Isn't it just good security practice to limit telnet/SSH access to only a few choice hosts/subnets? I know I'd never allow the 0/0 net access to a signon screen, even if it is SSH. If you're on vacation and need to access something, call your NOC, and have them temporarily allow your dynamic address for SSH. When a hacker finds an open SSH host, they think two things - This host is important to someone, and that they need more doughnuts...

Chuck

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Frank Louwers
Sent: Tuesday, November 15, 2005 3:03 AM
To: nanog@nanog.org
Subject: Re: a record?

On Tue, Nov 15, 2005 at 12:01:00AM +0100, Peter Dambier wrote:
Moving sshd from port 22 to port 137, 138 or 139. Nasty eh?
Don't do that! Lots of (access) ISPs around the world (esp. here in Europe) block those ports (in and out), so if you ever need emergency access to your system from a network you don't know, you'll find yourself blocked.

Kind Regards,
Frank Louwers
--
Openminds bvba www.openminds.be
Tweebruggenstraat 16 - 9000 Gent - Belgium
On Nov 15, 2005, at 12:52 PM, Church, Chuck wrote:
Isn't it just good security practice to limit telnet/SSH access to only a few choice hosts/subnets? I know I'd never allow the 0/0 net access to a signon screen, even if it is SSH. If you're on vacation and need to access something, call your NOC, and have them temporarily allow your dynamic address for SSH. When a hacker finds an open SSH host, they think two things - This host is important to someone, and that they need more doughnuts...
That is an excellent idea. As soon as I hire a NOC for my personal boxes, I'll get right on that. But, since I Am Not An Isp, I doubt that is going to happen soon. Remember, not every box on the Internet is supported by a whole network of resources (physical and human). -- TTFN, patrick
I said many times - just use a non-standard port. The number of hackers who discover this port will decrease approx. 10,000 times, to almost 0 (number). (Of course, except if you are a bank).

Another approach exists as well - SecureID on the firewall. Log in to the firewall, authenticate, and have a dynamic access list which opens ssh for you (and still keep ssh on port != 22).

----- Original Message -----
From: "Patrick W. Gilmore" <patrick@ianai.net>
To: <nanog@nanog.org>
Cc: "Patrick W. Gilmore" <patrick@ianai.net>
Sent: Tuesday, November 15, 2005 11:02 AM
Subject: Re: a record?
On Nov 15, 2005, at 12:52 PM, Church, Chuck wrote:
Isn't it just good security practice to limit telnet/SSH access to only a few choice hosts/subnets? I know I'd never allow the 0/0 net access to a signon screen, even if it is SSH. If you're on vacation and need to access something, call your NOC, and have them temporarily allow your dynamic address for SSH. When a hacker finds an open SSH host, they think two things - This host is important to someone, and that they need more doughnuts...
That is an excellent idea. As soon as I hire a NOC for my personal boxes, I'll get right on that. But, since I Am Not An Isp, I doubt that is going to happen soon.
Remember, not every box on the Internet is supported by a whole network of resources (physical and human).
-- TTFN, patrick
Or OpenBSD with pf and authpf: http://www.openbsd.org/faq/pf/authpf.html

Austin

Alexei Roudnev wrote:
I said many times - just use a non-standard port. The number of hackers who discover this port will decrease approx. 10,000 times, to almost 0 (number).
(Of course, except if you are a bank).
Another approach exists as well - SecureID on the firewall. Log in to the firewall, authenticate, and have a dynamic access list which opens ssh for you (and still keep ssh on port != 22).

----- Original Message -----
From: "Patrick W. Gilmore" <patrick@ianai.net>
To: <nanog@nanog.org>
Cc: "Patrick W. Gilmore" <patrick@ianai.net>
Sent: Tuesday, November 15, 2005 11:02 AM
Subject: Re: a record?
On Nov 15, 2005, at 12:52 PM, Church, Chuck wrote:
Isn't it just good security practice to limit telnet/SSH access to only a few choice hosts/subnets? I know I'd never allow the 0/0 net access to a signon screen, even if it is SSH. If you're on vacation and need to access something, call your NOC, and have them temporarily allow your dynamic address for SSH. When a hacker finds an open SSH host, they think two things - This host is important to someone, and that they need more doughnuts...
That is an excellent idea. As soon as I hire a NOC for my personal boxes, I'll get right on that. But, since I Am Not An Isp, I doubt that is going to happen soon.
Remember, not every box on the Internet is supported by a whole network of resources (physical and human).
-- TTFN, patrick
On 11/20/05, Alexei Roudnev <alex@relcom.net> wrote:
Another approach exists as well - SecureID on the firewall. Log in to the firewall, authenticate, and have a dynamic access list which opens ssh for you (and still keep ssh on port != 22).
Or VPN in, or set up a tunnel of some sort. Have ssh available over the tunneled interface. Yup, lots of options available. Though, if you have a secure ssh and reasonable control of your passwords it is probably safe to leave it at port 22 rather than resorting to security by obscurity measures like running it on a higher number port or (as at least one webhost does) running it on 443, with some kind of shim listening on that port, intercepting requests to it and redirecting them to apache or sshd as appropriate.
Security by obscurity eliminates all (100%) of these automated scans and automated attacks. So, having SSH on port 63023 (for example) and seeing probes, you can be 100% sure that someone has a SPECIFIC interest in your site, and so you can spend time and investigate what he is looking for (by, for example, allowing him to break into a sandbox). It is impossible with port 22, because 99.9% of these _attempts_ will be just _blind search attempts_, so you will not be able to concentrate on _really dangerous_ specific interest in yours (because if I want to break into your site, and if I am serious, then it is only a matter of time before I succeed - for example, I can use insiders, janitors, faked messages etc... so it is quite important to see such attacks from the beginning, in a clear field, and to prevent them by non-technical methods in addition to technical ones).

It is like a 'NO TRESPASSING' sign on your private road - having this sign, you can be (relatively) sure that if you see an intruder, he is (1) a burglar, (2) someone who is lost in space and wants to ask _where am I_, (3) the FedEx delivery guy, but not just _someone strolling around without any goal_. It is first-line selection, which is quite important because it decreases the number of events thousands of times.

Of course, this is only a SIGN. Add a good fence, rifle etc. (castle, water channel, drawbridge, knights -:)) if you have something which bad guys are interested in. But post NO TRESPASSING first of all.

----- Original Message -----
From: "Suresh Ramasubramanian" <ops.lists@gmail.com>
To: "Alexei Roudnev" <alex@relcom.net>
Cc: "Patrick W. Gilmore" <patrick@ianai.net>; <nanog@nanog.org>
Sent: Saturday, November 19, 2005 7:02 PM
Subject: Re: a record?

On 11/20/05, Alexei Roudnev <alex@relcom.net> wrote:
Another approach exists as well - SecureID on the firewall. Log in to the firewall, authenticate, and have a dynamic access list which opens ssh for you (and still keep ssh on port != 22).
Or VPN in, or set up a tunnel of some sort. Have ssh available over the tunneled interface. Yup, lots of options available. Though, if you have a secure ssh and reasonable control of your passwords it is probably safe to leave it at port 22 rather than resorting to security by obscurity measures like running it on a higher number port or (as at least one webhost does) running it on 443, with some kind of shim listening on that port, intercepting requests to it and redirecting them to apache or sshd as appropriate.
On 11/20/05, Alexei Roudnev <alex@relcom.net> wrote:
Of course, this is only a SIGN. Add a good fence, rifle etc. (castle, water channel, drawbridge, knights -:)) if you have something which bad guys are interested in. But post NO TRESPASSING first of all.
When you put it that way, fair enough. -- Suresh Ramasubramanian (ops.lists@gmail.com)
On Sat, 19 Nov 2005, Alexei Roudnev wrote:
Security by obscurity eliminates all (100%) of these automated scans and automated attacks. So, having SSH on port 63023 (for example) and seeing probes, you can be 100% sure that someone has a SPECIFIC interest in your
This is just security by outrunning the bear. The assumption is bears will stop chasing you if they catch a different hiker first. Unfortunately, we now have decades of experience in cybersecurity that this isn't true. It appears to work for a while, but on the Internet bears are always hungry and learn. There are people actively scanning for any open ports running any protocol, without a SPECIFIC interest in your computer. SSH already has a No Trespassing banner. You may just not have a big enough sample to see what is actually happening.
sean@donelan.com (Sean Donelan) wrote:
Security by obscurity eliminates all (100%) of these automated scans and automated attacks. So, having SSH on port 63023 (for example) and seeing probes, you can be 100% sure that someone has a SPECIFIC interest in your
This is just security by outrunning the bear. The assumption is bears will stop chasing you if they catch a different hiker first.
You're failing to catch the intention here.
Unfortunately, we now have decades of experience in cybersecurity that this isn't true. It appears to work for a while, but on the Internet bears are always hungry and learn. There are people actively scanning for any open ports running any protocol, without a SPECIFIC interest in your computer.
Funnily, I see many, many more scanning attempts for the same port (or handful of ports) across entire networks than the other way around.

And as stated before: If somebody scans 63023, he has interest in your site and is worth the effort of doing something about it. That's the whole point in changing the port.

Changing the port is not making the system more secure, it only filters out passers-by.

Elmar.

--
"Just don't make the mistake of substituting expertise for opinion." (PLemken, <bu6o7e$e6v0p$2@ID-31.news.uni-berlin.de>)
--------------------------------------------------------------[ ELMI-RIPE ]---
On Nov 20, 2005, at 6:17 AM, Elmar K. Bins wrote:
Unfortunately, we now have decades of experience in cybersecurity that this isn't true. It appears to work for a while, but on the Internet bears are always hungry and learn. There are people actively scanning for any open ports running any protocol, without a SPECIFIC interest in your computer.
Funnily, I see many many more scanning attempts for the same port (or handful of ports) across entire networks than the other way around.
And as stated before: If somebody scans 63023, he has interest in your site and is worth the effort of doing something about it. That's the whole point in changing the port.
Changing the port is not making the system more secure, it only filters out passers-by.
I'm going to repeat what Sean said, because you clearly didn't read what he said:

"There are people actively scanning for any open ports running any protocol, without a SPECIFIC interest in your computer."

Allow me to re-state again in slightly different language so you understand this time:

Changing your port may (will?) lower the number of automated scans you see hitting your daemon, but it will _NOT_ eliminate them. IOW: Just because someone is probing for an SSH daemon on 65K ports against your box does _NOT_ mean he has a specific interest in your box.

If you honestly believe that just 'cause someone tried "ssh -p 63xxx $YOUR.BOX" it means he is specifically targeting your box, well, that is your prerogative. You are almost certain to be wrong at least part of the time, though.

--
TTFN,
patrick
Are you sure? My statistics show me the opposite.
"There are people actively scanning for any open ports running any protocol, without a SPECIFIC interest in your computer."
I mean - for ANY. Pretty easy to check - set up an access list with 'log' for 2 ports - port 22 and port 63023, and show us the number of hits in 1 week. My statistics show a 0 count on big non-standard ports. The reason is simple - a full range scan is very slow, and has a very low ratio of success, so it is relatively useless.
Allow me to re-state again in slightly different language so you understand this time:
Changing your port may (will?) lower the number of automated scans you see hitting your daemon, but it will _NOT_ eliminate them. IOW: Just because someone is probing for an SSH daemon on 65K ports against your box does _NOT_ mean he has a specific interest in your box.
Probing - not; trying to guess a password - 100% YES. But the probing rate is 0, to my surprise.
If you honestly believe that just 'cause someone tried "ssh -p 63xxx $YOUR.BOX" it means he is specifically targeting your box, well, that is your prerogative. You are almost certain to be wrong at least part of the time, though.
-- TTFN, patrick
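The measurement Alexei proposes above (log SYNs to port 22 and to the non-standard port, then compare the counts after a week) written out as an added example; this is not code from the thread or from any of the participants. It assumes two netfilter LOG rules with the prefix "SSHLOG: " (e.g. `iptables -A INPUT -p tcp --syn --dport 22 -j LOG --log-prefix "SSHLOG: "` and the same for 63023) and a syslog file in the usual kernel-message format; the log lines below are constructed, not captured traffic. Beyond the raw counts, it also splits the sources seen on the high port into those that also hit port 22 (consistent with a wide sweep rather than a specific interest, which is Patrick's and Sean's objection) and those that only touched the high port.

```python
import re
from collections import defaultdict

# Constructed sample of netfilter LOG output (not real traffic). The
# "SSHLOG: " prefix is the assumed --log-prefix on the two LOG rules.
SAMPLE_LOG = """\
Nov 20 03:12:44 gw kernel: SSHLOG: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=22 SYN
Nov 20 03:12:45 gw kernel: SSHLOG: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=51235 DPT=22 SYN
Nov 20 03:40:01 gw kernel: SSHLOG: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=22 SYN
Nov 20 04:02:10 gw kernel: SSHLOG: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.7 PROTO=TCP SPT=33000 DPT=22 SYN
Nov 20 04:02:11 gw kernel: SSHLOG: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.7 PROTO=TCP SPT=33001 DPT=63023 SYN
Nov 20 05:15:30 gw kernel: SSHLOG: IN=eth0 OUT= SRC=198.51.100.200 DST=198.51.100.7 PROTO=TCP SPT=44444 DPT=63023 SYN
Nov 20 05:15:31 gw kernel: SSHLOG: IN=eth0 OUT= SRC=198.51.100.200 DST=198.51.100.7 PROTO=TCP SPT=44445 DPT=63023 SYN
Nov 20 06:00:00 gw kernel: eth0: link up
"""

# Source address and destination port of a logged packet. The non-greedy
# ".*?" stops at the first "DPT=" after SRC; "SPT=" does not match it.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return (src, dport) for a line written by our LOG rules, else None."""
    if "SSHLOG:" not in line:
        return None
    m = LOG_RE.search(line)
    if m is None:
        return None
    return m.group("src"), int(m.group("dpt"))


def summarize(lines, ports=(22, 63023)):
    """Count hits and collect distinct sources per watched destination port."""
    hits = {p: 0 for p in ports}
    sources = {p: set() for p in ports}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dport = parsed
        if dport in hits:
            hits[dport] += 1
            sources[dport].add(src)
    return hits, sources


def classify_high_port_sources(sources, standard=22, high=63023):
    """Split the sources that probed the high port into those that also
    probed the standard port (looks like a sweep across ports) and those
    that touched only the high port (the case Alexei wants to look at)."""
    both = sources[high] & sources[standard]
    only_high = sources[high] - sources[standard]
    return both, only_high


if __name__ == "__main__":
    hits, sources = summarize(SAMPLE_LOG.splitlines())
    for port in sorted(hits):
        print(f"port {port}: {hits[port]} SYNs from {len(sources[port])} sources")
    both, only_high = classify_high_port_sources(sources)
    print("high port, also seen on 22:", sorted(both))
    print("high port only:", sorted(only_high))
```

Run it against a real week of syslog with `summarize(open("/var/log/kern.log"))`; the interesting number is not hits[63023] on its own but the size of only_high, since a source that also knocked on 22 is just as likely to be a port sweep as a targeted probe.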
patrick@ianai.net (Patrick W. Gilmore) wrote:
I'm going to repeat what Sean said, because you clearly didn't read what he said:
You're trying to be harsh, even though I don't understand why. I read what you just rephrased, and I understood it fully, believe me. Let me explain my lines of thought here.

I am fully aware of people scanning the full range of ports, but then, it's a _WHOLE LOT_ fewer full-port-range scans than full-address-range scans. You will see that in your logs, too. If the guys have found an interesting machine, they will scan all ports, sure, but then you _WANT TO DEAL_ with these guys. Whether it is because they are interested in you, or whether it is because they found a box worth cracking. That of course leaves aside the few guys who really try full-port-range scans on a lot of boxes or, accidentally, the ones I look over. I may be wrong in assuming they are taking interest, but I take interest in them and do something. It still is a lot fewer incidents to focus on.

Saving unnecessary work is all that this is about, not whether or not I believe something (this being safer than that, that guy having a specific interest in this, whatever). Actually, I really don't care about people scanning closed or blocked ports. Except for a few potential target addresses, that is. But of course I am not doing this by reading server logfiles and wading through folks trying dictionary attacks on just-found-to-exist ssh ports. That's what firewall and ID systems are good at. Most of the time I get interested when "they" get interested, or when there's someone coming up, doing something more elaborate than running one of the easy scripts. Apart from that, I am simply not interested, because I have other work to do. And if I get rid of "dummy alerts" by changing the port for a "generic login" service, so be it. It's a tool to save work. You don't have to use it.

Elmar.
On Sun, 20 Nov 2005, Suresh Ramasubramanian wrote:
On 11/20/05, Alexei Roudnev <alex@relcom.net> wrote:
Another approach exists as well - SecureID on the firewall. Log in to the firewall, authenticate, and have a dynamic access list which opens ssh for you (and still keep ssh on port != 22).
Or VPN in, or set up a tunnel of some sort. Have ssh available over the tunneled interface. Yup, lots of options available.
Though, if you have a secure ssh and reasonable control of your passwords it is probably safe to leave it at port 22 rather than resorting to security by obscurity measures like running it on a higher number port or (as at least one webhost does) running it on 443, with some kind of shim listening on that port, intercepting requests to it and redirecting them to apache or sshd as appropriate.
Amen. Now, without any consideration regarding security, obscurity or whatever, I'd say that having an sshd on port 443 somewhere is a good idea if you happen to use a GPRS network where all except 'web' ports are filtered (orange.fr comes to mind - at least they used to do that when I was still living in France).

- yann
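The "shim on 443" that Suresh describes and Yann's use case (sshd reachable from a network that only passes web ports) both come down to the same trick: one listener on 443 that looks at the first bytes a client sends and hands the connection to sshd or to the web server. The following is an added example of such a demultiplexer, written here for illustration; it is not the webhost's shim, not sslh, and not code from anyone in the thread. The backend addresses and ports are assumptions: sshd on 127.0.0.1:22 and the real HTTPS/HTTP servers moved to 8443/8080 so that the shim can own 443.

```python
import socket
import threading

# Assumed local backends (example values, not from the thread).
BACKENDS = {
    "ssh":  ("127.0.0.1", 22),
    "tls":  ("127.0.0.1", 8443),   # the real HTTPS server, moved off 443
    "http": ("127.0.0.1", 8080),   # plain HTTP, in case someone speaks it on 443
}
PEEK_TIMEOUT = 2.0   # seconds to wait for the client to speak first
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ",
                b"OPTIONS ", b"DELETE ", b"CONNECT ")


def classify(head):
    """Classify a connection from the first bytes the client sent.

    'ssh'        - SSH identification string ("SSH-2.0-...")
    'tls'        - TLS record header: content type 0x16 (handshake), major version 0x03
    'http'       - plaintext HTTP request line
    'ssh_silent' - nothing received before the timeout: some SSH clients wait
                   for the server banner, so silence is treated as SSH
    'unknown'    - anything else (the caller drops it)
    """
    if not head:
        return "ssh_silent"
    # Accept a partial banner too ("SS", "SSH") in case the peek was short.
    if head.startswith(b"SSH-") or b"SSH-".startswith(head):
        return "ssh"
    if len(head) >= 2 and head[0] == 0x16 and head[1] == 0x03:
        return "tls"
    if any(head.startswith(m) for m in HTTP_METHODS):
        return "http"
    return "unknown"


def pipe(src, dst):
    """Copy bytes src -> dst until EOF or error, then pass the EOF on."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client, backends=BACKENDS):
    """Peek at the client's first bytes and splice it to the matching backend."""
    client.settimeout(PEEK_TIMEOUT)
    try:
        head = client.recv(16, socket.MSG_PEEK)   # look without consuming
    except socket.timeout:
        head = b""
    kind = classify(head)
    if kind == "ssh_silent":
        kind = "ssh"
    target = backends.get(kind)
    if target is None:
        client.close()
        return
    client.settimeout(None)
    try:
        backend = socket.create_connection(target)
    except OSError:
        client.close()
        return
    up = threading.Thread(target=pipe, args=(client, backend), daemon=True)
    up.start()
    pipe(backend, client)       # backend -> client runs in this thread
    up.join()
    client.close()
    backend.close()


def serve(port=443, host="0.0.0.0"):
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(64)
        while True:
            client, _ = srv.accept()
            threading.Thread(target=handle, args=(client,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Two caveats a practitioner will hit. First, the peek-then-timeout logic exists because SSH is the one protocol here where the server may speak first: a client that waits for the banner sits silent, so the shim waits PEEK_TIMEOUT and then assumes SSH, which adds that delay to every such SSH login but none to TLS or HTTP. Second, the backends now see every connection coming from 127.0.0.1, so anything that keys on the client address (sshd's Match Address, fail2ban, your own ACLs) has to be moved to the shim or fed the real address some other way; that, not the port change, is where this setup most often weakens an existing policy.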
On 11/21/05, Yann Berthier <yb@bashibuzuk.net> wrote:
Amen. Now, without any consideration regarding security, obscurity or whatever, I'd say that having an sshd on port 443 somewhere is a good idea if you happen to use a GPRS network where all except 'web' ports are filtered (orange.fr comes to mind - at least they used to do that when I was still living in France)
In such a situation, you might find this project by my good friend Nikhil Shankar interesting. It is rather old, and I haven't used it in a few years, but I'm reasonably sure it still works just fine - http://freshmeat.net/projects/smsterm/

--
Suresh Ramasubramanian (ops.lists@gmail.com)
On Mon, 21 Nov 2005, Suresh Ramasubramanian wrote:
On 11/21/05, Yann Berthier <yb@bashibuzuk.net> wrote:
Amen. Now, without any consideration regarding security, obscurity or whatever, I'd say that having an sshd on port 443 somewhere is a good idea if you happen to use a GPRS network where all except 'web' ports are filtered (orange.fr comes to mind - at least they used to do that when I was still living in France)
In such a situation, you might find this project by my good friend Nikhil Shankar interesting
It is rather old, and I haven't used it in a few years, but I'm reasonably sure it still works just fine - http://freshmeat.net/projects/smsterm/
Looks pretty cool. I usually use my GPRS phone for dialup from my laptop, but I'll give it a try.

Thanks,
- yann
participants (8)
- Alexei Roudnev
- Austin McKinley
- Church, Chuck
- Elmar K. Bins
- Patrick W. Gilmore
- Sean Donelan
- Suresh Ramasubramanian
- Yann Berthier