wrx230 at gmail
Apr 5, 2012, 4:54 PM
Post #7 of 9
Changing the port really isn't useful. Against automated systems just
scanning, sure. If someone wants in, they'll find it.
On Thu, Apr 5, 2012 at 4:08 PM, Tim Hogard <thogard [at] abnormal> wrote:
> > On Thu, Apr 5, 2012 at 3:09 PM, Harri Makela <harri_makela [at] yahoo>
> > > Hi Guys
> > >
> > > We are getting "SSH_Brute_Force" alerts quite often from our Intrusion
> prevention systems (IPS) - ISS GX.
> > >
> > >
> > > change SSH port system wide from 22 to 10022 ?
> I'm guessing your inside hosts are getting hit and not your
> This works well if ssh is needed world wide. I have been doing it for
> years and so far it has never
> caused a problem that couldn't be fixed by reading a manual and adding a
> command line option.
> > > Report the ISP to contact with the customer which is really not a
> practical solution ?
> > >
> > > Any advice will be highly appreciated. I myself new to this and trying
> to document the process.
> > This is a very common occurrence on the open internet. Usually, these
> > remote hosts test out some common account names and passwords, looking
> > for weakly-protected accounts.
> These are distributed bruteforce attacks. A host will pick a common user
> like "bob" and a common password like "letmein" and then scan the world
> with those two and recording which ones work.
> There are others that use ssh keys on existing hacked systems to work
> their way into any other systems. Too bad openssh doesn't allow
> keys and passwords at the same time, but encrypted keys tend to stop
> this attack.
> Another thing is if ssh keys are used by automated systems, you
> don't have to give them a shell that lets them run everything, but you
> can have a shell that only runs the one command that is needed.
> > Switching SSH ports to a non-standard port will stop the casual
> > scanner, but doesn't really do anything to mitigate the risk.
> It does mitigate risk by a calculable factor.
> i.e. going from port 22 to 10022 means the attacker needs to scan first
> and that makes that job 10^4 times harder. Knowing they are after you
> and not just targets on the net gives you info that makes the defense about
> twice as good. So now your system is 2,000 times better by moving the
> You still need to be sure your IDS knows you're running ssh on the new port or
> else you can increase the risk because you don't get warned.
> The rule about security through obscurity is that it should never be
> counted on but it is useful as another layer on your security onion.
juniper-nsp mailing list juniper-nsp [at] puck
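The thread distinguishes two patterns the IDS lumps together as "SSH_Brute_Force": one host hammering one account, and a distributed campaign where many hosts each try the same common username once or twice. A per-source threshold (the usual fail2ban-style rule) catches the first and misses the second; counting distinct sources per username catches the second. The script below is an added example written for this page, not code from the thread or from the Juniper or OpenSSH projects. The sshd log lines, hostnames and IP addresses are constructed; the thresholds are arbitrary assumptions. Because it works from the host's own sshd log, it is unaffected by moving sshd to port 10022, whereas a network IDS signature keyed to port 22 would have to be updated, as the quoted reply notes.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines for the example (not from the thread);
# hostnames, usernames and addresses are made up.
SAMPLE_LOG = """\
Apr  5 16:01:02 gw sshd[4011]: Failed password for invalid user bob from 203.0.113.10 port 51234 ssh2
Apr  5 16:01:09 gw sshd[4012]: Failed password for invalid user bob from 198.51.100.7 port 40122 ssh2
Apr  5 16:01:15 gw sshd[4013]: Failed password for invalid user bob from 192.0.2.44 port 33012 ssh2
Apr  5 16:01:21 gw sshd[4014]: Failed password for invalid user bob from 203.0.113.77 port 51890 ssh2
Apr  5 16:02:00 gw sshd[4015]: Failed password for root from 192.0.2.99 port 60001 ssh2
Apr  5 16:02:01 gw sshd[4016]: Failed password for root from 192.0.2.99 port 60002 ssh2
Apr  5 16:02:02 gw sshd[4017]: Failed password for root from 192.0.2.99 port 60003 ssh2
Apr  5 16:02:03 gw sshd[4018]: Failed password for root from 192.0.2.99 port 60004 ssh2
Apr  5 16:02:04 gw sshd[4019]: Failed password for root from 192.0.2.99 port 60005 ssh2
Apr  5 16:02:05 gw sshd[4020]: Failed password for root from 192.0.2.99 port 60006 ssh2
Apr  5 16:03:30 gw sshd[4021]: Accepted publickey for deploy from 10.0.0.5 port 44000 ssh2
Apr  5 16:04:10 gw sshd[4022]: Failed password for alice from 10.0.0.8 port 45000 ssh2
"""

# Matches OpenSSH's "Failed password" line; "invalid user" is present when
# the account does not exist. The port in the line is the client's source port.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Yield (username, source_ip) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def classify(log_text, per_host_threshold=5, distributed_threshold=3):
    """Separate single-source brute force from distributed guessing.

    per_host_threshold: failures from one source IP before it is flagged.
    distributed_threshold: distinct source IPs that must target one username
    before that username is flagged as a distributed campaign.
    Both thresholds are assumptions for the example, not recommended values.
    """
    attempts_by_ip = defaultdict(int)
    ips_by_user = defaultdict(set)
    for user, ip in parse_failures(log_text):
        attempts_by_ip[ip] += 1
        ips_by_user[user].add(ip)

    noisy_hosts = sorted(ip for ip, n in attempts_by_ip.items()
                         if n >= per_host_threshold)
    distributed_users = sorted(u for u, ips in ips_by_user.items()
                               if len(ips) >= distributed_threshold)
    return {
        "noisy_hosts": noisy_hosts,
        "distributed_users": distributed_users,
        "attempts_by_ip": dict(attempts_by_ip),
        "ips_by_user": {u: sorted(ips) for u, ips in ips_by_user.items()},
    }


if __name__ == "__main__":
    report = classify(SAMPLE_LOG)
    print("Single hosts over threshold:", report["noisy_hosts"])
    print("Usernames hit from many sources:", report["distributed_users"])
    for user in report["distributed_users"]:
        print(f"  {user}: {len(report['ips_by_user'][user])} distinct sources")
```

In the constructed sample, the "root" attempts all come from one address and trip the per-host rule, while "bob" is tried once each from four different addresses and would never reach a per-host threshold; only the per-username view flags it. In practice the per-username count is the signal to watch after moving the port, since the scanner that found the new port is, as the thread puts it, after you specifically.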