NonStandard SSH Ports no longer safe from BruteForce Attacks

All installation and configuration problems and questions

Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N

NonStandard SSH Ports no longer safe from BruteForce Attacks

Postby williamconley » Sat Feb 16, 2013 6:15 pm

For those of you who avoided ssh attacks so far by changing to another port (like 222 or 3322? LOL) instead of port 22 ...

From Slashdot member badger.foo who read an article by Peter Hansteen (aka: That grumpy BSD guy):

The inevitable brute force hackers have begun to port scan and no longer ignore non-standard ports. So if you have not checked your sshd logs recently, this would be a good time to search for Invalid user entries and fails. Depending on your log structure, of course. I am surprised it took this long, but it was inevitable. :)
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: NonStandard SSH Ports no longer safe from BruteForce Att

Postby DruRoland » Sun Feb 17, 2013 12:23 am

DIsable password authentication. Avoid the whole mess and just disable password authentication.

It takes maybe 5 minutes to generate and install a key pair. Best 5 minutes you'll spend all week.
2x ViciBox v.5.0.2-130807 | BUILD: 130809-1410 | SVN Version: 2019 | Asterisk: 1.8.23-vici
Debian 7 MySQL 5.5 server 4-core 16GB RAM Master & Slave
18 seats, outbound/blended with full recording
DruRoland
 
Posts: 52
Joined: Wed Jan 23, 2013 8:33 pm

Re: NonStandard SSH Ports no longer safe from BruteForce Att

Postby williamconley » Sun Feb 17, 2013 1:14 pm

Nope. They will still brute force, they'll just fail. And while they're doing it, your system will be slow/sluggish.

I like my whitelist only version.

But I thought I would warn others. :)

Remember that once the Hackers find out that there is a live machine there, they will log your IP and come back time and again with a new attack method. phpMyAdmin flaws, SIP account, anything and everything. White list: no chance to guess and they don't even know there is a server there.

So just like using an alternate port, you're getting away with it "for now", but eventually they Will Try Again.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: NonStandard SSH Ports no longer safe from BruteForce Att

Postby DomeDan » Mon Feb 18, 2013 4:29 am

For those who like reading slashdot comments: http://it.slashdot.org/story/13/02/16/2 ... high-ports
and for those who like to read the source of the discussion: http://bsdly.blogspot.ca/2013/02/theres ... ports.html

Setup a dedicated machine as firewall that handles all the traffic and requests from the internet, I did
and on that box I have ssh open on an non-standard port and disabled password login.
If you really need people connection to your box over internet then setup openVPN, I did
and used a non-standard port there too and the client can only talk to the vicidial server on the internal network.

This does not mean that you can ignore all other safety on the internal network,
there is many ways people can get access to the local network without even care about the firewall.
Vicidial Partner. Region: Sweden/Norway.
Does Vicidial installation, configuration, customization, add-ons, CRM implementation, support, upgrading, network-related, pentesting etc. Remote and onsite assistance.
Email: domedan (at) gmail.com
DomeDan
 
Posts: 1226
Joined: Tue Jan 04, 2011 9:17 am
Location: Sweden

Re: NonStandard SSH Ports no longer safe from BruteForce Att

Postby ruben23 » Mon Feb 18, 2013 7:25 am

@ williamconley

can you share how you do your whitelisting..somehow..would help others also.Thanks
SkypeID: rlacumba
IBM x3200 Dual Core 2.4 Ghz.
4GB Ram
VERSION: 2.4-311a
BUILD: 110514-1351
© 2011 ViciDial Group
Asterisk 1.4.27-vici
Another VICI_day, same trunK, same Channel-->Transcode...
ruben23
 
Posts: 1161
Joined: Thu Jul 31, 2008 10:35 am
Location: Davao City, Philippines

Re: NonStandard SSH Ports no longer safe from BruteForce Att

Postby williamconley » Mon Feb 18, 2013 1:05 pm

We still have to get one more sale before we can push it to the forum freely. (Accountant insists we recoup our investment before publishing it ...). However, if you assemble all the posts I've done on the topic in the past, it's not hard to complete.

But the "base" of it is to use yast to remove all firewall openings and then modify the iptables configuration files specific to OpenSuSE to close any extra open ports (113 ... and any others like ping!). After that, without installing our software, you add an authorized IP address by "yast firewall" and adding custom entries. Each entry can be a single IP or an IP range. Each entry must be made for TCP and for UDP where applicable in this interface.

Up to this point, no special software is required as this is merely the way IPtables security is set up in OpenSuSE.

The addition of our software allows an easy web interface to add IPs (no ssh access required) and a special link for "away missions" (so you can send that special link to remotely operating agents who IP changes regularly, as well as keeping a copy of it in your iPad for access at Starbucks or McDonald's).
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: NonStandard SSH Ports no longer safe from BruteForce Att

Postby ZoVoS » Tue Feb 19, 2013 9:56 pm

=\ just let established/related connections in on line one and only allow inbound from the voip provider and local network? let all traffic out?

This should sort issues with NTP servers etc as the server establishes its own connection.

or at-least something to that effect. its quite different when you host servers in the cloud.
ZoVoS
 
Posts: 58
Joined: Fri Aug 17, 2012 11:07 am

Re: NonStandard SSH Ports no longer safe from BruteForce Att

Postby williamconley » Wed Feb 20, 2013 12:32 am

Agree absolutely with "whitelist IPs only". and opensuse already has a method to allow established connections.

but what about remote agents? and the owner on his iPad at Starbucks? (Can't really tell her she cant look at the Real Time Screen while sipping her Latte ... :)

So an easy whitelist solution is quite handy.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: NonStandard SSH Ports no longer safe from BruteForce Att

Postby DomeDan » Wed Feb 20, 2013 3:43 am

Or OpenVPN to prevent someone at the coffee shop to simply catch her username and password in the air,
or are you using https for the "special link"?

and yeah, I've setup OpenVPN on a ipad here.
Vicidial Partner. Region: Sweden/Norway.
Does Vicidial installation, configuration, customization, add-ons, CRM implementation, support, upgrading, network-related, pentesting etc. Remote and onsite assistance.
Email: domedan (at) gmail.com
DomeDan
 
Posts: 1226
Joined: Tue Jan 04, 2011 9:17 am
Location: Sweden

Re: NonStandard SSH Ports no longer safe from BruteForce Att

Postby williamconley » Wed Feb 20, 2013 11:19 am

To date no one has requested https for the Special Link. But obviously can be added easily. Next upgrade :)

So far, no one has even almost attempted accessing one of these boxes once whitelist is active.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)


Return to Support

Who is online

Users browsing this forum: Bing [Bot] and 134 guests