Re: [LUG] Why you should not have ssh on port 22.
On 9 February 2015 at 20:46, bad apple <mr.meowski@xxxxxxxx> wrote:
On 09/02/15 20:00, Simon Avery wrote:
> I've mentioned this a few times already and I still think it's one of
> the most basic and effective things you can and should do if you have a
> linux server exposed to the internet, yet one of the most overlooked.

Oh no, not this again...

'Fraid so!

If you say that again highlighting a security issue that is well known for being successfully exploited and bringing it into discussion exactly as we are here (right or wrong) is a waste of time then, my old friend, you and I will be having a falling out. Security /should/ be discussed openly, frequently and actively - and disagreed with and argued about. Through that process comes understanding, if only of another's point of view.

> I'm afraid I'm going to have to (respectfully) disagree with you on
> this: let me explain.

I love a disagreement.

> Firstly this is stupid because it's security through obscurity, thus an

Security through obscurity is security. That's pat and glib but there's a grain of truth in it, and a large number of recent exploits of open source software were discovered through source code - not through attacking a binary. Whilst this is at risk of going off-topic, security through disclosure (OSS) is not always that secure. One can argue successfully that disclosing the source code encourages improvement and peer review, but the facts borne out by the flurry of high profile exploits over the past couple of years that have kept us all patching madly are that peer review is rarely done until there's cause for it, and specific security auditing is so specialised that it's hardly done at all.

So S-T-O is not stupid in this case because the tools used to bruteforce ssh are (so far, AFAICT) restricting themselves to a specific port. This is evidence-based learning and subject to change.

<snip>

> And that's it, no drama. Lame automated botnet scans can continue
> bouncing off my network all day long and I couldn't care less. And as

I don't actually disagree with that, and obviously that's all good advice too. Your way /is/ better - but not realistically achievable for many.

> for logging, well, disk space is plentiful and cheap and I love logs,
> the more the merrier. They all get sent to a centralised rsyslog server
> by the tens of thousands which I can then make pretty graphs out of for

My advice wasn't meant for a super admin with thousands of machines, I doubt there's much I could teach you - and whilst you will doubtless claim that anyone with a single server on the internet should have all the security and systems in place that you do, that isn't really very likely, is it? This is a LUG with a wide range of skillsets.

How much time did it take you to set up this system that you describe?

Now multiply that for somebody without your awesome experience and admin skills, allowing for their research and mistakes (and hoping those mistakes don't worsen the situation).

Then allow for the fact that they probably don't do this for a living (I certainly can't claim to any more) and try and be a little more understanding that a simple one line config change such as I describe WILL make you more secure on a practical level.

> The most stupid thing about this is the botnet scans will find your
> random SSH port before too long, and then your IP and SSH port go into

Not yet. I do check such things now and then and yes, there's the odd knock, but not 1 a second. More like 1 a week.

> their database and now everyone in China knows your secret. So what are
> you going to do? Change it again? That's going to get really annoying

Whilst I don't doubt they do collaborate to some extent, it makes no sense to share a resource for nothing. This is business.

And if changing port from 22 was the /only/ thing done, then yes, it wouldn't be much of a guard - but as part of a strategy, I maintain it's useful to do to lower the resources sucked up by Johnny Foreigner and his malware kit of doom.

> really quickly. I also don't fancy maintaining a massive lookup table to
> keep track of which random port SSH is running on each of my thousands
> of servers in the wild.

Like I said - not intended for somebody who has an army at their disposal.

(BTW, the main reason for my original post was: OMG - that many?!)
-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
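The thread argues over how many "knocks" an alternate SSH port actually receives compared with 22. As an added example that is not from the list post, this counts inbound TCP SYNs per destination port from netfilter LOG-target kernel lines (an iptables/nftables LOG rule on new connections to the SSH ports); the sample lines and the hostnames and addresses in them are constructed.

```python
"""Count inbound SSH connection attempts per listening port from
netfilter LOG-target kernel log lines (iptables/nftables LOG rule on
NEW TCP connections). Sample lines below are constructed, not real."""
import re
from collections import defaultdict

# Only TCP SYNs count: one line per connection attempt, not per packet.
KNOCK_RE = re.compile(
    r"SRC=(?P<src>\S+) .*?PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+) .*\bSYN\b"
)

# Constructed sample: a gateway logging knocks on 22 and on alternate port 2222.
SAMPLE_LOG = """\
Feb  9 20:46:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 TTL=52 PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 SYN URGP=0
Feb  9 20:46:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 TTL=52 PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 SYN URGP=0
Feb  9 20:46:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 TTL=48 PROTO=TCP SPT=40001 DPT=22 WINDOW=14600 SYN URGP=0
Feb  9 20:46:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 TTL=60 PROTO=TCP SPT=33020 DPT=22 WINDOW=65535 SYN URGP=0
Feb  9 20:46:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 TTL=52 PROTO=TCP SPT=51240 DPT=22 WINDOW=29200 SYN URGP=0
Feb  9 21:10:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 TTL=60 PROTO=TCP SPT=33100 DPT=2222 WINDOW=65535 SYN URGP=0
Feb  9 21:12:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 TTL=60 PROTO=UDP SPT=5353 DPT=53 LEN=52
Feb  9 21:15:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 TTL=52 PROTO=TCP SPT=51240 DPT=22 WINDOW=29200 ACK URGP=0
"""

def knocks_per_port(log_text):
    """Return {dst_port: {"attempts": n, "sources": {src, ...}}} for TCP SYNs."""
    stats = defaultdict(lambda: {"attempts": 0, "sources": set()})
    for line in log_text.splitlines():
        m = KNOCK_RE.search(line)
        if not m:
            continue  # UDP, non-SYN or unrelated lines are not knocks
        entry = stats[int(m.group("dpt"))]
        entry["attempts"] += 1
        entry["sources"].add(m.group("src"))
    return dict(stats)

def report(log_text, ports=(22, 2222)):
    """(attempts, distinct sources) for each port being compared."""
    stats = knocks_per_port(log_text)
    return {p: (stats.get(p, {}).get("attempts", 0),
                len(stats.get(p, {}).get("sources", ()))) for p in ports}

if __name__ == "__main__":
    for port, (attempts, sources) in report(SAMPLE_LOG).items():
        print(f"port {port}: {attempts} attempts from {sources} distinct sources")
```

Feeding it a week of real firewall logs gives the per-port knock rate the thread debates instead of an impression, and the distinct-source count shows whether an alternate port has been picked up by more than one scanner.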