[nycbug-talk] SSH attacks

Max Gribov max at neuropunks.org
Wed Sep 10 14:06:06 EDT 2008


Andy Kosela wrote:
>
> The best defense against such attacks is just to allow SSH connections
> only for specific hosts/subnets. If you really need to allow the whole
> world to access your SSH port just use a nonstandard one and put it
> behind some good firewall. We are using Juniper Netscreen for that.
> Logs are clean.
>   

imho, it's not a great idea to move something from privileged port range
to unprivileged one - now you have to modify your egress filtering to
allow connections to some random port >1024 on other networks, meaning
any user on a unix system can potentially bind any software to that port
on that remote system.. makes me feel a little weird about it.

i honestly believe that throttling (a la pf) and public keys is the best
mitigation for this bruteforce nonsense.. you can also argue that moving
smtp off port 25 will prevent spam - and it probably will, but will make
life a pain in the ass for a while



> If you can't put it behind firewall even editing /etc/hosts.allow can help.
>
> Andy Kosela
>   
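
The throttling-plus-public-keys setup mentioned in the reply above, shown as an added example that is not part of the original thread. It keeps sshd on port 22; the interface name, table name and rate limits are assumptions to adjust for the host.

```conf
# ---- /etc/pf.conf (fragment) ----
ext_if = "em0"                  # assumption: name of the external interface

# Sources that exceed the limits below are added to this table.
table <ssh_abusers> persist

# Drop everything from overloaded sources before any pass rule is evaluated.
block in quick on $ext_if from <ssh_abusers>

# Allow SSH from anywhere, but per source address:
#   max-src-conn 10        at most 10 simultaneous established connections
#   max-src-conn-rate 5/60 at most 5 new connections per 60 seconds
# A source that exceeds either limit is put in <ssh_abusers>, and
# "flush global" kills all states it already holds.
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/60, \
     overload <ssh_abusers> flush global)

# Table entries never expire on their own. Age them out from cron, e.g.
# entries older than 24 hours:
#   pfctl -t ssh_abusers -T expire 86400

# ---- /etc/ssh/sshd_config (fragment) ----
# Public keys only: password guessing cannot succeed when no password
# is accepted.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no   # ChallengeResponseAuthentication on older OpenSSH
PermitRootLogin prohibit-password # older releases spell this "without-password"
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and confirm key login works in a second session before disabling passwords.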



