[lug] keeping up with attacks

Steve Litt slitt at troubleshooters.com
Tue May 21 00:50:51 MDT 2019


Was your new, non-standard, ssh port numerically less than 100?

SteveT

On Mon, 20 May 2019 19:30:35 -0600 (MDT)
Chip Atkinson <chip at pupman.com> wrote:

> Changing to a non-standard port made all the difference for me. It
> was on the order of several hits/second sometimes. After the port
> change, it basically stopped.
> 
> Disable root logins if not already mentioned.
> 
> On Sat, 4 May 2019, duboulder wrote:
> 
> > I use a no root, pubkey only, non-standard port ssh as a second
> > connection method in case the vpn config gets borked during an
> > update. This is a VM at a provider with no console access atm. Is
> > there a better way of providing backup access?
> > 
> > 
> > Sent with ProtonMail Secure Email.
> > 
> > ------- Original Message -------
> > On Saturday, May 4, 2019 10:15 AM, Stephen Kraus
> > <ub3ratl4sf00 at gmail.com> wrote:
> >
> >       Why is your SSH public facing anyways? OpenVPN is free, set
> >       it up and deny any SSH from external IPs. Best practice is to
> >       always use VPN or a Jump Box to access SSH.
> > 
> > On Sat, May 4, 2019, 11:52 AM Rob Nagler <nagler at bivio.biz> wrote:
> >       My $.02 is that fail2ban and blocking specific IPs is
> >       more expensive than letting sshd handle them. Spend
> >       your energy on reducing the general risk profile of
> >       your network and services.
> > 
> > There are thousands of ssh attempts a day against our servers
> > to log in as root. And, we have only a couple of public ssh
> > servers. The non-public only let through a handful of trusted
> > IPs via iptables.
> > 
> > The public servers don't notice the attacks, because it's so
> > fast for sshd to reject them. fail2ban increases the server
> > (and my mental) load without a decrease in risk. There are
> > millions of bots out there. If sshd has a zero-day, we are in
> > trouble, but so would AWS, GCP, Citibank, Amex, etc. They'll
> > be the first to be breached, not our servers. My experience
> > is that those patches come along pretty quickly. Much faster
> > than the botnets can be reprogrammed to attack the millions
> > of IPs that are running sshd.
> > 
> > Rob
> > 
> > _______________________________________________
> > Web Page: http://lug.boulder.co.us
> > Mailing List:
> > http://lists.lug.boulder.co.us/mailman/listinfo/lug
> > Join us on IRC: irc.hackingsociety.org port=6667
> > channel=#hackingsociety
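
Added example (not part of the thread and not any poster's code): a Python check of whether the global section of an sshd_config matches the "no root, pubkey only, non standard port" setup described in the quoted messages. The function names and the sample config are constructed for illustration; Include files and Match blocks are not evaluated.

```python
import re

DEFAULTS = {  # OpenSSH defaults used when a keyword is absent
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# Constructed sample config, not taken from any poster's server.
SAMPLE = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
# The next line has no effect: sshd keeps the first value it reads.
PermitRootLogin yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

def effective_global(text):
    """Return (ports, settings) for the global section of an sshd_config."""
    ports, seen = [], {}
    for raw in text.splitlines():
        parts = re.split(r"[\s=]+", raw.strip(), maxsplit=1)
        key = parts[0].lower()
        if not key or key.startswith("#"):
            continue
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break  # conditional overrides follow; audit those separately
        if key == "port" and value.isdigit():
            ports.append(int(value))  # Port may be given more than once
        elif key in DEFAULTS:
            seen.setdefault(key, value)  # first occurrence wins
    return ports or [22], {**DEFAULTS, **seen}

def audit(text):  # deviations from: non-standard port, no root, pubkey only
    ports, cfg = effective_global(text)
    findings = ["listens on the standard port 22"] if 22 in ports else []
    if cfg["permitrootlogin"] != "no":
        findings.append("root login allowed: PermitRootLogin " + cfg["permitrootlogin"])
    for key in ("passwordauthentication", "kbdinteractiveauthentication"):
        if cfg[key] != "no":
            findings.append(key + " is not 'no', so logins are not pubkey-only")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("pubkeyauthentication is disabled")
    return findings
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative source; this sketch only reads a file's global section.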

