[SGVLUG] Who is that knocking on my ports?
Emerson, Tom (*IC)
Tom.Emerson at wbconsultant.com
Tue Jan 13 12:44:21 PST 2009
> -----Original Message----- Of Sean O'Donnell
> The good thing about nmap'ing-back, is it sometimes reveals
> whether or not the machine is a proxy server being hijacked
> remotely by the attacker, or if it's the attacker's machine
> directly. I've found often it appears to be hijacked Russian
> and Chinese proxy systems.
In other words, far less chance the ISP would do anything about it even
if reported :(
> There are quite a number of "bots" that run 24/7 trying to
> brute-force crack SSH server accounts, and a lot of the time,
> they too run on these hijacked machines, either through some
> IRC botnet, or some other automated (XSS-injected) script.
I remember reading an article by the guy that wrote "SpinRite" about how
he was being DDoS'd and essentially worked his way into the zombie-net
that was attacking him -- that might even be a better solution: turn
their own soldiers against themselves [i.e., get the existing "bots" to
ping-flood each other or some such...]
> When configuring an SSH Server, the first thing should always
> be disabling 'root' login access, and run sshd on a
> non-standard port. Most of the "bots" that run autonomously
> (usually) only attack port 22, therefore are easily defeated.
I thought the point of using ssh in the first place would be that it is
secure enough for "root" logins from remote locations [about the only
reason I'd log in remotely for this system to begin with -- all other
access is application stuff (e-mail and web) and if that is "not
working", I need to log in to figure out why.]
I could, I suppose, notch up the security requirement for ssh and not
allow keyboard authentication - only allow smartcard or private-key
authentication - that would be a bit harder to brute-force, I'd imagine.
I used to have ssh on a non-standard port when coming from the "outside"
-- I was port-forwarding from my firewall; however, my firewall machine
was getting a bit long in the tooth, so I bought one of the Linksys
WRT54GL wireless routers at Fry's the other day (the Linux version), but
the GUI/web "admin" pages don't seem to have that feature available
[though it might -- the "description" of one of the configuration pages
is a bit confusing, and I think it *is* the page I'm looking for]. In
any case, my hand-built firewall was getting [and tossing] ssh attempts
(blind attacks) already, so changing the port only changes which system
logs the attempt...
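Two things come up in this exchange that a defender would want to check rather than argue about: whether a given sshd_config actually follows the advice (no root login, no password or keyboard-interactive auth, a non-default port), and what the "blind attacks" in the firewall or auth log look like when counted per source. The script below is an added example, not code from this post or from SGVLUG; the sshd_config fragments and the auth.log lines it uses are constructed samples (the addresses are RFC 5737 documentation ranges), and the directive names and defaults are those of OpenSSH.

```python
"""Audit an sshd_config against the thread's hardening advice and count
failed SSH logins per source address from auth.log lines.

Added example, not code from the original post. The configs and log
lines below are constructed samples."""
import re
from collections import Counter

# Directives discussed in the thread: (OpenSSH default if unset, accepted values).
# The thread says "no" for root; Tom's alternative of key-only root login is
# what "prohibit-password" (older spelling: "without-password") gives you.
CHECKS = {
    "permitrootlogin": ("prohibit-password", {"no", "prohibit-password", "without-password"}),
    "passwordauthentication": ("yes", {"no"}),
    "kbdinteractiveauthentication": ("yes", {"no"}),
    "pubkeyauthentication": ("yes", {"yes"}),
}


def parse_sshd_config(text):
    """Return {directive_lower: value} for the global section of an sshd_config.
    sshd uses the first occurrence of a directive, so later repeats are ignored;
    parsing stops at the first Match block because those settings are conditional."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        conf.setdefault(key, val)
    return conf


def audit_sshd_config(text):
    """Return a list of findings (strings); an empty list means every
    directive the thread discusses is set the hardened way."""
    conf = parse_sshd_config(text)
    # Older sshd spells the keyboard-interactive switch ChallengeResponseAuthentication.
    if "kbdinteractiveauthentication" not in conf and "challengeresponseauthentication" in conf:
        conf["kbdinteractiveauthentication"] = conf["challengeresponseauthentication"]
    findings = []
    for key, (default, good) in CHECKS.items():
        val = conf.get(key, default)
        if val.lower() not in good:
            findings.append(f"{key}={val} (want {'/'.join(sorted(good))})")
    if conf.get("port", "22") == "22":
        findings.append("port=22 (thread suggests a non-standard port to shed blind bot traffic)")
    return findings


# Constructed sample: what a fresh install often ships with.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample following the thread's advice plus key-only auth.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
"""

# Constructed sample lines in the format OpenSSH writes to auth.log / secure.
SAMPLE_AUTH_LOG = """\
Jan 13 12:01:02 gw sshd[2301]: Failed password for root from 203.0.113.7 port 51012 ssh2
Jan 13 12:01:05 gw sshd[2303]: Failed password for invalid user admin from 203.0.113.7 port 51020 ssh2
Jan 13 12:01:09 gw sshd[2305]: Failed password for invalid user test from 203.0.113.7 port 51031 ssh2
Jan 13 12:02:44 gw sshd[2310]: Failed password for root from 198.51.100.23 port 40022 ssh2
Jan 13 12:03:10 gw sshd[2312]: Accepted publickey for tom from 192.0.2.10 port 55001 ssh2
Jan 13 12:03:50 gw sshd[2315]: Invalid user oracle from 203.0.113.7 port 51044
"""

# Matches both "Failed <method> for [invalid user] <name> from <ip>" and
# "Invalid user <name> from <ip>"; successful logins deliberately do not match.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed \w+ for (?:invalid user )?(?P<user>\S+)"
    r"|Invalid user (?P<iuser>\S+)) from (?P<ip>[\d.]+)"
)


def failed_logins_by_source(log_text, threshold=3):
    """Count failed and invalid-user attempts per source IP and return the
    sources at or above threshold as [(ip, count, sorted usernames tried)],
    busiest first."""
    attempts = Counter()
    users = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        attempts[ip] += 1
        users.setdefault(ip, set()).add(m.group("user") or m.group("iuser"))
    return [(ip, n, sorted(users[ip])) for ip, n in attempts.most_common() if n >= threshold]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_sshd_config(cfg) or "ok")
    for ip, n, names in failed_logins_by_source(SAMPLE_AUTH_LOG):
        print(f"{ip}: {n} failed attempts, users tried: {', '.join(names)}")
```

The audit reports against OpenSSH's own defaults when a directive is absent, which matters here: leaving PasswordAuthentication and KbdInteractiveAuthentication unset means they stay on, so a config that only adds "PermitRootLogin no" is still open to the password guessing the thread describes. The log summary groups by source rather than by username because, as the quoted reply notes, the same hijacked host usually walks through many account names; a per-source count is what you would feed to a blocklist or to the firewall that is already "getting [and tossing]" these attempts.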