
Re: Any danger from these ports?

On Sat, 2005-01-08 at 22:38 +0000, Paul wrote:


> There are a few things in my logs which are suspicious...
> First are a couple like this
> Jan  1 22:18:35 T7 sshd[31409]: Invalid user test
> from ::ffff:
> Jan  1 22:18:36 T7 sshd[31409]: Address maps to prox.wares-
> consulting.com, but this does not map back to the address - POSSIBLE
> I seem to be subjected to a dictionary attack.

  It's been going on for several months now.  Must be some kind of worm
out there, but it's harmless provided you take some precautions.

> Should I be overly worried? I've closed ssh on my router, so that's one
> line of defence in the way :-)

  And that probably covers it all.  If you need ssh enabled on an
Internet-connected host, I would recommend at least one, maybe all of
the following:

1) Allow RSA key logins only.
2) Restrict by IP address, if possible.
3) Restrict by username if possible.
4) Run sshd on a port other than 22.
5) Use port knocking if you are really paranoid.  (Though that hasn't
   had enough field testing to trust it as the only security measure,
   for sure.)

-Paul Iadonisi
 Senior System Administrator
 Red Hat Certified Engineer / Local Linux Lobbyist
 Ever see a penguin fly?  --  Try Linux.
 GPL all the way: Sell services, don't lease secrets
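
Added example, not part of the original message: a small audit of sshd_config text against items 1-4 of the list in the reply above. It assumes OpenSSH semantics (the first value read for a keyword wins, Port and AllowUsers accumulate, password and keyboard-interactive logins default to enabled); the function names and both sample configs are constructed for illustration.

```python
MULTI = {"port", "allowusers"}  # keywords whose values accumulate across lines
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
# Assumed OpenSSH defaults for the keywords checked here.
DEFAULTS = {"port": ["22"], "passwordauthentication": ["yes"],
            "kbdinteractiveauthentication": ["yes"], "allowusers": []}

def parse_global(text):
    """Return global settings; lines after the first Match are conditional, so skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        if key in MULTI:
            conf.setdefault(key, []).extend(parts[1:])
        elif key not in conf:  # sshd keeps the first value it reads
            conf[key] = parts[1:]
    return {**DEFAULTS, **conf}

def audit(text):
    """Map each recommendation (1-4) to True when the config satisfies it."""
    c = parse_global(text)
    off = lambda k: [v.lower() for v in c[k][:1]] == ["no"]
    users = c["allowusers"]
    return {
        "1 key logins only": off("passwordauthentication")
                             and off("kbdinteractiveauthentication"),
        "2 restricted by address": bool(users) and all("@" in u for u in users),
        "3 restricted by username": bool(users),
        "4 port other than 22": "22" not in c["port"],
    }

# Constructed samples; 192.0.2.0/24 is a documentation-only address range.
WEAK = "Port 22\nPasswordAuthentication yes\n"
HARDENED = """\
Port 2222
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers alice@192.0.2.* bob@192.0.2.17
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        for item, ok in audit(text).items():
            print(f"{name:9} {item:26} {'ok' if ok else 'MISSING'}")
```

Item 1 only passes when keyboard-interactive login is disabled as well, since leaving it on can still allow password prompts through PAM.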
