Questions concerning Security Log

Jeff Vian jvian10 at charter.net
Mon Apr 11 01:33:43 UTC 2005


On Sun, 2005-04-10 at 08:54 -0500, David Hoffman wrote:
> On Apr 9, 2005 6:43 PM, Robert Spangler <bms at zoominternet.net> wrote:
> > I will agree that for a script kiddy this will work, but for someone who is
> > really trying to get in they will figure this out in a short time and then
> > you are no longer protected.  The best bet is to move to an unknown port.
> 
> Sorry. Not true. If it is someone who knows that your system is there,
> and seriously wants to get in, simply moving ports is not going to
> stop them. It is very easy to see which ports respond to a connection
> attempt, and when you find a port that responds, it is not difficult
> to tell that it is an SSH daemon that you connected to.
> 
exactly

> Blocking access based on IP addresses is also not perfect, because
> people who are intent on breaking in can simply try from another
> address... but they you are talking about a big waste of resources
> when you only get a few attempts before getting locked out.
> 
> The method mentioned above does seem to make good sense because after
> only a small number of unsuccessful attempts in a short time, they are
> automatically blocked for a time. And the number of attempts or time
> are configurable.
> 
> The next best thing that can be done to this is to not only block them
> for a period of time, but rather block them until a system
> administrator manually unblocks them.
> 

For a home user (and many businesses as well) it is common that remote
access to a server is from one IP or a small subnet of IPs.  For me that
is from work, with a single firewall egress point, or from home with a
static (fixed for over a year) IP.  How static the home IP is depends
upon your ISP.

A combination of 2 approaches works well for me and has blocked almost
100% of the ssh attacks on my server, which is not at my home.
	The timeout of 5 attempts in 5 minutes makes sure that those who can
connect to ssh do not do so with an attack method.
	Only allowing access to SSH from a limited IP address range makes sure
that only those at addresses I have approved are even allowed to touch
ssh on the server.

This may not work for those who are highly mobile, but even big
organizations that use a DMZ for access from both internet and intranet
use the address to limit those hosts that are allowed to connect to
certain ports. 

> -- 
> 
> David
> Registered Linux User 383030 (since everyone else was doing it 8-)
> -----------------------------------------------------------------------
> There are only 10 kinds of people in this world,
> those who understand binary, and those who don't.
> 
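The two checks Jeff describes (a 5-failures-in-5-minutes lockout, plus an address allowlist for sshd) can be worked through against sshd log lines. The script below is an added illustration, not code from this thread or from Fedora; the log lines are constructed (RFC 5737 documentation addresses, year assumed to be 2005 since syslog stamps carry none), and the allowlist ranges are hypothetical stand-ins for a work egress /24 and a static home address. It reports which sources the address filter would have refused outright and which the sliding-window rule would have locked out, and when.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not real traffic). Syslog timestamps carry
# no year, so the parser is told to assume 2005, the year of this thread.
SAMPLE_LOG = """\
Apr 10 08:50:01 host sshd[2001]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Apr 10 08:50:30 host sshd[2002]: Failed password for invalid user test from 192.0.2.10 port 40002 ssh2
Apr 10 08:51:10 host sshd[2003]: Failed password for root from 192.0.2.10 port 40003 ssh2
Apr 10 08:52:05 host sshd[2004]: Failed password for invalid user oracle from 192.0.2.10 port 40004 ssh2
Apr 10 08:53:00 host sshd[2005]: Failed password for invalid user guest from 192.0.2.10 port 40005 ssh2
Apr 10 09:10:00 host sshd[2006]: Failed password for jeff from 198.51.100.7 port 50001 ssh2
Apr 10 09:11:00 host sshd[2007]: Accepted password for jeff from 198.51.100.7 port 50002 ssh2
Apr 10 09:20:00 host sshd[2008]: Failed password for invalid user admin from 203.0.113.5 port 60001 ssh2
Apr 10 09:30:00 host sshd[2009]: Failed password for invalid user admin from 203.0.113.5 port 60002 ssh2
"""

# Hypothetical allowlist: a work firewall's egress /24 and a static home address.
ALLOWLIST = ["198.51.100.0/24", "203.0.113.5/32"]

FAILED_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(text, year=2005):
    """Return (timestamp, source_ip) for every failed password line, oldest first."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        stamp = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
        events.append((stamp, m["ip"]))
    events.sort()
    return events


def is_allowed(ip, allowlist):
    """Second approach: only approved address ranges may touch sshd at all."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in allowlist)


def find_lockouts(events, max_attempts=5, window=timedelta(minutes=5)):
    """First approach: N failures within the window trips a lockout for that IP.

    Returns {ip: time of the attempt that crossed the threshold}; only the first
    crossing is recorded, which is when a firewall rule would start dropping.
    """
    recent = defaultdict(deque)  # per-IP sliding window of failure timestamps
    locked = {}
    for stamp, ip in events:
        q = recent[ip]
        q.append(stamp)
        while q and stamp - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= max_attempts and ip not in locked:
            locked[ip] = stamp
    return locked


def evaluate(text, allowlist, year=2005):
    """Apply both checks and report which sources each one would have stopped."""
    events = parse_failed_logins(text, year)
    return {
        "outside_allowlist": {ip for _, ip in events if not is_allowed(ip, allowlist)},
        "locked_out": find_lockouts(events),
    }


if __name__ == "__main__":
    report = evaluate(SAMPLE_LOG, ALLOWLIST)
    print("Refused by address filter:", sorted(report["outside_allowlist"]))
    for ip, when in report["locked_out"].items():
        print(f"Locked out {ip} at {when:%H:%M:%S} after 5 failures in 5 minutes")
```

On the sample data the two checks overlap, which is the point of combining them: 192.0.2.10 is outside the allowlist and also trips the 5-in-5 rule at 08:53:00, while the two slow failures from the approved home address, ten minutes apart, never accumulate inside one window. In a firewall the same sliding window is what a "recent"-style match with a hit count and a seconds limit implements; the script just makes the policy visible against the log.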