[lug] keeping up with attacks

Chip Atkinson chip at pupman.com
Tue May 21 05:38:04 MDT 2019


No, it was above 1024.

On Tue, 21 May 2019, Steve Litt wrote:

> Was your new, non-standard ssh port numerically less than 100?
>
> SteveT
>
> On Mon, 20 May 2019 19:30:35 -0600 (MDT)
> Chip Atkinson <chip at pupman.com> wrote:
>
>> Changing to a non-standard port made all the difference for me. It
>> was on the order of several hits/second sometimes. After the port
>> change, it basically stopped.
>>
>> Disable root logins if not already mentioned.
>>
>> On Sat, 4 May 2019, duboulder wrote:
>>
>>> I use a no-root, pubkey-only, non-standard-port ssh as a second
>>> connection method in case the vpn config gets borked during an
>>> update. This is a vm at a provider with no console access atm. Is
>>> there a better way of providing backup access?
>>>
>>>
>>> Sent with ProtonMail Secure Email.
>>>
>>> ------- Original Message -------
>>> On Saturday, May 4, 2019 10:15 AM, Stephen Kraus
>>> <ub3ratl4sf00 at gmail.com> wrote:
>>>
>>>       Why is your SSH public facing anyways? OpenVPN is free, set
>>>       it up and deny any SSH from external IPs. Best practice is to
>>>       always use VPN or a Jump Box to access SSH.
>>>
>>> On Sat, May 4, 2019, 11:52 AM Rob Nagler <nagler at bivio.biz> wrote:
>>>       My $.02 is that fail2ban and blocking specific IPs is
>>>       more expensive than letting sshd handle them. Spend
>>>       your energy on reducing the general risk profile of
>>>       your network and services.
>>>
>>> There are thousands of ssh attempts a day against our servers
>>> to login as root. And, we have only a couple of public ssh
>>> servers. The non-public only let through a handful of trusted
>>> IPs via iptables.
>>>
>>> The public servers don't notice the attacks, because it's so
>>> fast for sshd to reject them. fail2ban increases the server
>>> (and my mental) load without a decrease in risk. There are
>>> millions of bots out there. If sshd has a zero-day, we are in
>>> trouble, but so would AWS, GCP, Citibank, Amex, etc. They'll
>>> be the first to be breached, not our servers. My experience
>>> is that those patches come along pretty quickly. Much faster
>>> than the botnets can be reprogrammed to attack the millions
>>> of IPs that are running sshd.
>>>
>>> Rob
>>>
>>> _______________________________________________
>>> Web Page: http://lug.boulder.co.us
>>> Mailing List:
>>> http://lists.lug.boulder.co.us/mailman/listinfo/lug
>>> Join us on IRC: irc.hackingsociety.org port=6667
>>> channel=#hackingsociety
>>>


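The thread keeps coming back to three sshd settings: a non-standard port (above 1024, per Chip's reply), root logins disabled, and public-key-only authentication. As an added example that is not from any poster in this thread, here is a small POSIX shell audit of an sshd_config that reports whether those three are in place. The function names `sshd_opt` and `audit_sshd_config` and the sample config lines are constructed for this example; the checker reads only the global section before any `Match` block and only the whitespace-separated `Keyword value` form.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread): audit an sshd_config for
# the three hardening points the thread discusses. Function names and the
# sample configs are constructed; they are not real OpenSSH tooling.
#
# Usage: . ./sshd_audit.sh && audit_sshd_config /etc/ssh/sshd_config

# Print the effective value of a keyword, or a default when it is absent.
# Like sshd, the first occurrence wins; keywords are case-insensitive;
# comment and blank lines are skipped; parsing stops at the first Match
# block because values inside it are conditional. Only the whitespace-
# separated "Keyword value" form is handled (not "Keyword=value").
sshd_opt() {
    # $1 = config file, $2 = keyword, $3 = default
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*(#|$)/ { next }
        { k = tolower($1) }
        k == "match"        { exit }
        k == key            { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Returns 0 when every check passes, 1 otherwise, printing one line per check.
audit_sshd_config() {
    cfg="$1"
    rc=0

    # 1. Non-standard port above 1024 (sshd's default is 22).
    port=$(sshd_opt "$cfg" Port 22)
    case "$port" in
        ''|*[!0-9]*)
            echo "FAIL Port: '$port' is not a number"; rc=1 ;;
        *)
            if [ "$port" -le 1024 ]; then
                echo "FAIL Port: $port (expected a non-standard port above 1024)"; rc=1
            else
                echo "ok   Port: $port"
            fi ;;
    esac

    # 2. No root logins. OpenSSH's upstream default is prohibit-password;
    #    the thread's advice is an explicit "no".
    root=$(lower "$(sshd_opt "$cfg" PermitRootLogin prohibit-password)")
    if [ "$root" = "no" ]; then
        echo "ok   PermitRootLogin: no"
    else
        echo "FAIL PermitRootLogin: $root (expected no)"; rc=1
    fi

    # 3. Key-only access: passwords off, public keys on (sshd defaults to yes for both).
    pass=$(lower "$(sshd_opt "$cfg" PasswordAuthentication yes)")
    pubkey=$(lower "$(sshd_opt "$cfg" PubkeyAuthentication yes)")
    if [ "$pass" = "no" ] && [ "$pubkey" = "yes" ]; then
        echo "ok   pubkey-only authentication"
    else
        echo "FAIL PasswordAuthentication=$pass PubkeyAuthentication=$pubkey (expected no/yes)"; rc=1
    fi

    return "$rc"
}
```

The port check deliberately treats anything at or below 1024 as a failure rather than only 22, since that is the distinction Steve asked about and Chip confirmed. Note that this only inspects the file; the running daemon's effective settings come from `sshd -T`, and a firewall rule limiting the port to trusted IPs (the iptables approach Rob describes) is a separate layer this script does not check.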