| |||||||||||||
agreeagreePosted Mar 6, 2007 15:27 UTC (Tue) by bronson (subscriber, #4806)In reply to: agree by drag Parent article: Single Packet Authorization (Linux Journal)
nmap will find sshd on port 23 without even breaking a sweat. It will also eventually discover it on port 31337, even if you aggressively block portscanning. But it will never find your knock sequence.
I agree that moving sshd's listening port currently deters many script kiddies. But it's like greylisting: it's utterly trivial to get around. Once a lot of people put sshd on different ports, the kiddies will just learn how to use nmap.
(Log in to post comments)
agree Posted Mar 6, 2007 18:17 UTC (Tue) by ofeeley (guest, #36105) [Link] And capturing a list of hostile machine's IP addresses and adding them to /etc/hosts.deny is nice. As long as you're using ssh keys the script kiddie attacks are just providing a handy list of IP's to treat as hostile with very little actual risk.
Not sure I agree Posted Mar 6, 2007 23:09 UTC (Tue) by bronson (subscriber, #4806) [Link] There's a fine line between banning hostile IPs and DOSing yourself. :)
A lot (most?) of the traffic will be arriving on dynamic or shared IP addresses. Just because one packet was hostile, that doesn't mean that all traffic from that address will be hostile. Imagine visiting your parents and not being able to log to your production server just because some script kiddie managed to get most of AOL's proxy IPs on your block list.
Also, I'm not sure that keeping a list of IPs actually buys you much. Most of the script kiddies responsible for this noise won't bother trying any other attack against you. And a determined attacker would never try something as noisy as a dictionary attack. Presumably he would already know that you're using pubkey authentication and a dictionary attack would be futile anyway.
So... Keeping a list of mostly harmless script kiddie IPs doesn't strike me as a very worthwhile endeavor...?
|
|||||||||||||