Use a public key encrypted with a passphrase and do not use the default port. Also do not allow root login.
I changed from the default to a random port and I saw a dramatic decrease in the amount of dictionary/brute force attacks.
The "bots" these days are far smarter than that and will scan all ports for all services. It's extremely easy to program this and "bots" do not care how hard they have to work.
I had an ssh server listening on port 23 (which is the standard FTP port) and I still got plenty of SSH login attempts.
24 beers in a case, 24 hours in a day. Coincidence? I think not!
Trusty Tahr 64 bit, AMD Phenom II 955 Quad Core 3.2GHz, GeForce 9600 GT
16G PC2-6400 RAM, 128 GB SSD, Twin 1TB SATA 7200 RPM RAID0
Port 23 is telnet's standard port, which is also a target for bot scans. Once the bot knows a port is open they usually fingerprint the service running in that port.
If you want to avoid these bot attacks you should move your ssh service to a high, uncommon port like 10000 (choosing port 8080 or 6667 is also a bad idea). That way you will avoid the service being detected by average scans.
Of course this does not increase the security of the host, but at least it will make your log more readable and you'll be able to detect specific attacks against you.
Did I hear $100? So if I create a honeypot on port 9999 and it gets scanned in a couple of weeks, I get $100?
Ok ok, as was said earlier, use a USB stick to carry a key with you; if that is not possible, use SSL to secure an online login where you can download the key from. This will aid in the defence from MITM attacks, although it is still far from best... I don't even open port 22 to the WAN...
I too recommend you use a USB device to carry a key around with you.
I too recommend denyhosts if you are going to enable password auth to the WAN (expect a lot of emails)...
Also, if you are open to the WAN, protect yourself from the latest vulns by ensuring your software is up to date!
Also switch off all headers that can identify your software versions, whether it's ssh/apache/tomcat/ftp/mail, whatever...
Also, yes, bots only use weak/boring passwords, however they also post back details on software versions found... could make you the next targeted attack...
And for info on port scans: it takes me around 40 min to scan 10000 ports...
Also firewall your server!
There are 3 major IP ranges that can easily be blocked: European, Asian and US... choose accordingly...
My personal website with blog n apps
http://www.mikejonesey.co.uk/
thanks for all the advice guys. I ended up just setting up public/private key authentication. I figure I can make all the files I need to access available through http and email myself for all the files I want to put back on the server.
I have also installed fail2ban. I'm not entirely sure if it's working, as I pretty much have the default config installed. When I run sudo iptables -L I find this, though. Not sure if it means that it is working or not.
As for a firewall, I'm not doing anything with iptables (as you can see) or any other firewall. I am sitting behind a router that forwards port 80 and 22 (I will consider changing the port for ssh). Is this adequate or does it still leave me at risk?
Code:
jonzo@jonzo-station:~$ sudo iptables -L
[sudo] password for jonzo:
Chain INPUT (policy ACCEPT)
target       prot opt source     destination
fail2ban-ssh tcp  --  anywhere   anywhere     multiport dports ssh
ACCEPT       all  --  anywhere   anywhere
ACCEPT       all  --  anywhere   anywhere     ctstate RELATED,ESTABLISHED
ACCEPT       tcp  --  anywhere   anywhere     tcp dpt:ssh
ACCEPT       tcp  --  anywhere   anywhere     tcp dpt:www
DROP         all  --  anywhere   anywhere

Chain FORWARD (policy ACCEPT)
target       prot opt source     destination

Chain OUTPUT (policy ACCEPT)
target       prot opt source     destination

Chain fail2ban-ssh (1 references)
target       prot opt source     destination
RETURN       all  --  anywhere   anywhere
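The fail2ban-ssh chain above holds only a RETURN rule, which means fail2ban is hooked into iptables but has not banned anyone yet. To see what the default sshd jail would act on, here is an added example (not from the thread and not fail2ban's own code) that applies fail2ban-style maxretry/findtime counting to constructed auth.log lines; the hostname, addresses, timestamps and the assumed year are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not real traffic); the log has no year, so one is assumed.
SAMPLE_LOG = """\
Mar  3 10:01:02 jonzo-station sshd[2210]: Failed password for root from 198.51.100.7 port 41022 ssh2
Mar  3 10:01:05 jonzo-station sshd[2212]: Failed password for invalid user admin from 198.51.100.7 port 41030 ssh2
Mar  3 10:01:09 jonzo-station sshd[2214]: Failed password for root from 198.51.100.7 port 41041 ssh2
Mar  3 10:03:40 jonzo-station sshd[2230]: Accepted publickey for jonzo from 203.0.113.5 port 50122 ssh2
Mar  3 10:20:00 jonzo-station sshd[2301]: Failed password for root from 198.51.100.7 port 41100 ssh2
Mar  3 10:20:01 jonzo-station sshd[2305]: Failed password for invalid user test from 192.0.2.44 port 33001 ssh2
"""

# Matches the syslog timestamp, the source IP and the user of a failed password attempt.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_failures(log_text, year=2014):
    """Return a list of (timestamp, ip, user) for every failed password attempt."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            failures.append((ts, m["ip"], m["user"]))
    return failures


def offenders(log_text, maxretry=3, findtime_s=600):
    """IPs with at least maxretry failures inside any findtime window (fail2ban's sshd jail logic)."""
    by_ip = defaultdict(list)
    for ts, ip, _ in parse_failures(log_text):
        by_ip[ip].append(ts)
    banned = set()
    for ip, times in by_ip.items():
        times.sort()
        # Slide a window of maxretry attempts; ban if the window fits inside findtime.
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime_s:
                banned.add(ip)
                break
    return banned


if __name__ == "__main__":
    print(sorted(offenders(SAMPLE_LOG)))  # one noisy source, the single-attempt one is ignored
```

Once a source crosses the threshold, fail2ban inserts a DROP or REJECT rule for it above the RETURN in the fail2ban-ssh chain, so a non-empty chain is the sign that it is actually banning.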
I guess I must just be a special case where I haven't gotten a single ssh login attempt in years being a different port (for a home server, not some commercial server).
You're not a special case. Same happened to me and most people I know who did the same.
Being a target means being on the internet. End of line.
Takedown blog (hungarian)