[Dshield] SSH Bots

Rick.Wanner@sasktel.sk.ca Rick.Wanner at sasktel.sk.ca
Tue Mar 7 14:54:59 GMT 2006

list-bounces at lists.dshield.org wrote on 03/07/2006 04:58:16 AM:

> On 3/6/06, lucy at lucindrea.com <lucy at lucindrea.com> wrote:
> >
> > 1. switch the port that ssh works on from 22 to something odd like 678 
> > something. (not the best solution, but it does work)
> It works like a charm.  Unfortunately it brings the "security by
> obscurity" trolls out of the woodwork.
Or install something like denyhosts (denyhosts.sourceforge.net) to block 
out the offending IPs. I installed it on one of our Internet facing 
servers a little less than a year ago and so far it has blocked out ~250 
IPs.  The newer version will block out IPs for a designated period of time 
and then remove them.  Pretty slick!

On my home machine I run ssh on a non-standard port (I don't use ports 
below 1024 because they periodically get probes); I also run denyhosts on 
that machine.  I have not had one ssh brute force attempt in over two 
years.  It is the low hanging fruit approach.  There are more than enough 
ssh servers on the Internet on port 22, why go looking for non-standard 
ones?  Security by obscurity should not be your only security, but it 
doesn't hurt to supplement other security measures.

Any resemblance to a troll is purely circumstantial.
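
The blocking approach described in the message above (count failed SSH logins per source IP, block the offenders, drop the block after a set period) can be sketched as follows. This is an added example, not part of the original post and not DenyHosts' own code; the function names, the threshold of 3, the 7-day block period, the year default and the sample log lines are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample sshd log lines (documentation IP ranges), not real data.
SAMPLE_LOG = """\
Mar  7 04:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar  7 04:00:03 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar  7 04:00:05 host sshd[1003]: Failed password for invalid user test from 203.0.113.5 port 40003 ssh2
Mar  7 04:01:00 host sshd[1004]: Failed password for rick from 198.51.100.7 port 51000 ssh2
Mar  7 04:01:10 host sshd[1005]: Accepted password for rick from 198.51.100.7 port 51001 ssh2
"""

# The greedy ".*" plus the "$" anchor make the regex take the LAST
# "from <ip> port <n>" on the line, so a username that itself contains
# "from <ip>" cannot get some other address blocked.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?.* "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh2)?$"
)

def blocked_ips(log_text, now, threshold=3, block_for=timedelta(days=7), year=2006):
    """Return {ip: expiry} for IPs whose block is still active at `now`.

    Syslog timestamps carry no year, so `year` is supplied by the caller.
    """
    failures, blocks = {}, {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        stamp = " ".join(m.group(1).split())  # collapse "Mar  7" padding
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        failures[ip] = failures.get(ip, 0) + 1
        if failures[ip] >= threshold:
            blocks[ip] = ts + block_for  # each later failure extends the block
    # Timed removal: blocks whose expiry has passed are dropped.
    return {ip: exp for ip, exp in blocks.items() if exp > now}

def hosts_deny_lines(blocks):
    """Render active blocks as TCP-wrappers hosts.deny entries."""
    return [f"sshd: {ip}" for ip in sorted(blocks)]

if __name__ == "__main__":
    active = blocked_ips(SAMPLE_LOG, now=datetime(2006, 3, 8))
    print("\n".join(hosts_deny_lines(active)))
```
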
