[nycbug-talk] another thread: sshd zombie attacks

George Rosamond george at ceetonetechnology.com
Tue May 19 19:32:38 EDT 2009


matt at atopia.net wrote:
> I just block connections after 3 failed login attempts for an hour. Works nicely. 
> 
> If anyone wants the script. I also have one that blocks after 3 attempts, whether successful or not, in a 30-second period that only uses pf. 
> 
> ------Original Message------
> From: Christopher Olsen
> To: george at ceetonetechnology.com
> To: Matt Juszczak
> Cc: talk at lists.nycbug.org
> Subject: RE: [nycbug-talk] Audit Solution
> Sent: May 19, 2009 18:51
> 
> It's funny you mention the zombie attempts. My logs get cluttered with failed attempts, nothing I worry about. I considered moving the port but assumed they would eventually find it. How's the different port working for you?
> 

Moving this to a different thread, which has been beaten to death in the 
past. . .online and off :)

There are potential issues with having sshd listening on a nonprivileged port.

But the higher priority to me, at least at this point, is to be able to 
bypass even dealing with the zombies.

I was convinced of it not because of "security by obscurity" (please, 
don't bait with that), but because I heard cases of disk I/O going 
through the ceiling under such attacks (in the DDoS version of the 
attack), and switching the listening port quickly changed it.  This is 
*without* the various scripts, firewall rules, etc., and the hassle and 
associated overhead that come with each of those.

These are zombies. . .they are looking at port 22, not another port at 
this point.  They aren't (yet) smart enough to find other ports 
listening for sshd and then adjusting from there.

"Hiding" among 65535 TCP ports is looking for obscurity if you're 
talking about crackers.

Is it defense against crackers or future mutations of the zombie 
attacks?  No. . . but then use public/private ssh keys, strong passwds, 
firewall rules, etc.  Measure and counter-measure, with a lot of layers 
before that.

So, the answer is 'yes', I like it, because now I don't have the 
overhead, plus I read my relatively clean dailies every day.

George

(please don't top-post. Reply inline or below.  It makes the threads 
that get long easier to follow)
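The two approaches the thread contrasts are a log-driven script that feeds offenders into a firewall table (Matt's "3 failed attempts in an hour") and pf's own connection-rate limiting ("3 attempts in 30 seconds, successful or not"). As an added example, not the script from the thread and not part of the original post, the following Python shows the log-driven half: a sliding-window counter over sshd syslog lines that emits `pfctl` commands for a pf table. The log lines are constructed, the table name `<bruteforce>`, the year 2009 (syslog timestamps carry none) and the thresholds are assumptions, and the second policy is included to show the side effect of counting successful logins too.

```python
"""Sliding-window sshd brute-force detector feeding a pf table.

Added example, not the script discussed on the list.  Assumed (not from the
thread): BSD syslog format for OpenSSH auth lines, a pf table <bruteforce>,
the year 2009 for the year-less timestamps, and the thresholds below.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample lines in chronological order (not from the original post).
# 203.0.113.7 is a password-guessing zombie, 198.51.100.2 a human who fat-fingers
# a password now and then, 192.0.2.50 a legitimate scripted client with a key.
SAMPLE_LOG = """\
May 19 18:50:01 gw sshd[4411]: Failed password for root from 203.0.113.7 port 40122 ssh2
May 19 18:50:03 gw sshd[4413]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
May 19 18:50:04 gw sshd[4415]: Invalid user oracle from 203.0.113.7
May 19 18:50:05 gw sshd[4415]: Failed password for invalid user oracle from 203.0.113.7 port 40141 ssh2
May 19 18:50:06 gw sshd[4417]: Failed password for invalid user test from 203.0.113.7 port 40150 ssh2
May 19 18:52:10 gw sshd[4420]: Accepted publickey for george from 198.51.100.2 port 51000 ssh2
May 19 18:53:00 gw sshd[4422]: Accepted publickey for backup from 192.0.2.50 port 60001 ssh2
May 19 18:53:04 gw sshd[4424]: Accepted publickey for backup from 192.0.2.50 port 60002 ssh2
May 19 18:53:09 gw sshd[4426]: Accepted publickey for backup from 192.0.2.50 port 60003 ssh2
May 19 18:55:00 gw sshd[4430]: Failed password for george from 198.51.100.2 port 51002 ssh2
May 19 19:58:00 gw sshd[4499]: Failed password for george from 198.51.100.2 port 51010 ssh2
May 19 19:59:00 gw sshd[4500]: Failed password for george from 198.51.100.2 port 51011 ssh2
"""

# Matches the two auth outcomes OpenSSH logs.  "invalid user" is optional:
# sshd inserts it when the account does not exist.  Other sshd lines
# ("Invalid user ...", disconnects) are deliberately ignored.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


class Event(NamedTuple):
    when: datetime
    ip: str
    user: str
    failed: bool


def parse_line(line: str) -> Optional[Event]:
    """Return an auth Event for a Failed/Accepted line, else None."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    # syslog timestamps have no year; 2009 (the thread's date) is assumed.
    when = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2009)
    return Event(when, m["ip"], m["user"], m["outcome"] == "Failed")


def detect(log_lines, threshold: int = 3, window_seconds: int = 3600,
           failed_only: bool = True) -> List[Tuple[str, datetime]]:
    """Return [(ip, time_of_decision)] for sources reaching `threshold`
    events inside any `window_seconds` span.  Lines must be in log order.

    failed_only=True  counts only failed logins ("3 failures in an hour").
    failed_only=False counts every auth attempt ("3 attempts in 30 s"),
    which is what a pure connection-rate rule sees, successes included.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    blocked = {}                  # ip -> time the threshold was reached
    for line in log_lines:
        ev = parse_line(line)
        if ev is None or ev.ip in blocked:
            continue              # already decided; keep the first block time
        if failed_only and not ev.failed:
            continue
        q = recent[ev.ip]
        q.append(ev.when)
        # Slide the window: drop anything older than window_seconds.
        while (ev.when - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            blocked[ev.ip] = ev.when
    return list(blocked.items())


def pfctl_commands(blocked, table: str = "bruteforce") -> List[str]:
    """Shell lines that load the offenders into the (assumed) pf table."""
    return [f"pfctl -t {table} -T add {ip}" for ip, _ in blocked]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    hits = detect(lines)
    for ip, when in hits:
        print(f"# {ip} reached 3 failures at {when:%H:%M:%S}")
    print("\n".join(pfctl_commands(hits)))
    # The rate-based policy also trips on the scripted key logins:
    print("# any-attempt policy:", [ip for ip, _ in detect(lines, 3, 30, False)])
```

Run against the sample, the failed-only policy blocks only 203.0.113.7; 198.51.100.2's third failure falls 64 minutes after its first, so the window has already slid past it. The any-attempt policy additionally blocks 192.0.2.50, the scripted client that logged in three times in nine seconds, which is the trade-off to weigh before choosing that variant. For the table to do anything, pf.conf needs `table <bruteforce> persist` and a `block in quick proto tcp from <bruteforce> to any port ssh` rule ahead of the pass rule, and the "for an hour" part is a cron job running `pfctl -t bruteforce -T expire 3600`. The any-attempt variant can also be done in pf alone, with no log parsing, via `keep state (max-src-conn-rate 3/30, overload <bruteforce> flush global)` on the ssh pass rule.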


