[rescue] SSH functionality ::WAS::::::::Re: Sun V240

Andrew M Hoerter amh at pobox.com
Wed Nov 1 17:31:05 CDT 2017

On 11/1/17 16:06, Jerry Kemp wrote:

> Regarding observing remote root login attempts, regardless of root being
> disabled, it is just the fact they are occurring.B  I would speculate
> that if you have just stuck your box out on the Internet, the (ssh)
> login attempts are probably low at the present.B  I have a (Solaris) box
> that is in a COLO for more than a decade (upgraded several times), and I
> am just continually being hit by random & continual ssh remote login
> attempts.
> [...]
> My big concern is that, due to numbers of hits, that properly managing
> and addressing events that do end up logged.B  I already mentioned that I
> use denyhost to limit dictionary attacks that hit hard and heavy.

Running ssh on a non-standard port is the easiest way to cut out 99% of
the logfile noise from bots and scanners.  In my experience, they don't
bother to check for alternate ports if 22 doesn't work.  Obviously, this
is no substitute for securely configuring SSH but it will make the more
determined attackers stand out in your logs.

If you're in the happy situation of knowing the valid client source
addresses in advance, you can also use a firewall to default-deny
incoming traffic to the ssh port and then allow only the those known hosts.

Finally, on the more complex end, you could implement a simple
authorization scheme that manipulates firewall rules on the fly.  In one
case, a webserver was running on the same machine already so I wrote a
simple CGI script whose URL was protected via required TLS certificate
authorization.  Clients hitting that URL with a valid cert would cause
their source IP to be added to a dynamic table connected to a firewall
pass rule for port 22 as well as IMAP.  After some time that entry would
time out and expire.

More information about the rescue mailing list