[lug] keeping up with attacks

Chip Atkinson chip at pupman.com
Mon May 20 19:30:35 MDT 2019


Changing to a non-standard port made all the difference for me. It was on 
the order of several hits/second sometimes. After the port change, it 
basically stopped.

Disable root logins if not already mentioned.

On Sat, 4 May 2019, duboulder wrote:

> I use a no root, pubkey only, non-standard port ssh as a second
> connection method in case the vpn config gets borked during an update.
> This is a VM at a provider with no console access atm. Is there a better way
> of providing backup access?
> 
> 
> ------- Original Message -------
> On Saturday, May 4, 2019 10:15 AM, Stephen Kraus <ub3ratl4sf00 at gmail.com>
> wrote:
>
>       Why is your SSH public facing anyways? OpenVPN is free, set
>       it up and deny any SSH from external IPs. Best practice is to
>       always use VPN or a Jump Box to access SSH.
> 
> On Sat, May 4, 2019, 11:52 AM Rob Nagler <nagler at bivio.biz> wrote:
>       My $.02 is that fail2ban and blocking specific IPs is
>       more expensive than letting sshd handle them. Spend
>       your energy on reducing the general risk profile of
>       your network and services.
> 
> There are thousands of ssh attempts a day against our servers
> to login as root. And, we have only a couple of public ssh
> servers. The non-public only let through a handful of trusted
> IPs via iptables.
> 
> The public servers don't notice the attacks, because it's so
> fast for sshd to reject them. fail2ban increases the server
> (and my mental) load without a decrease in risk. There are
> millions of bots out there. If sshd has a zero-day, we are in
> trouble, but so would AWS, GCP, Citibank, Amex, etc. They'll
> be the first to be breached, not our servers. My experience
> is that those patches come along pretty quickly. Much faster
> than the botnets can be reprogrammed to attack the millions
> of IPs that are running sshd.
> 
> Rob
> 
>
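Added example, not part of any message in this thread: a small audit of the global section of an sshd_config for the three measures mentioned above (non-standard port, no root logins, pubkey only). The function names and the sample config are constructed for illustration; the code assumes OpenSSH 7.0+ defaults and ignores `Include`, `ListenAddress` ports and keyboard-interactive authentication.

```python
# Added example: audit the global section of an sshd_config for the three
# measures named in this thread. Defaults are OpenSSH's (7.0 and later).
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes"}

def effective_settings(config_text):
    """Return (ports, settings) as sshd would resolve the global section."""
    ports, settings = [], {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1]
        if key == "match":
            break  # everything after Match applies only conditionally
        if key == "port":
            ports.append(value)  # Port may be given several times
        elif key in DEFAULTS:
            settings.setdefault(key, value.lower())  # first value wins
    for key, default in DEFAULTS.items():
        settings.setdefault(key, default)
    return ports or ["22"], settings

def audit(config_text):
    """Return a list of findings; an empty list means all three checks pass."""
    ports, s = effective_settings(config_text)
    findings = []
    if "22" in ports:
        findings.append("listens on default port 22")
    if s["permitrootlogin"] != "no":
        findings.append("root login not disabled (PermitRootLogin %s)"
                        % s["permitrootlogin"])
    if s["passwordauthentication"] != "no":
        findings.append("password authentication enabled")
    return findings

# Constructed sample: sshd ignores the second PermitRootLogin line.
SAMPLE = """\
Port 22
Port 2222
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

On a live host, `sshd -T` prints the configuration sshd actually resolved and is the authoritative check.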

