| HN Mirror

Y	Hacker News new \| ask \| show \| jobs


	by knyt 4348 days ago
	I've used Fail2Ban even with SSH password authentication turned off. It's still helpful for preventing huge error logs full of pointless password guesses. It's also useful for applications where you have to use passwords or where you need to allow anonymous requests but you don't want attackers using up all of your resources. VoIP (public-facing and handset-facing SIP) servers are my example of both of those situations.

1 comments

justizin 4348 days ago

right, anyone who has undergone frequent ssh brute force attacks knows that they can create a nontrivial amount of cpu usage.

link

atmosx 4348 days ago

Practically evert open 22 port receives a huge amount of scripted attacks these days.

link

jqm 4348 days ago

Which is why a port other than 22 is pretty good practice.

link

rlpb 4348 days ago

"There's No Protection In High Ports Anymore. If Indeed There Ever Was." http://bsdly.blogspot.co.uk/2013/02/theres-no-protection-in-...

link

nikatwork 4348 days ago

Unless the majority of ssh brute force attacks iterate over every port value, using a non-standard port would still have value in reducing the volume of attacks.

link

jimktrains2 4348 days ago

It's less protection and more just avoiding aimless attacks.

If someone's out to get you, then sure, they'll find the port.

If someone's out to just find any unlocked door, they'll just move on.

link

rtehfm 4348 days ago

Except when programs are designed for SSH to communicate on port 22. Security by obscurity is not good practice but other than that, yes, using a non standard SSH port will greatly reduce random drive by attempts.

link

atmosx 4348 days ago

Just configure the localhost to route the ssh connections over a different port. Combined with ssh keys an becomes extremely convenient setup e.g.:

    ~> cat .ssh/config
    ControlMaster auto
    ControlPath /tmp/%r@%h:%p
    ControlPersist yes

    Host hostname1
     IdentityFile ~/.ssh/id_rsa
     Hostname rem.hostname1.com
     Port 2290
     user user_name

Now you can things like:

    git clone ssh://username@hostname1/home/user/Code/repot.git

    scp file1.tar hostname1:/home/username && sftp hostname1

Which is pretty handy :-)

link

tadfisher 4348 days ago

The proper method of dealing with programs like that is to fix them or use other programs.

link

feld 4346 days ago

I changed my mail server to listen on port 26 and now I don't get spam anymore

link

nrr 4346 days ago

I imagine you don't get much of anything with your smtpd running on port 26. (:

LOL

indeed!

"stop coming to my house Internet, I just want to stay friends"

link