[geeks] SSH Scans Increasing
    Sheldon T. Hall 
    shel at artell.net
       
    Thu Aug 21 07:39:30 CDT 2008
    
    
  
Phil Stracchino said ...
> I haven't seen it.  But then, I got so sick of ssh-dictionary-scanning
> scriptkiddies filling up my logs day after day, week after week, month
> after month, and have so few non-local users, that I implemented a
> whitelist-only pf rule for SSH and FTP connections.
> 
> Currently I'm pondering the best means to allow users with existing
> accounts and known SSH keys to remotely authorize new IPs for 
> themselves.

I got tired of the script-kiddies, too.  I contemplated moving the SSH
service to a non-standard port, but this complicated access for one of my
primary remote-access users, so I couldn't.  I whitelisted the secure
network he'd be calling from, and, for everyone else, I set up a kind of
ghetto portknocking arrangement.  You'd hit a particular high-numbered port,
which grabbed your IP address but didn't reply, and a script kicked off by
the connection would put that IP address in the whitelist for the SSH port.
It was a bit of "security by obscurity" but it worked great.

-Shel
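The single-port knock Shel describes, written out as an added example (not code from the thread): a listener that accepts on a high port, closes without replying, and adds the peer address to a pf table that the SSH pass rule references. The knock port number, the table name `sshwhitelist`, and the pf rule in the docstring are assumptions.

```python
"""Minimal single-port knock listener for a pf whitelist (added example).
Assumes pf has a persistent table referenced by a rule such as
  pass in proto tcp from <sshwhitelist> to port 22
and that this script runs with enough privilege to call pfctl."""
import ipaddress
import socket
import subprocess

KNOCK_PORT = 40001          # assumption: any otherwise unused high port
PF_TABLE = "sshwhitelist"   # assumption: name of the pf table for port 22


def whitelist_command(src_ip: str, table: str = PF_TABLE) -> list[str]:
    """Build the pfctl call that adds src_ip to the table.
    Parsing the address first guarantees only a literal IP reaches pfctl."""
    addr = ipaddress.ip_address(src_ip)   # ValueError on anything malformed
    return ["pfctl", "-t", table, "-T", "add", str(addr)]


class KnockState:
    """Remembers which sources already knocked so pfctl is not re-run."""

    def __init__(self) -> None:
        self.allowed: set[str] = set()

    def handle_knock(self, src_ip: str, run=subprocess.run) -> bool:
        """Whitelist src_ip; True if newly added, False if already present."""
        if src_ip in self.allowed:
            return False
        run(whitelist_command(src_ip), check=True)
        self.allowed.add(src_ip)
        return True


def serve(state: KnockState, port: int = KNOCK_PORT) -> None:
    """Accept connections, note the peer address, close with no banner."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("", port))
        srv.listen(5)
        while True:
            conn, (src_ip, _) = srv.accept()
            conn.close()                    # never reply; the knock is enough
            state.handle_knock(src_ip)


if __name__ == "__main__":
    serve(KnockState())
```

Anyone who finds the knock port can add their own address, which is the obscurity trade-off the post acknowledges, so the table should filter noise in front of key-only SSH authentication rather than replace it.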