > Subject: Re: What's the strategy for bad guys guessing a few ssh 
>>> passwords?
>>> >
>>> > sshguard takes care of most of them (especially the high 
>>> bandwidth ones).
>>> >
>>> > The black hats don't care - they're looking for vulnerable 
>>> systems. If
>>> > they find one, they'll exploit it (or not).
>>> >
>>>
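Joshua's filtering policy above (ignore probes of nonexistent accounts and of accounts that can't log in anyway, report anything touching an account that can) as an added example, not code from the thread: a small triage of sshd auth-log lines that also keeps the per-source failure counts a fail2ban/sshguard-style rule works from. The log lines, the source addresses and the LOGIN_CAPABLE set are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (not from the thread); the source addresses
# are from the RFC 5737 documentation ranges and the usernames are made up.
SAMPLE_LOG = """\
Jun 11 10:02:13 host sshd[1234]: Invalid user mythtv from 203.0.113.5 port 51234
Jun 11 10:02:15 host sshd[1234]: Failed password for invalid user mythtv from 203.0.113.5 port 51234 ssh2
Jun 11 10:03:40 host sshd[1236]: Failed password for invalid user rheal from 203.0.113.5 port 51240 ssh2
Jun 11 10:04:12 host sshd[1238]: Failed password for invalid user admin from 203.0.113.5 port 51250 ssh2
Jun 11 10:05:01 host sshd[1240]: Failed password for root from 198.51.100.7 port 40022 ssh2
Jun 11 10:07:44 host sshd[1251]: Failed password for www-data from 198.51.100.7 port 40100 ssh2
Jun 11 10:09:30 host sshd[1260]: Failed publickey for alice from 192.0.2.9 port 33001 ssh2: RSA SHA256:PLACEHOLDER
Jun 11 10:09:31 host sshd[1260]: Failed password for alice from 192.0.2.9 port 33001 ssh2
Jun 11 10:11:02 host sshd[1270]: Accepted publickey for alice from 192.0.2.10 port 33010 ssh2: ED25519 SHA256:PLACEHOLDER
"""

# Hypothetical site policy: the only accounts that can actually log in over ssh.
# Other accounts exist (root, service accounts with nologin shells) but are noise.
LOGIN_CAPABLE = {"alice"}

# "Invalid user X from SRC" is logged once per nonexistent-account attempt ...
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<src>\S+)")
# ... and each authentication outcome as "Accepted|Failed METHOD for [invalid user ]X from SRC".
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<event>Accepted|Failed) (?P<method>\w+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def classify(line):
    """Return (category, user, src, counts_as_failure) for one sshd line, or None.

    ignore-nonexistent: probe of an account that does not exist
    ignore-nologin:     existing account that cannot log in anyway
    alert:              failed attempt against a login-capable account
    accepted:           successful login (always worth seeing)
    """
    m = INVALID_RE.search(line)
    if m:
        # The matching "Failed ... for invalid user" line carries the count.
        return ("ignore-nonexistent", m["user"], m["src"], False)
    m = AUTH_RE.search(line)
    if not m:
        return None
    user, src, failed = m["user"], m["src"], m["event"] == "Failed"
    if m["invalid"]:
        return ("ignore-nonexistent", user, src, failed)
    if user not in LOGIN_CAPABLE:
        return ("ignore-nologin", user, src, failed)
    if not failed:
        return ("accepted", user, src, False)
    return ("alert", user, src, True)


def triage(log_text):
    """Split a log into events a human should see and per-source failure counts.

    The ignore-* categories never reach the report, but they still feed the
    counter: a banning tool blocks on volume, not on which account was tried.
    """
    report, failures = [], Counter()
    for line in log_text.splitlines():
        result = classify(line)
        if result is None:
            continue
        category, user, src, failed = result
        if failed:
            failures[src] += 1
        if category in ("alert", "accepted"):
            report.append((category, user, src))
    return report, failures


def ban_candidates(failures, limit):
    """Sources a fail2ban/sshguard-style rule would block after `limit` failures."""
    return sorted(src for src, n in failures.items() if n >= limit)


if __name__ == "__main__":
    report, failures = triage(SAMPLE_LOG)
    for category, user, src in report:
        print(f"{category:8s} {user:10s} {src}")
    print("ban candidates (>= 3 failures):", ban_candidates(failures, 3))
```

With the sample input only the two failures against alice and her later successful login reach the report, while 203.0.113.5 crosses a three-failure threshold purely on probes of nonexistent accounts.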

Re: What's the strategy for bad guys guessing a few ssh passwords?

2017-06-12 Thread Greg Rundlett (freephile)
On Mon, Jun 12, 2017 at 4:00 PM, Ted Roche  wrote:

> On Mon, Jun 12, 2017 at 1:15 PM, Tom Buskey  wrote:
> > As Ted said in the 2nd sentence, it's running on a non-standard port.
> Yes,
> > it helps lot to reduce garbage in the logs.
> >
> > Maybe it's not non-standard enough?
> >
>
> Whadyamean? I'm using the same non-standard port everyone else does!
>
> Oh...
>
>
> : ?

~ Greg who is still on port 22 and uses fail2ban
___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/


Re: What's the strategy for bad guys guessing a few ssh passwords?

2017-06-12 Thread Ted Roche
On Mon, Jun 12, 2017 at 1:15 PM, Tom Buskey  wrote:
> As Ted said in the 2nd sentence, it's running on a non-standard port.  Yes,
> it helps lot to reduce garbage in the logs.
>
> Maybe it's not non-standard enough?
>

Whadyamean? I'm using the same non-standard port everyone else does!

Oh...



-- 
Ted Roche
Ted Roche & Associates, LLC
http://www.tedroche.com


Re: What's the strategy for bad guys guessing a few ssh passwords?

2017-06-12 Thread Dan Coutu
Insisting on the use of an ssh key instead of login credentials also helps a 
lot.

Dan

> On Jun 12, 2017, at 13:15, Tom Buskey  wrote:
> 
> As Ted said in the 2nd sentence, it's running on a non-standard port.  Yes, 
> it helps lot to reduce garbage in the logs.
> 
> Maybe it's not non-standard enough?
> 
> sshguard looks interesting.  Thanks!
> 
> On Mon, Jun 12, 2017 at 12:42 PM, Bruce Dawson <j...@codemeta.com> wrote:
> I have to second this suggestion - changing the port did wonders for our 
> servers. Of course, as Dan says, it works for script kiddies, not so much 
> against a determined attack on your server.
> 
> --Bruce
> 
> On 06/12/2017 09:59 AM, Dan Garthwaite wrote:
>> If you can change the port number it does wonders against the script kiddies.
>> 
>> Just remember to add the new port, restart sshd, then remove the old port.  
>> :)
>> 
>> On Sun, Jun 11, 2017 at 1:53 PM, Ted Roche <tedro...@gmail.com> wrote:
>> Thanks, all for the recommendations. I hadn't seen sshguard before;
>> I'll give that a try.
>> 
>> I do have Fail2Ban in place, and have customized a number of scripts,
>> mostly for Apache (trying to invoke asp scripts on my LAMP server
>> results in instaban, for example) and it is what it reporting the ssh
>> login failures.
>> 
>> I have always seen them, in the 10 years I've had this server running,
>> but the frequency, periodicity and international variety (usually
>> they're all China, Russian, Romania) seemed like there might be
>> something else going on.
>> 
>> Be careful out there.
>> 
>> On Sun, Jun 11, 2017 at 11:19 AM, Mark Komarinski <mkomarin...@wayga.org> wrote:
>> > sshguard is really good since it'll drop in a iptables rule to block an IP
>> > address after a number of attempts (and prevent knocking on other ports 
>> > too).
>> >
>> > Yubikey as 2FA is pretty nice too.
>> >
>> >  Original message 
>> > From: Bruce Dawson <j...@codemeta.com>
>> > Date: 6/11/17 10:58 AM (GMT-05:00)
>> > To: gnhlug-discuss@mail.gnhlug.org
>> > Subject: Re: What's the strategy for bad guys guessing a few ssh passwords?
>> >
>> > sshguard takes care of most of them (especially the high bandwidth ones).
>> >
>> > The black hats don't care - they're looking for vulnerable systems. If
>> > they find one, they'll exploit it (or not).
>> >
>> > Note that a while ago (more than a few years), comcast used to probe
>> > systems to see if they're vulnerable. Either they don't do that any
>> > more, or contract it out because I haven't see probes from any of their
>> > systems in years. This probably holds true for other ISPs, and various
>> > intelligence agencies in the world - both private and public, not to
>> > mention various disreputable enterprises.
>> >
>> > --Bruce
>> >
>> >
>> > On 06/11/2017 10:17 AM, Ted Roche wrote:
>> >> For 36 hours now, one of my clients' servers has been logging ssh
>> >> login attempts from around the world, low volume, persistent, but more
>> >> frequent than usual. sshd is listening on a non-standard port, just to
>> >> minimize the garbage in the logs.
>> >>
>> >> A couple of attempts is normal; we've seen that for years. But this is
>> >> several each  hour, and each hour an IP from a different country:
>> >> Belgium, Korea, Switzerland, Bangladesh, France, China, Germany,
>> >> Dallas, Greece. Usernames vary: root, mythtv, rheal, etc.
>> >>
>> >> There's several levels of defense in use: firewalls, intrusion
>> >> detection, log monitoring, etc, so each script gets a few guesses and
>> >> the IP is then rejected.
>> >>
>> >> In theory, the defenses should be sufficient, but I have a concern
>> >> that I'm missing their strategy here. It's not a DDOS, they are very
>> >> low volume. It will take them several millennia to guess enough
>> >> dictionary attack guesses to get through, so what's the point?
>> >>
>> >

Fwd: What's the strategy for bad guys guessing a few ssh passwords?

2017-06-12 Thread Ted Roche
Agreed. However, now that the kiddies have bot armies of millions of
machines, they just scan all the ports. I've been running non-standard
ports on most servers, and seeing similar traffic on many of the
machines (with unrelated domains, IP ranges, geography, CIDRs and
ISPs) makes me think they're approaching 100% coverage.

On Mon, Jun 12, 2017 at 9:59 AM, Dan Garthwaite  wrote:
> If you can change the port number it does wonders against the script
> kiddies.
>
> Just remember to add the new port, restart sshd, then remove the old port.
> :)
>
> On Sun, Jun 11, 2017 at 1:53 PM, Ted Roche  wrote:
>>
>> Thanks, all for the recommendations. I hadn't seen sshguard before;
>> I'll give that a try.
>>
>> I do have Fail2Ban in place, and have customized a number of scripts,
>> mostly for Apache (trying to invoke asp scripts on my LAMP server
>> results in instaban, for example) and it is what it reporting the ssh
>> login failures.
>>
>> I have always seen them, in the 10 years I've had this server running,
>> but the frequency, periodicity and international variety (usually
>> they're all China, Russian, Romania) seemed like there might be
>> something else going on.
>>
>> Be careful out there.
>>
>> On Sun, Jun 11, 2017 at 11:19 AM, Mark Komarinski 
>> wrote:
>> > sshguard is really good since it'll drop in a iptables rule to block an
>> > IP
>> > address after a number of attempts (and prevent knocking on other ports
>> > too).
>> >
>> > Yubikey as 2FA is pretty nice too.
>> >
>> >  Original message 
>> > From: Bruce Dawson 
>> > Date: 6/11/17 10:58 AM (GMT-05:00)
>> > To: gnhlug-discuss@mail.gnhlug.org
>> > Subject: Re: What's the strategy for bad guys guessing a few ssh
>> > passwords?
>> >
>> > sshguard takes care of most of them (especially the high bandwidth
>> > ones).
>> >
>> > The black hats don't care - they're looking for vulnerable systems. If
>> > they find one, they'll exploit it (or not).
>> >
>> > Note that a while ago (more than a few years), comcast used to probe
>> > systems to see if they're vulnerable. Either they don't do that any
>> > more, or contract it out because I haven't see probes from any of their
>> > systems in years. This probably holds true for other ISPs, and various
>> > intelligence agencies in the world - both private and public, not to
>> > mention various disreputable enterprises.
>> >
>> > --Bruce
>> >
>> >
>> > On 06/11/2017 10:17 AM, Ted Roche wrote:
>> >> For 36 hours now, one of my clients' servers has been logging ssh
>> >> login attempts from around the world, low volume, persistent, but more
>> >> frequent than usual. sshd is listening on a non-standard port, just to
>> >> minimize the garbage in the logs.
>> >>
>> >> A couple of attempts is normal; we've seen that for years. But this is
>> >> several each  hour, and each hour an IP from a different country:
>> >> Belgium, Korea, Switzerland, Bangladesh, France, China, Germany,
>> >> Dallas, Greece. Usernames vary: root, mythtv, rheal, etc.
>> >>
>> >> There's several levels of defense in use: firewalls, intrusion
>> >> detection, log monitoring, etc, so each script gets a few guesses and
>> >> the IP is then rejected.
>> >>
>> >> In theory, the defenses should be sufficient, but I have a concern
>> >> that I'm missing their strategy here. It's not a DDOS, they are very
>> >> low volume. It will take them several millennia to guess enough
>> >> dictionary attack guesses to get through, so what's the point?
>> >>
>> >
>
>





-- 
Ted Roche
Ted Roche & Associates, LLC
http://www.tedroche.com


Re: What's the strategy for bad guys guessing a few ssh passwords?

2017-06-12 Thread Tom Buskey
As Ted said in the 2nd sentence, it's running on a non-standard port.  Yes,
it helps a lot to reduce garbage in the logs.

Maybe it's not non-standard enough?

sshguard looks interesting.  Thanks!

On Mon, Jun 12, 2017 at 12:42 PM, Bruce Dawson  wrote:

> I have to second this suggestion - changing the port did wonders for our
> servers. Of course, as Dan says, it works for script kiddies, not so much
> against a determined attack on your server.
>
> --Bruce
>
> On 06/12/2017 09:59 AM, Dan Garthwaite wrote:
>
> If you can change the port number it does wonders against the script
> kiddies.
>
> Just remember to add the new port, restart sshd, then remove the old port.
>  :)
>
> On Sun, Jun 11, 2017 at 1:53 PM, Ted Roche  wrote:
>
>> Thanks, all for the recommendations. I hadn't seen sshguard before;
>> I'll give that a try.
>>
>> I do have Fail2Ban in place, and have customized a number of scripts,
>> mostly for Apache (trying to invoke asp scripts on my LAMP server
>> results in instaban, for example) and it is what it reporting the ssh
>> login failures.
>>
>> I have always seen them, in the 10 years I've had this server running,
>> but the frequency, periodicity and international variety (usually
>> they're all China, Russian, Romania) seemed like there might be
>> something else going on.
>>
>> Be careful out there.
>>
>> On Sun, Jun 11, 2017 at 11:19 AM, Mark Komarinski 
>> wrote:
>> > sshguard is really good since it'll drop in a iptables rule to block an
>> IP
>> > address after a number of attempts (and prevent knocking on other ports
>> too).
>> >
>> > Yubikey as 2FA is pretty nice too.
>> >
>> >  Original message 
>> > From: Bruce Dawson 
>> > Date: 6/11/17 10:58 AM (GMT-05:00)
>> > To: gnhlug-discuss@mail.gnhlug.org
>> > Subject: Re: What's the strategy for bad guys guessing a few ssh
>> passwords?
>> >
>> > sshguard takes care of most of them (especially the high bandwidth
>> ones).
>> >
>> > The black hats don't care - they're looking for vulnerable systems. If
>> > they find one, they'll exploit it (or not).
>> >
>> > Note that a while ago (more than a few years), comcast used to probe
>> > systems to see if they're vulnerable. Either they don't do that any
>> > more, or contract it out because I haven't see probes from any of their
>> > systems in years. This probably holds true for other ISPs, and various
>> > intelligence agencies in the world - both private and public, not to
>> > mention various disreputable enterprises.
>> >
>> > --Bruce
>> >
>> >
>> > On 06/11/2017 10:17 AM, Ted Roche wrote:
>> >> For 36 hours now, one of my clients' servers has been logging ssh
>> >> login attempts from around the world, low volume, persistent, but more
>> >> frequent than usual. sshd is listening on a non-standard port, just to
>> >> minimize the garbage in the logs.
>> >>
>> >> A couple of attempts is normal; we've seen that for years. But this is
>> >> several each  hour, and each hour an IP from a different country:
>> >> Belgium, Korea, Switzerland, Bangladesh, France, China, Germany,
>> >> Dallas, Greece. Usernames vary: root, mythtv, rheal, etc.
>> >>
>> >> There's several levels of defense in use: firewalls, intrusion
>> >> detection, log monitoring, etc, so each script gets a few guesses and
>> >> the IP is then rejected.
>> >>
>> >> In theory, the defenses should be sufficient, but I have a concern
>> >> that I'm missing their strategy here. It's not a DDOS, they are very
>> >> low volume. It will take them several millennia to guess enough
>> >> dictionary attack guesses to get through, so what's the point?
>> >>
>> >
>>
>>
>>
>
>
>


Re: What's the strategy for bad guys guessing a few ssh passwords?

2017-06-12 Thread Bruce Dawson
I have to second this suggestion - changing the port did wonders for our 
servers. Of course, as Dan says, it works for script kiddies, not so 
much against a determined attack on your server.


--Bruce


On 06/12/2017 09:59 AM, Dan Garthwaite wrote:
If you can change the port number it does wonders against the script 
kiddies.


Just remember to add the new port, restart sshd, then remove the old 
port.  :)


On Sun, Jun 11, 2017 at 1:53 PM, Ted Roche <tedro...@gmail.com> wrote:


Thanks, all for the recommendations. I hadn't seen sshguard before;
I'll give that a try.

I do have Fail2Ban in place, and have customized a number of scripts,
mostly for Apache (trying to invoke asp scripts on my LAMP server
results in instaban, for example) and it is what it reporting the ssh
login failures.

I have always seen them, in the 10 years I've had this server running,
but the frequency, periodicity and international variety (usually
they're all China, Russian, Romania) seemed like there might be
something else going on.

Be careful out there.

On Sun, Jun 11, 2017 at 11:19 AM, Mark Komarinski
<mkomarin...@wayga.org> wrote:
> sshguard is really good since it'll drop in a iptables rule to
block an IP
> address after a number of attempts (and prevent knocking on other
ports too).
>
> Yubikey as 2FA is pretty nice too.
>
>  Original message 
> From: Bruce Dawson <j...@codemeta.com>
> Date: 6/11/17 10:58 AM (GMT-05:00)
> To: gnhlug-discuss@mail.gnhlug.org
> Subject: Re: What's the strategy for bad guys guessing a few ssh
passwords?
>
> sshguard takes care of most of them (especially the high
bandwidth ones).
>
> The black hats don't care - they're looking for vulnerable
systems. If
> they find one, they'll exploit it (or not).
>
> Note that a while ago (more than a few years), comcast used to probe
> systems to see if they're vulnerable. Either they don't do that any
> more, or contract it out because I haven't see probes from any
of their
> systems in years. This probably holds true for other ISPs, and
various
> intelligence agencies in the world - both private and public, not to
> mention various disreputable enterprises.
>
> --Bruce
>
>
> On 06/11/2017 10:17 AM, Ted Roche wrote:
>> For 36 hours now, one of my clients' servers has been logging ssh
>> login attempts from around the world, low volume, persistent,
but more
>> frequent than usual. sshd is listening on a non-standard port,
just to
>> minimize the garbage in the logs.
>>
>> A couple of attempts is normal; we've seen that for years. But
this is
>> several each  hour, and each hour an IP from a different country:
>> Belgium, Korea, Switzerland, Bangladesh, France, China, Germany,
>> Dallas, Greece. Usernames vary: root, mythtv, rheal, etc.
>>
>> There's several levels of defense in use: firewalls, intrusion
>> detection, log monitoring, etc, so each script gets a few
guesses and
>> the IP is then rejected.
>>
>> In theory, the defenses should be sufficient, but I have a concern
>> that I'm missing their strategy here. It's not a DDOS, they are
very
>> low volume. It will take them several millennia to guess enough
>> dictionary attack guesses to get through, so what's the point?
>>
>









Re: What's the strategy for bad guys guessing a few ssh passwords?

2017-06-12 Thread Tom Buskey
I always wonder what they're trying to get.  https://krebsonsecurity.com has
lots of info on why they do it, what they do with it and how they make $$.

There's very few consequences to the attacker for "rattling the doorknob"
compared to potential success.


On Sun, Jun 11, 2017 at 1:53 PM, Ted Roche  wrote:

> Thanks, all for the recommendations. I hadn't seen sshguard before;
> I'll give that a try.
>
> I do have Fail2Ban in place, and have customized a number of scripts,
> mostly for Apache (trying to invoke asp scripts on my LAMP server
> results in instaban, for example) and it is what is reporting the ssh
> login failures.
>
> I have always seen them, in the 10 years I've had this server running,
> but the frequency, periodicity and international variety (usually
> they're all China, Russia, Romania) seemed like there might be
> something else going on.
>
> Be careful out there.
___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/


Re: What's the strategy for bad guys guessing a few ssh passwords?

2017-06-12 Thread Dan Garthwaite
If you can change the port number it does wonders against the script
kiddies.

Just remember to add the new port, restart sshd, then remove the old port.
 :)

On Sun, Jun 11, 2017 at 1:53 PM, Ted Roche  wrote:

> Thanks, all for the recommendations. I hadn't seen sshguard before;
> I'll give that a try.
>
> I do have Fail2Ban in place, and have customized a number of scripts,
> mostly for Apache (trying to invoke asp scripts on my LAMP server
> results in instaban, for example) and it is what is reporting the ssh
> login failures.
>
> I have always seen them, in the 10 years I've had this server running,
> but the frequency, periodicity and international variety (usually
> they're all China, Russia, Romania) seemed like there might be
> something else going on.
>
> Be careful out there.
___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/


Re: What's the strategy for bad guys guessing a few ssh passwords?

2017-06-11 Thread Ted Roche
Thanks, all for the recommendations. I hadn't seen sshguard before;
I'll give that a try.

I do have Fail2Ban in place, and have customized a number of scripts,
mostly for Apache (trying to invoke asp scripts on my LAMP server
results in instaban, for example) and it is what is reporting the ssh
login failures.

I have always seen them, in the 10 years I've had this server running,
but the frequency, periodicity and international variety (usually
they're all China, Russia, Romania) seemed like there might be
something else going on.

Be careful out there.

On Sun, Jun 11, 2017 at 11:19 AM, Mark Komarinski  wrote:
> sshguard is really good since it'll drop in an iptables rule to block an IP
> address after a number of attempts (and prevent knocking on other ports too).
>
> Yubikey as 2FA is pretty nice too.
>



-- 
Ted Roche
Ted Roche & Associates, LLC
http://www.tedroche.com
___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/


Re: What's the strategy for bad guys guessing a few ssh passwords?

2017-06-11 Thread Joshua Judson Rosen
On 06/11/2017 10:17 AM, Ted Roche wrote:
> For 36 hours now, one of my clients' servers has been logging ssh
> login attempts from around the world, low volume, persistent, but more
> frequent than usual. sshd is listening on a non-standard port, just to
> minimize the garbage in the logs.
> 
> A couple of attempts is normal; we've seen that for years. But this is
> several each hour, and each hour an IP from a different country:
> Belgium, Korea, Switzerland, Bangladesh, France, China, Germany,
> Dallas, Greece. Usernames vary: root, mythtv, rheal, etc.
> 
> There are several levels of defense in use: firewalls, intrusion
> detection, log monitoring, etc, so each script gets a few guesses and
> the IP is then rejected.
> 
> In theory, the defenses should be sufficient, but I have a concern
> that I'm missing their strategy here. It's not a DDOS, they are very
> low volume. It will take them several millennia to guess enough
> dictionary attack guesses to get through, so what's the point?

Maybe they already have known-good passwords to go along with the usernames,
and they're guessing at *hosts* (or networks) where those combinations work?

Just over a decade ago, a friend who was doing sysadmin at a college
got involved in chasing down someone who had been worming his way
through college/university networks using that same general class
of strategy:

1. find usernames+passwords for staff at an arbitrary university

2. assume people with a network account at one university
   probably have accounts with the same username+password
   on systems at _other_ universities
   (because academics collaborate across institutional boundaries)

3. grow the list of hosts you can log into using #2

4. assume that some of the systems you can now log into
   probably have vulnerabilities that allow you to find other
   known-good username+password pairs

5. grow your list of username+password pairs using #4

6. GOTO 1


If you already have a big network of attack-bots, then there's probably
no reason to even restrict the scope to universities.

-- 
Connect with me on the GNU social network: 

Not on the network? Ask me for an invitation to the nhcrossing.com social hub!
___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/


Re: What's the strategy for bad guys guessing a few ssh passwords?

2017-06-11 Thread Mark Komarinski
sshguard is really good since it'll drop in an iptables rule to block an IP
address after a number of attempts (and prevent knocking on other ports too).
Yubikey as 2FA is pretty nice too.
 Original message 
From: Bruce Dawson 
Date: 6/11/17 10:58 AM (GMT-05:00)
To: gnhlug-discuss@mail.gnhlug.org
Subject: Re: What's the strategy for bad guys guessing a few ssh passwords?
sshguard takes care of most of them (especially the high bandwidth ones).

The black hats don't care - they're looking for vulnerable systems. If 
they find one, they'll exploit it (or not).

Note that a while ago (more than a few years), Comcast used to probe
systems to see if they're vulnerable. Either they don't do that any
more, or contract it out because I haven't seen probes from any of their
systems in years. This probably holds true for other ISPs, and various 
intelligence agencies in the world - both private and public, not to 
mention various disreputable enterprises.

--Bruce


___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/


Re: What's the strategy for bad guys guessing a few ssh passwords?

2017-06-11 Thread Bruce Dawson
sshguard takes care of most of them (especially the high bandwidth ones).

The black hats don't care - they're looking for vulnerable systems. If 
they find one, they'll exploit it (or not).

Note that a while ago (more than a few years), Comcast used to probe
systems to see if they're vulnerable. Either they don't do that any
more, or contract it out because I haven't seen probes from any of their
systems in years. This probably holds true for other ISPs, and various 
intelligence agencies in the world - both private and public, not to 
mention various disreputable enterprises.

--Bruce


On 06/11/2017 10:17 AM, Ted Roche wrote:
> For 36 hours now, one of my clients' servers has been logging ssh
> login attempts from around the world, low volume, persistent, but more
> frequent than usual. sshd is listening on a non-standard port, just to
> minimize the garbage in the logs.
>
> A couple of attempts is normal; we've seen that for years. But this is
> several each hour, and each hour an IP from a different country:
> Belgium, Korea, Switzerland, Bangladesh, France, China, Germany,
> Dallas, Greece. Usernames vary: root, mythtv, rheal, etc.
>
> There are several levels of defense in use: firewalls, intrusion
> detection, log monitoring, etc, so each script gets a few guesses and
> the IP is then rejected.
>
> In theory, the defenses should be sufficient, but I have a concern
> that I'm missing their strategy here. It's not a DDOS, they are very
> low volume. It will take them several millennia to guess enough
> dictionary attack guesses to get through, so what's the point?
>

___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/


Re: What's the strategy for bad guys guessing a few ssh passwords?

2017-06-11 Thread Ken D'Ambrosio
"What's the point?" C'mon, Ted. You know better than that. The point is people 
with weak passwords. Remember the Dyn DDoS? That was brought on entirely by 
devices with default passwords. As is a RasPi attack I read about on Slashdot 
just this AM. Say 90% of servers/devices follow good security practices -- that 
still leaves 10% that are susceptible. I imagine even a 1% return would still 
get you a pretty sweet botnet. So, in my estimation at least, that is the point.

$.02,

-Ken

On June 11, 2017 10:17:35 AM EDT, Ted Roche  wrote:
>For 36 hours now, one of my clients' servers has been logging ssh
>login attempts from around the world, low volume, persistent, but more
>frequent than usual. sshd is listening on a non-standard port, just to
>minimize the garbage in the logs.
>
>A couple of attempts is normal; we've seen that for years. But this is
>several each hour, and each hour an IP from a different country:
>Belgium, Korea, Switzerland, Bangladesh, France, China, Germany,
>Dallas, Greece. Usernames vary: root, mythtv, rheal, etc.
>
>There are several levels of defense in use: firewalls, intrusion
>detection, log monitoring, etc, so each script gets a few guesses and
>the IP is then rejected.
>
>In theory, the defenses should be sufficient, but I have a concern
>that I'm missing their strategy here. It's not a DDOS, they are very
>low volume. It will take them several millennia to guess enough
>dictionary attack guesses to get through, so what's the point?
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/


What's the strategy for bad guys guessing a few ssh passwords?

2017-06-11 Thread Ted Roche
For 36 hours now, one of my clients' servers has been logging ssh
login attempts from around the world, low volume, persistent, but more
frequent than usual. sshd is listening on a non-standard port, just to
minimize the garbage in the logs.

A couple of attempts is normal; we've seen that for years. But this is
several each hour, and each hour an IP from a different country:
Belgium, Korea, Switzerland, Bangladesh, France, China, Germany,
Dallas, Greece. Usernames vary: root, mythtv, rheal, etc.

There are several levels of defense in use: firewalls, intrusion
detection, log monitoring, etc, so each script gets a few guesses and
the IP is then rejected.

In theory, the defenses should be sufficient, but I have a concern
that I'm missing their strategy here. It's not a DDOS, they are very
low volume. It will take them several millennia to guess enough
dictionary attack guesses to get through, so what's the point?

-- 
Ted Roche
Ted Roche & Associates, LLC
http://www.tedroche.com
___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
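Added example, not from the thread or any of its posters: a small Python check over sshd auth.log lines that models the layered setup Ted describes (a per-IP "N failures then block" rule like fail2ban or sshguard) and shows why his low-volume pattern never trips it, while an aggregate view across all sources still flags it. The log lines, IP addresses and the `per_ip_ban` / `min_sources` thresholds are constructed for the demo.

```python
import re
from collections import Counter, defaultdict

# OpenSSH auth.log failure line (syslog format):
# "Jun 11 10:17:35 host sshd[2311]: Failed password for [invalid user] NAME from IP port N ssh2"
FAIL_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<hour>\d{2}):\d{2}:\d{2} \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.:a-fA-F]+) port \d+"
)

def parse_failures(lines):
    """Yield (hour_bucket, username, source_ip) for each failed-password line; skip all others."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            yield f"{m['mon']} {m['day']} {m['hour']}", m["user"], m["ip"]

def assess(lines, per_ip_ban=5, min_sources=3):
    """Summarise failures and report whether a per-IP ban threshold alone would have fired.

    per_ip_ban mirrors a fail2ban/sshguard style "N failures, then block this IP" rule.
    min_sources is a constructed heuristic: this many distinct sources, none noisy enough
    to be banned, is the low-and-slow, many-IP pattern a per-IP rule cannot see.
    """
    per_ip = Counter()
    hours = defaultdict(set)  # hour bucket -> source IPs seen in that hour
    users = set()
    for bucket, user, ip in parse_failures(lines):
        per_ip[ip] += 1
        hours[bucket].add(ip)
        users.add(user)
    banned = sorted(ip for ip, n in per_ip.items() if n >= per_ip_ban)
    return {
        "total_failures": sum(per_ip.values()),
        "sources": len(per_ip),
        "max_per_ip": max(per_ip.values(), default=0),
        "usernames": sorted(users),
        "would_be_banned": banned,
        "hours_active": len(hours),
        "distributed_low_rate": len(per_ip) >= min_sources and not banned,
    }

# Constructed sample: a new source each hour, two or three guesses each, varied usernames.
SLOW_LOG = [
    "Jun 11 10:17:35 host sshd[2311]: Failed password for root from 192.0.2.10 port 51122 ssh2",
    "Jun 11 10:17:39 host sshd[2311]: Failed password for root from 192.0.2.10 port 51122 ssh2",
    "Jun 11 10:17:44 host sshd[2313]: Failed password for invalid user mythtv from 192.0.2.10 port 51130 ssh2",
    "Jun 11 11:02:01 host sshd[2400]: Failed password for invalid user rheal from 198.51.100.7 port 40211 ssh2",
    "Jun 11 11:02:05 host sshd[2400]: Failed password for invalid user rheal from 198.51.100.7 port 40211 ssh2",
    "Jun 11 12:40:10 host sshd[2502]: Failed password for root from 203.0.113.44 port 33001 ssh2",
    "Jun 11 12:40:15 host sshd[2502]: Accepted publickey for ted from 203.0.113.200 port 33010 ssh2",
    "Jun 11 13:15:50 host sshd[2610]: Failed password for root from 203.0.113.44 port 33002 ssh2",
]

# Constructed contrast: one noisy source, the case the per-IP rule is built for.
NOISY_LOG = [
    f"Jun 11 09:00:{s:02d} host sshd[2000]: Failed password for root from 192.0.2.99 port 4000{s} ssh2"
    for s in range(6)
]

if __name__ == "__main__":
    for name, log in (("slow", SLOW_LOG), ("noisy", NOISY_LOG)):
        print(name, assess(log))
```

With the default thresholds the slow log shows seven failures from three sources over four hours, none of which would be banned, so the per-IP layer is silent while the aggregate view flags a distributed low-rate pattern; the noisy log bans its single source and is not flagged as distributed.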