[rescue] SSH functionality ::WAS::::::::Re: Sun V240

Jonathan Patschke jp at celestrion.net
Wed Nov 1 18:40:55 CDT 2017

On Wed, 1 Nov 2017, Andrew M Hoerter wrote:

> Running ssh on a non-standard port is the easiest way to cut out 99% of
> the logfile noise from bots and scanners.  In my experience, they don't
> bother to check for alternate ports if 22 doesn't work.

It's the easiest, but the least fun.

I use rate-limiting in pf to automatically mark hosts that spam
interesting ports.  Those hosts, once marked, spend an hour or so in a pf
table that sends their ssh traffic somewhere harmless.

I also have a cron job that looks for bad ssh authentication and updates a
separate pf table for diverting that ssh traffic somewhere harmless.

This method is more useful to me than libwrap because of the diversion
aspect and because my system accumulates data about interesting attacks
over time.  Also, because there exist honeypot daemons to serve as the
destination for potentially-harmful traffic.

Spammers (and IMAP password-scanners), in particular, get sent to daemons
that look somewhat like SMTP and IMAP, but only respond to commands with
rude messages sent barely fast enough to avoid timing the connection out.

Someday I'd like to work on making those daemons maliciously non-compliant
in the hopes of tripping up the zombies.  Or maybe serving up via IMAP
(open to any credentials at all) all the spam malware I've ever gotten
would be sufficient.

> If you're in the happy situation of knowing the valid client source
> addresses in advance, you can also use a firewall to default-deny
> incoming traffic to the ssh port and then allow only those known
> hosts.

Strict whitelisting was great in the days before so many mobile devices.
I'd always intended to close off _everything_ except an OpenVPN
connection, but that quickly proved impractical.

> Finally, on the more complex end, you could implement a simple
> authorization scheme that manipulates firewall rules on the fly.  In one
> case, a webserver was running on the same machine already so I wrote a
> simple CGI script whose URL was protected via required TLS certificate
> authorization.  Clients hitting that URL with a valid cert would cause
> their source IP to be added to a dynamic table connected to a firewall
> pass rule for port 22 as well as IMAP.  After some time that entry would
> time out and expire.

That's a pretty elegant solution, to be honest.

Jonathan Patschke
Austin, TX
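
The cron job described in the message above, sketched as an added example (not the poster's script and not code from the list). The table name, threshold and expiry are assumptions, and the log lines are constructed with documentation addresses; the pfctl commands are printed rather than run.

```shell
#!/bin/sh
# Added example, not the author's script. Table name, threshold and expiry
# are assumptions; the log lines are constructed (documentation addresses).
TABLE="ssh_abusers"; THRESHOLD=3; EXPIRE=3600

# Constructed sample of sshd syslog lines.
sample_log() {
    cat <<'EOF'
Nov  1 18:01:02 host sshd[411]: Failed password for root from 203.0.113.7 port 40112 ssh2
Nov  1 18:01:05 host sshd[411]: Failed password for root from 203.0.113.7 port 40112 ssh2
Nov  1 18:01:09 host sshd[415]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Nov  1 18:02:00 host sshd[420]: Accepted publickey for alice from 198.51.100.20 port 50022 ssh2
Nov  1 18:02:30 host sshd[431]: Failed password for invalid user a from 198.51.100.20 from 192.0.2.9 port 50100 ssh2
Nov  1 18:02:33 host sshd[431]: Failed password for invalid user a from 198.51.100.20 from 192.0.2.9 port 50100 ssh2
Nov  1 18:02:36 host sshd[431]: Failed password for invalid user a from 198.51.100.20 from 192.0.2.9 port 50100 ssh2
Nov  1 18:03:10 host sshd[440]: Failed password for bob from 198.51.100.44 port 50311 ssh2
EOF
}

# Print, sorted, every source address with at least $1 failed logins.
# The address is read from the fixed tail "from ADDR port N ssh2", never
# from the first "from", because the user name is client-supplied text.
failed_ssh_sources() {
    awk -v min="$1" '
        /sshd\[[0-9]+\]: Failed password for / && NF > 5 &&
        $(NF-4) == "from" && $(NF-2) == "port" &&
        $(NF-3) ~ /^[0-9A-Fa-f:.]+$/ { count[$(NF-3)]++ }
        END { for (ip in count) if (count[ip] >= min + 0) print ip }
    ' | sort
}

# Emit the pfctl commands a cron run would execute (dry run: printed only).
pf_commands() {
    failed_ssh_sources "$THRESHOLD" | while read -r ip; do
        echo "pfctl -t $TABLE -T add $ip"
    done
    echo "pfctl -t $TABLE -T expire $EXPIRE"
}

sample_log | pf_commands
```

On the sample, 203.0.113.7 and 192.0.2.9 reach the threshold, while 198.51.100.20, which appears only inside a user name, is never added to the table.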
