[j-nsp] SSH_Brute_Force events

Morgan McLean wrx230 at gmail.com
Thu Apr 5 19:54:00 EDT 2012


Changing the port really isn't useful. Against automated systems just
scanning, sure. If someone wants in, they'll find it.

Morgan

On Thu, Apr 5, 2012 at 4:08 PM, Tim Hogard <thogard at abnormal.com> wrote:

> >
> > On Thu, Apr 5, 2012 at 3:09 PM, Harri Makela <harri_makela at yahoo.com>
> wrote:
> > > Hi Guys
> > >
> > > We are getting "SSH_Brute_Force" alerts quite often from our Intrusion
> prevention systems (IPS) - ISS GX.
> > >
> ...
> > >
> > > change SSH port  system wide from 22 to 10022 ?
> I'm guessing your inside hosts are getting hit and not your
> router/firewall.
>
> This works well if ssh is needed world wide.  I have been doing it for
> years and so far it has never
> caused a problem that couldn't be fixed by reading a manual and adding a
> command line option.
>
> > > Report the ISP to contact with the customer which is really not a
> practical solution ?
> > >
> > > Any advice will be highly appreciated. I myself new to this and trying
> to document the process.
> >
> > This is a very common occurrence on the open internet. Usually, these
> > remote hosts test out some common account names and passwords, looking
> > for weakly-protected accounts.
>
> These are distributed bruteforce attacks.  A host will pick a common user
> id like "bob" and a common password like "letmein" and then scan the world
> trying those two and recording which ones work.
>
> There are others that use ssh keys on existing hacked systems to work
> their way into any other systems.     Too bad openssh doesn't allow
> keys and passwords at the same time but encrypted keys tend to stop
> this attack.
>
> Another thing is if ssh keys are used by automated systems, you
> don't have to give them a shell that lets them run everything, but you
> can have a shell that only runs the one command that is needed.
>
> > Switching SSH ports to a non-standard port will stop the casual
> > scanner, but doesn't really do anything to mitigate the risk.
> It does mitigate risk by a calculable factor.
> i.e.  going from port 22 to 10022 means the attacker needs to scan first
> and that makes that job 10^4 times harder.  Knowing they are after you
> and not just targets on the net gives you info that makes the defense about
> twice as good.  So now your system is 2,000 times better by moving the
> port.
> You still need to be sure your IDS knows you're running ssh on the new port or
> else you can increase the risk because you don't get warned.
>
> The rule about security through obscurity is that it should never be
> counted on but it is useful as another layer on your security onion.
>
> -tim
> http://web.abnormal.com
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
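An added example, not part of the thread, illustrating Tim's point that a distributed brute force (one guess per source host) looks different in the logs from a single noisy scanner: this Python script parses constructed OpenSSH "Failed password" lines and flags both a source IP with many failures and an account being guessed from many distinct sources. The log lines, hostnames and addresses are all constructed for the example.

```python
"""Flag single-source and distributed SSH password brute force in sshd logs."""
import re
from collections import Counter, defaultdict

# Constructed sample lines in OpenSSH's syslog format (invented hosts and IPs).
SAMPLE_LOG = """\
Apr  5 19:01:02 host sshd[1001]: Failed password for invalid user bob from 198.51.100.7 port 40001 ssh2
Apr  5 19:01:05 host sshd[1002]: Failed password for invalid user bob from 198.51.100.7 port 40002 ssh2
Apr  5 19:01:09 host sshd[1003]: Failed password for invalid user bob from 198.51.100.7 port 40003 ssh2
Apr  5 19:02:11 host sshd[1004]: Failed password for invalid user bob from 203.0.113.10 port 51000 ssh2
Apr  5 19:02:40 host sshd[1005]: Failed password for invalid user bob from 203.0.113.11 port 51001 ssh2
Apr  5 19:03:15 host sshd[1006]: Failed password for invalid user bob from 203.0.113.12 port 51002 ssh2
Apr  5 19:03:50 host sshd[1007]: Failed password for root from 203.0.113.13 port 51003 ssh2
Apr  5 19:04:00 host sshd[1008]: Accepted publickey for deploy from 192.0.2.5 port 60000 ssh2
"""

# "invalid user" is present when the account does not exist on the host.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text):
    """Return one (username, source_ip) tuple per failed password line."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append((m.group("user"), m.group("ip")))
    return failures


def noisy_sources(failures, threshold=3):
    """Per-source-IP failure count: catches the classic single-host scanner."""
    counts = Counter(ip for _, ip in failures)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def distributed_targets(failures, min_sources=3):
    """Per-username count of distinct source IPs. A distributed attack that
    makes one guess per host never reaches a per-IP threshold, but many
    hosts guessing the same account shows up here."""
    sources = defaultdict(set)
    for user, ip in failures:
        sources[user].add(ip)
    return {u: len(ips) for u, ips in sources.items() if len(ips) >= min_sources}


if __name__ == "__main__":
    found = parse_failures(SAMPLE_LOG)
    print("noisy sources:", noisy_sources(found))          # {'198.51.100.7': 3}
    print("distributed targets:", distributed_targets(found))  # {'bob': 4}
```

With a real /var/log/auth.log the same two views are the first thing to compare when the IPS raises an SSH brute force event: one IP to block, or one account name that every source is trying.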

