
Re: [LUG] Server got hacked

On 25 November 2013 16:15, bad apple <mr.meowski@xxxxxxxx> wrote:

> Simon, you'd probably be interested in this, if you haven't seen it already:
>
> http://bsdly.blogspot.co.uk/2013/10/the-hail-mary-cloud-and-lessons-learned.html
>
> Amongst other things, he points out that moving SSH ports is a waste of
> time - if you can't lock down your SSH service properly in the first
> place, a non-standard port isn't going to help!
>
> I've personally seen countless attempts by botnets sniffing for SSH on
> non-standard ports across my systems.


That's interesting, and clearly he's done more research than I. I ran kippo on a DMZ VM for a month or so, but there were zero attempts on non-port 22 by these bots.

My conclusions were based on a snapshot (until I got bored!) two and a half years ago, so likely my advice /is/ outdated by now, and I concede my soapbox to anyone like yourself with more current knowledge!

I forgot one other thing in my list - restrict source IP on the port-forward rule in NAT. A luxury I can afford since I know I'll be coming from one of a few static IPs. That's the main reason I don't have more useful stats on any production boxes.

My wibblings on the subject:

http://digdilem.org/?p=70
http://digdilem.org/?p=71

Incidentally, with a user of "root" and a cunning password of, wait for it, "root" - very few bots got through during this month. Enough for curiosity though.

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq