Koozali.org: home of the SME Server

Need to run ssh on a non-standard port

ourspolaire
Need to run ssh on a non-standard port
« on: May 07, 2008, 07:16:26 PM »
Hi,

I am concerned by security :-(.  My sshd log displays many attacks :shock:.  Here is a sample:

Quote
2008-05-04 21:01:45.531939500 Received disconnect from 85.25.131.136: 11: Bye Bye
2008-05-04 21:01:46.677870500 Invalid user t1na from 85.25.131.136
2008-05-04 21:01:46.678815500 input_userauth_request: invalid user t1na
2008-05-04 21:01:46.951883500 Failed password for invalid user alexis from 85.25.131.136 port 42809 ssh2
2008-05-04 21:01:47.093235500 Received disconnect from 85.25.131.136: 11: Bye Bye
2008-05-04 21:01:48.293841500 Invalid user art from 85.25.131.136
2008-05-04 21:01:48.294965500 input_userauth_request: invalid user art
2008-05-04 21:01:48.417330500 Invalid user a from 85.25.131.136
2008-05-04 21:01:48.418238500 input_userauth_request: invalid user a
2008-05-04 21:01:49.042610500 Failed password for invalid user t1na from 85.25.131.136 port 43575 ssh2
2008-05-04 21:01:49.185258500 Received disconnect from 85.25.131.136: 11: Bye Bye
2008-05-04 21:01:50.354765500 Invalid user logic from 85.25.131.136
2008-05-04 21:01:50.355699500 input_userauth_request: invalid user logic
2008-05-04 21:01:50.658260500 Failed password for invalid user art from 85.25.131.136 port 44186 ssh2
2008-05-04 21:01:50.781146500 Failed password for invalid user a from 85.25.131.136 port 44200 ssh2
2008-05-04 21:01:50.800809500 Received disconnect from 85.25.131.136: 11: Bye Bye
2008-05-04 21:01:50.923828500 Received disconnect from 85.25.131.136: 11: Bye Bye
2008-05-04 21:01:51.957970500 Invalid user desiree from 85.25.131.136
2008-05-04 21:01:51.958928500 input_userauth_request: invalid user desiree
2008-05-04 21:01:52.122592500 Invalid user b from 85.25.131.136
2008-05-04 21:01:52.123219500 input_userauth_request: invalid user b
2008-05-04 21:01:52.397789500 Invalid user slim from 85.25.131.136
2008-05-04 21:01:52.398173500 input_userauth_request: invalid user slim
2008-05-04 21:01:52.721058500 Failed password for invalid user logic from 85.25.131.136 port 45063 ssh2


Is there an easy way to limit those attacks? :???:
... like after 10 attempts you cannot log in for 30 minutes. 8-)
... like after each attempt you add 1 second more to log on (so after 10 attempts, you must wait 10 seconds to do an attempt.) 8-)

Any idea to protect my opened connections (i.e. ssh, ftp, vpn & netbios)?   :D

« Last Edit: May 08, 2008, 08:58:47 AM by byte »
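
The lockout policy asked about above (10 failed attempts, then 30 minutes locked out), written as detection logic over log lines in the format of the sample. This is an added example, not part of the original post; the function names and the 10-minute counting window are assumptions, and the embedded lines are a subset of the sample above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Subset of the sshd log sample quoted in the post above.
SAMPLE_LOG = """\
2008-05-04 21:01:46.677870500 Invalid user t1na from 85.25.131.136
2008-05-04 21:01:46.951883500 Failed password for invalid user alexis from 85.25.131.136 port 42809 ssh2
2008-05-04 21:01:49.042610500 Failed password for invalid user t1na from 85.25.131.136 port 43575 ssh2
2008-05-04 21:01:49.185258500 Received disconnect from 85.25.131.136: 11: Bye Bye
2008-05-04 21:01:50.658260500 Failed password for invalid user art from 85.25.131.136 port 44186 ssh2
2008-05-04 21:01:50.781146500 Failed password for invalid user a from 85.25.131.136 port 44200 ssh2
2008-05-04 21:01:52.721058500 Failed password for invalid user logic from 85.25.131.136 port 45063 ssh2
"""

FAILED = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.(\d+) "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def parse_failures(log_text):
    """Yield (timestamp, source_ip, user) for each 'Failed password' line."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            # The log carries nanoseconds; datetime keeps microseconds.
            ts += timedelta(microseconds=int(m.group(2)[:6].ljust(6, "0")))
            yield ts, m.group(4), m.group(3)

def find_bans(log_text, max_failures=10, window=timedelta(minutes=10),
              ban_for=timedelta(minutes=30)):
    """Return (ip, banned_at, banned_until) per lockout. The window is an
    assumption; the post gives only 10 attempts and 30 minutes."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    banned_until = {}
    bans = []
    for ts, ip, _user in parse_failures(log_text):
        if banned_until.get(ip, ts) > ts:
            continue              # already locked out, nothing new to count
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window: # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            banned_until[ip] = ts + ban_for
            bans.append((ip, ts, ts + ban_for))
            q.clear()
    return bans
```

The embedded subset holds only five failed-password lines, so the default threshold of 10 yields no lockout; `find_bans(SAMPLE_LOG, max_failures=5)` locks the source address out at the fifth failure.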

jester
Re: SECURITY - SME under SSH attack
« Reply #1 on: May 07, 2008, 07:32:35 PM »
Please search!
You might want to look at: Denyhosts.

HTH.

byte
ssh log
« Reply #2 on: May 07, 2008, 08:59:56 PM »
Quote
I am concerned by security :-(.

Then please don't post on a public forum if you feel you potentially have a security issue, as every time you post a new/reply thread you see this underlined:

Don't report security issues here - Contact security at contribs dot org

Quote
My sshd log displays many attacks :shock:.  Here is a sample:

If you have your ssh port on port 22 then I wouldn't be shocked; search the forums and see the wiki documentation on different approaches.

Could you please retitle this thread, as it does not describe your issue correctly. Thanks.
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!

ourspolaire
Re: SECURITY - SME under SSH attack
« Reply #3 on: May 08, 2008, 12:33:21 AM »
                   __NNNNNNN__
               .JNNNNNNNNNNNNNNNL.
              NNNNF`    (N)     `"NNNN.
            JNNN`        (N)          4NNL
           (NNF           (N)           `NN)
          .NNN            (N)              (NN
          (NN)            JNL               NN)
          (NN)       _ NNNNN_           NN)
          (NNL      JNNN4NFNNN_      .NN
           4NN)   JNNN` (N) `4NNL  .NNF
            4NNNNNN`   (N)   `NNNLNNN
             `NNNL.       (N)      .JNNN)
               "NNNNNN_JNL_JNNNNN"
                  `4NNNNNNNNN"`     

guest22

Re: SECURITY - SME under SSH attack
« Reply #4 on: May 08, 2008, 12:51:36 AM »
I don't understand the above post. Is there any value in this message towards the people that are trying to help?

chris burnat
Re: SECURITY - SME under SSH attack
« Reply #5 on: May 08, 2008, 06:51:22 AM »
Hello Ourspolaire,
Your use of the Forked Symbol adopted by the antiwar movement of the 60s as a peace sign has puzzled a few people... Please be reassured, there is no firing squad, and there is no war.  You have just been on the receiving end of a few "brisk" comments as a result of raising the "Security" flag in an open forum, and asking questions which have been answered many times. Actually, if you check the answers provided in this post, and do a little research, you will understand the issue better and find a solution to your problem if indeed you insist on enabling SSH access on your server. Doing so invites all sorts of bad folks out there on the Internet to try to crack your server, a fact of life, and the reason why there is a note recommending that SSH be left disabled unless you know what you are doing... Hope this helps, and please do not give up!
chris

PS: Would you please modify the subject line to avoid creating undue concerns about security.
« Last Edit: May 08, 2008, 06:55:36 AM by chris burnat »
- chris
If it does not work out of the box, please fill in a Bug Report @ Bugzilla (http://bugs.contribs.org)  - check: http://wiki.contribs.org/Bugzilla_Help .  Thanks.

warren
Re: Need to run ssh on a non-standard port
« Reply #6 on: May 08, 2008, 10:19:35 AM »
IMHO, everyone who wants to enable ssh MUST USE public-private Keys:

http://wiki.contribs.org/SSH_Public-Private_Keys

cactus
Re: Need to run ssh on a non-standard port
« Reply #7 on: May 08, 2008, 07:46:34 PM »
Quote
IMHO, everyone who wants to enable ssh MUST USE public-private Keys:

http://wiki.contribs.org/SSH_Public-Private_Keys

I second that, you are wise to do so indeed.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

arne
Re: Need to run ssh on a non-standard port
« Reply #8 on: May 11, 2008, 08:56:30 PM »
But this question has a proper heading and it refers to a problem that is easily solved via the admin panel !?

In the admin panel: Security -> remote access -> Secure shell settings -> TCP Port for secure shell access

It's a good idea to use something other than port 22 as there is quite a big number of automated scanners that will find port 22.

I agree:

                   __NNNNNNN__
               .JNNNNNNNNNNNNNNNL.
              NNNNF`    (N)     `"NNNN.
            JNNN`        (N)          4NNL
           (NNF           (N)           `NN)
          .NNN            (N)              (NN
          (NN)            JNL               NN)
          (NN)       _ NNNNN_           NN)
          (NNL      JNNN4NFNNN_      .NN
           4NN)   JNNN` (N) `4NNL  .NNF
            4NNNNNN`   (N)   `NNNLNNN
             `NNNL.       (N)      .JNNN)
               "NNNNNN_JNL_JNNNNN"
                  `4NNNNNNNNN"`    

Peace and Love  :D

.. And it wouldn't work with IP filters, as those scanning packets have thousands of source addresses.

.. And I used public-private Keys for a while but returned to using ssh with password login at a non-standard port, as it works well enough (for me) and is easier to use.

What works work.
« Last Edit: May 11, 2008, 09:02:57 PM by arne »

cactus
Re: Need to run ssh on a non-standard port
« Reply #9 on: May 11, 2008, 09:36:05 PM »
Quote
But this question has a proper heading and it refers to a problem that is easily solved via the admin panel !?

In the admin panel: Security -> remote access -> Secure shell settings -> TCP Port for secure shell access

It's a good idea to use something other than port 22 as there is quite a big number of automated scanners that will find port 22.

Don't be fooled that they will only scan on port 22, they do scan a lot of other ports as well. Therefore changing your SSH port is (most likely) not more than a (temporary) reduction in log noise, it certainly will not be an improvement to your server's security (compared to running SSH at the default port) as the risk of being hit by a denial of service or brute force attack is still there, and the chances of being discovered and on success exploited are practically the same.

Quote
.. And it wouldn't work with IP filters, as those scanning packets have thousands of source addresses.

And that is why you should stop this as early as possible, if you use public/private keys the server will not even prompt for a username/password entry as it already has determined that the keys do not match and immediately closes the connection.

Quote
.. And I used public-private Keys for a while but returned to using ssh with password login at a non-standard port, as it works well enough (for me) and is easier to use.

That is your choice, but it certainly is a strong reduction of safety compared to the IMHO relatively light burden of SSH with a public/private key (you could for instance install putty on a USB key, with the private key as well and run it all from the key). My choice is to always use public/private keys.

Quote
What works work.

True, but what works and is safe is a different story altogether.

To conclude, a good and informative and not too long read on the mechanism of port scanning: http://www.auditmypc.com/freescan/readingroom/port_scanning.asp
« Last Edit: May 11, 2008, 09:44:06 PM by cactus »

arne
Re: Need to run ssh on a non-standard port
« Reply #10 on: May 12, 2008, 04:50:47 AM »
Well, I think I have practiced all the scanning and attacking techniques that are mentioned for more than ten years now.

The book I started up with in the early days was the first issue of Hacking Exposed:
http://books.mcgraw-hill.com/sites/osborne/he5/index.html

During the years I think I have practiced all of the methods of this book and some other books as well, but I think I would recommend Hacking Exposed as the best single book source for network security, according to my taste.

I think that the basic principle of security actually is "what works work". Theory can say something about what might work and why. Real testing over time will say what actually does work.

As an example: An unmodified SME server might be attacked some hundreds or thousands of times per day on port 22 using diverse brute force techniques. You can see these attacks in the log.

After using another non-standard port and some other minor modifications I can see that the number of attacks has decreased from some thousands on a weekly basis to zero for the last 6 months.

If I did not know better I would be using that USB key, but as I think it is safe enough from a brute force point of view with an average of zero attempts per month, I do not use that key.

When it comes to how networks are scanned, how targets are picked out, etc., I think I know how I have done these things during the years. (But all practice within legal limits.)

Security is not so much a theoretical thing as I see it. When you connect to the Internet or set up a server you will be attacked. That is 100 percent for sure. Then I think it is a good idea to study these attacks and to monitor how these attacks are carried out. If you can reduce the number of attacks from a level of thousands or more to zero, or a few, you will in most cases have an OK level of security. Filtering source IPs will have almost zero effect as some of these attacks are carried out while varying the source IP, sometimes for series of packets and sometimes for individual packets. (I do not understand completely why they do this, but it can be seen in the log or online via a traffic monitor.)

arne
Re: Need to run ssh on a non-standard port
« Reply #11 on: May 12, 2008, 02:03:21 PM »
I just checked out if the old security tools still work on the SME 7.3 so I did: "yum install nmap", "yum install iptraf" and "yum install wireshark". They all With these simple tools most of the methods mentioned in this thread and the Hacking Exposed book.

Man iptraf, man nmap should explain those two.

Wireshark is still run as "tethereal" on the SME 7.3 server, as far as I can see. For ethereal/tethereal this info can be used: http://www.ethereal.com/docs/man-pages/tethereal.1.html

With some understanding, knowledge and testing it is not necessary to believe all these things that are mentioned in those smart web pages and no one needs to be superstitious when it comes to network security. It's just a question of not believing in too much, and just doing some tests to see what really does happen.

Peace and love.

elmarconi
Re: Need to run ssh on a non-standard port
« Reply #12 on: May 12, 2008, 03:02:00 PM »
Quote
Don't be fooled that they will only scan on port 22, they do scan a lot of other ports as well. Therefore changing your SSH port is (most likely) not more than a (temporary) reduction in log noise, it certainly will not be an improvement to your server's security (compared to running SSH at the default port) as the risk of being hit by a denial of service or brute force attack is still there, and the chances of being discovered and on success exploited are practically the same.

Changing the port has reduced 99% of scanning noise. IMHO most script kiddy scanners will only do the 22.
Probably they assume if you're capable of changing the port, the chances that you'll be running ssh with a dictionary pwd are slim. So they stop wasting bandwidth/CPU and move on to the next victim...

arne
Re: Need to run ssh on a non-standard port
« Reply #13 on: May 12, 2008, 06:58:28 PM »
Correct. If the port number has been changed to something non-standard the time that will be needed to scan a network segment will be increased by a factor of typically something like 1000. Hackers will usually search for the easiest targets first, and when you have changed to a non-standard port you have indicated that you might not be among the easiest targets.

An ssh server should as I see it "normally" be configured not to identify itself as an ssh server. The ssh server of the SME 7.3 identifies itself as "SSH-2.0-OpenSSH_3.9p1". So even if it is run on a non-standard port it is rather easy to discover that it is an SSH server.

The basic principle for ssh server configuration, as described in Hacking Exposed, is to not let the ssh server be configured to identify itself this way, as far as I can remember it. (Read it last time when revision 5 was new, so I could be incorrect on this detail.)

If you can see that it is a server on some port, without any response, then you will slow down the attack process for the attacker, or also often fool him into leaving your server.

I believe that the SME 7.3 can be modified to behave like this.

But "what works work" and if there are just a few attempts to guess a password during a month, I think that the chance that it will be guessed correctly is zero from a practical point of view. If there are thousands of attempts on a standard port, something might happen, using brute force attack or other techniques like buffer overflow, etc.
« Last Edit: May 12, 2008, 09:02:17 PM by arne »

chris burnat
Re: Need to run ssh on a non-standard port
« Reply #14 on: May 12, 2008, 10:48:39 PM »
Moving to the discussion section of the forum, a more appropriate venue for this topic.