ssh attacks - SSH


  1. ssh attacks

    Hi Folks,

    Similar to another recent thread, "Options to block brute force attacks,"
    I have become paranoid about leaving my ssh port open because I, too,
    have noticed many connection attempts from unknown domains.

    If we presume that my password is at least moderately strong, then
    how likely is it that any type of ssh attack will succeed? Is it
    really unsafe to leave the ssh port open? I don't see how, since
    large systems like NC State's computer systems allow ssh logins
    24/7.

    So I guess I'm asking what exactly are the threats, and how likely are
    they to succeed? Also, of course, short of just closing the port, what
    can I do to protect myself?
    --
    % Randy Yates % "I met someone who looks a lot like you,
    %% Fuquay-Varina, NC % she does the things you do,
    %%% 919-577-9882 % but she is an IBM."
    %%%% % 'Yours Truly, 2095', *Time*, ELO
    http://home.earthlink.net/~yatescr

  2. Re: ssh attacks


    Randy Yates wrote:

    > Similar to another recent thread, "Options to block brute force attacks,"
    > I have become paranoid about leaving my ssh port open because I, too,
    > have noticed many connection attempts from unknown domains.
    >
    > If we presume that my password is at least moderately strong, then
    > how likely is it that any type of ssh attack will succeed?


    With a moderately strong password, very unlikely.

    You can calculate the probability of breaking a password (average
    number of attempts) and calculate the time needed to reach that average
    number. The larger the time the less likely an attacker will even keep
    trying.

    > Is it really unsafe to leave the ssh port open?


    No.

    > I don't see how, since large systems like NC State's computer systems
    > allow ssh logins 24/7.
    >
    > So I guess I'm asking what exactly are the threats, and how likely are
    > they to succeed?


    The ones that succeed are mostly due to very weak passwords.

    > Also, of course, short of just closing the port, what
    > can I do to protect myself?


    Use sshd options wisely. With AllowUsers/AllowGroups a system can be
    made highly secure, just close all the "well known" accounts (if you
    look at the sshd log, most attacks are not really dictionary attacks,
    but go for a few well known account names; but don't let your guard
    down, there are dictionary attacks), so you can make the attacker's job
    more complex: guess the user name and the password.

    Regards.
    --
    René Berber
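
René's two suggestions above (estimate how long a guessing attack needs, and check which account names show up in the sshd log) combined in one script. This is an added example, not part of the original thread; the log lines are constructed, the account name `alice` is hypothetical, and the 94-symbol, 7-character random password is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in OpenSSH syslog format (not taken from the thread).
SAMPLE_LOG = """\
Mar 10 03:14:01 host sshd[2211]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar 10 03:14:03 host sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Mar 10 03:14:05 host sshd[2215]: Failed password for invalid user test from 203.0.113.7 port 40131 ssh2
Mar 10 03:14:07 host sshd[2217]: Failed password for root from 203.0.113.7 port 40140 ssh2
Mar 10 03:14:09 host sshd[2219]: Failed password for invalid user oracle from 198.51.100.23 port 51822 ssh2
Mar 10 03:14:11 host sshd[2221]: Failed password for alice from 198.51.100.23 port 51830 ssh2
Mar 10 03:20:44 host sshd[2290]: Accepted password for alice from 192.0.2.10 port 60022 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"Failed password for (invalid user )?(\S+) from (\S+) port \d+")

def summarize(log_text, allow_users):
    """Tally failed logins per account name and measure the attempt rate."""
    users, times = Counter(), []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; a fixed one is enough for deltas.
        times.append(datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S"))
        users[m.group(3)] += 1
    total = sum(users.values())
    # Guesses against names outside AllowUsers cannot succeed,
    # whatever password is tried.
    blocked = sum(n for u, n in users.items() if u not in allow_users)
    span = (max(times) - min(times)).total_seconds() if len(times) > 1 else 0
    rate = (total - 1) / span if span else 0.0
    return {"by_user": users, "total": total,
            "blocked_by_allowusers": blocked, "rate_per_sec": rate}

def years_to_average_guess(charset_size, length, rate_per_sec):
    """Average time to hit a random password: half the keyspace at this rate."""
    return (charset_size ** length / 2) / rate_per_sec / (365 * 24 * 3600)

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG, allow_users={"alice"})
    print(s["by_user"].most_common(), s["blocked_by_allowusers"], "of", s["total"])
    print(round(years_to_average_guess(94, 7, s["rate_per_sec"])), "years on average")
```

The estimate only holds for a randomly chosen password; a dictionary-based one shrinks the search space to the size of the attacker's word list.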


  3. Re: ssh attacks

    "René Berber" writes:

    > Randy Yates wrote:
    >
    >> Similar to another recent thread, "Options to block brute force attacks,"
    >> I have become paranoid about leaving my ssh port open because I, too,
    >> have noticed many connection attempts from unknown domains.
    >>
    >> If we presume that my password is at least moderately strong, then
    >> how likely is it that any type of ssh attack will succeed?

    >
    > With a moderately strong password, very unlikely.
    >
    > You can calculate the probability of breaking a password (average
    > number of attempts) and calculate the time needed to reach that average
    > number. The larger the time the less likely an attacker will even keep
    > trying.
    >
    >> Is it really unsafe to leave the ssh port open?

    >
    > No.
    >
    >> I don't see how, since large systems like NC State's computer systems
    >> allow ssh logins 24/7.
    >>
    >> So I guess I'm asking what exactly are the threats, and how likely are
    >> they to succeed?

    >
    > The ones that succeed are mostly due to very weak passwords.
    >
    >> Also, of course, short of just closing the port, what
    >> can I do to protect myself?

    >
    > Use sshd options wisely. With AllowUsers/AllowGroups a system can be
    > made highly secure, just close all the "well known" accounts (if you
    > look at the sshd log, most attacks are not really dictionary attacks,
    > but go for a few well known account names; but don't let your guard
    > down, there are dictionary attacks), so you can make the attacker's job
    > more complex: guess the user name and the password.
    >
    > Regards.
    > --
    > René Berber


    Thanks René.

    If, in addition to locking up common accounts like root from ssh, I
    also used an alternate port, and again if my password was moderately
    strong, how likely would it be to get hacked through sshd?
    --
    % Randy Yates % "Bird, on the wing,
    %% Fuquay-Varina, NC % goes floating by
    %%% 919-577-9882 % but there's a teardrop in his eye..."
    %%%% % 'One Summer Dream', *Face The Music*, ELO
    http://home.earthlink.net/~yatescr

  4. Re: ssh attacks

    Randy Yates writes:

    > "René Berber" writes:
    >
    >> Randy Yates wrote:
    >>
    >>> Similar to another recent thread, "Options to block brute force attacks,"
    >>> I have become paranoid about leaving my ssh port open because I, too,
    >>> have noticed many connection attempts from unknown domains.
    >>>
    >>> If we presume that my password is at least moderately strong, then
    >>> how likely is it that any type of ssh attack will succeed?

    >>
    >> With a moderately strong password, very unlikely.
    >>
    >> You can calculate the probability of breaking a password (average
    >> number of attempts) and calculate the time needed to reach that average
    >> number. The larger the time the less likely an attacker will even keep
    >> trying.
    >>
    >>> Is it really unsafe to leave the ssh port open?

    >>
    >> No.
    >>
    >>> I don't see how, since large systems like NC State's computer systems
    >>> allow ssh logins 24/7.
    >>>
    >>> So I guess I'm asking what exactly are the threats, and how likely are
    >>> they to succeed?

    >>
    >> The ones that succeed are mostly due to very weak passwords.
    >>
    >>> Also, of course, short of just closing the port, what
    >>> can I do to protect myself?

    >>
    >> Use sshd options wisely. With AllowUsers/AllowGroups a system can be
    >> made highly secure, just close all the "well known" accounts (if you
    >> look at the sshd log, most attacks are not really dictionary attacks,
    >> but go for a few well known account names; but don't let your guard
    >> down, there are dictionary attacks), so you can make the attacker's job
    >> more complex: guess the user name and the password.
    >>
    >> Regards.
    >> --
    >> René Berber

    >
    > Thanks René.
    >
    > If, in addition to locking up common accounts like root from ssh, I
    > also used an alternate port, and again if my password was moderately
    > strong, how likely would it be to get hacked through sshd?


    Todd H. - I'd also like to hear your input on this since I've been
    afraid to open up the port ever since you told me it wasn't a good
    idea.
    --
    % Randy Yates % "The dreamer, the unwoken fool -
    %% Fuquay-Varina, NC % in dreams, no pain will kiss the brow..."
    %%% 919-577-9882 %
    %%%% % 'Eldorado Overture', *Eldorado*, ELO
    http://home.earthlink.net/~yatescr

  5. Re: ssh attacks

    "Randy Yates" typed:
    > "René Berber" writes:
    >> Use sshd options wisely. With AllowUsers/AllowGroups a system can
    >> be made highly secure, just close all the "well known" accounts (if
    >> you look at the sshd log, most attacks are not really dictionary
    >> attacks, but go for a few well known account names; but don't let
    >> your guard down, there are dictionary attacks), so you can make the
    >> attacker's job more complex: guess the user name and the password.

    >
    > If, in addition to locking up common accounts like root from ssh, I
    > also used an alternate port, and again if my password was moderately
    > strong, how likely would it be to get hacked through sshd?


    Substantially less likely. I *always* advocate using a different port
    for SSH, as well as the various options SSHd supports (some of which
    Rene Berber mentioned). On some systems I administrate, I know only
    two or three people will be logging in from within fixed subnets, so I
    restrict access to SSH at the firewall (but such a solution is not
    feasible in most environments). I would, therefore, suggest moving SSH
    to a different port and using SSHd options to your advantage.

    --
    Ayaz Ahmed Khan

    Then, gently touching my face, she hesitated for a moment as her
    incredible eyes poured forth into mine love, joy, pain, tragedy,
    acceptance, and peace. "'Bye for now," she said warmly.
    -- Thea Alexander, "2150 A.D."


  6. Re: ssh attacks

    Randy Yates writes:

    > Todd H. - I'd also like to hear your input on this since I've been
    > afraid to open up the port ever since you told me it wasn't a good
    > idea.


    When we were talking, the ssh configuration was in quite a state of
    mystery, not knowing what exactly we had running, etc, hence the level
    of caution.

    Assuming you stay on top of patches, and use a strong password (one
    that isn't based on a dictionary word in any language, uses a mix of
    letters, numbers, and punctuation, and is oh, 7 or more characters
    long), you should be fine.

    Running on an alternate port is a good idea as it will dramatically
    cut down the volume of logs you have to review.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/

  7. Re: ssh attacks

    "Todd H." typed:
    > Running on an alternate port is a good idea as it will dramatically
    > cut down the volume of logs you have to review.


    And in most cases, *completely*, as has been my experience.

    --
    Ayaz Ahmed Khan

    Then, gently touching my face, she hesitated for a moment as her
    incredible eyes poured forth into mine love, joy, pain, tragedy,
    acceptance, and peace. "'Bye for now," she said warmly.
    -- Thea Alexander, "2150 A.D."


  8. Re: ssh attacks

    Randy Yates wrote:
    > Hi Folks,
    >
    > Similar to another recent thread, "Options to block brute force attacks,"
    > I have become paranoid about leaving my ssh port open because I, too,
    > have noticed many connection attempts from unknown domains.
    >
    > If we presume that my password is at least moderately strong, then
    > how likely is it that any type of ssh attack will succeed? Is it
    > really unsafe to leave the ssh port open? I don't see how, since
    > large systems like NC State's computer systems allow ssh logins
    > 24/7.
    >
    > So I guess I'm asking what exactly are the threats, and how likely are
    > they to succeed? Also, of course, short of just closing the port, what
    > can I do to protect myself?


    Do you really need to use password authentication? Pubkey is much
    stronger. Also, I've set my ssh server to listen on a nonstandard port
    and have never seen even one break-in attempt in the year since I set it up.

  9. Re: ssh attacks

    Ayaz Ahmed Khan wrote:
    > "Todd H." typed:
    >> Running on an alternate port is a good idea as it will dramatically
    >> cut down the volume of logs you have to review.

    >
    > And in most cases, *completely*, as has been my experience.
    >


    Ditto
