lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20111001212321.GE23355@khazad-dum.debian.net>
Date:	Sat, 1 Oct 2011 18:23:21 -0300
From:	Henrique de Moraes Holschuh <hmh@....eng.br>
To:	Willy Tarreau <w@....eu>
Cc:	Steven Rostedt <rostedt@...dmis.org>,
	David Miller <davem@...emloft.net>, greg@...ah.com,
	linux-kernel@...r.kernel.org
Subject: Re: kernel.org status: hints on how to check your machine for
 intrusion

On Sat, 01 Oct 2011, Willy Tarreau wrote:
> > > I haven't allowed sshd to run on port 22 in more than 10 years.
> > 
> > I use to do that a long time ago, but I ran into issues because of it.

...

> 443 is pretty nice for connecting from unexpected places ;-)

The better IPS/IDS-protected corporate networks are likely to get annoyed by
SSH signatures showing up on unexpected flows.  Such networks typically will
also object to non-SSL flows of any sort over port 443.

YMMV.

> > I probably can go back to a non 22 port without much issue. I have added
> > a bunch of personal checks to this box that gives a report every day. I
> > may add more (from what was posted in this thread already). I also have
> > logwatch and rkhunter running, and just added chkrootkit now.
> > 
> > But moving the ssh port again may be a good idea. But I like stressing
> > your net filtering code ;)
> 
> BTW ipset is particularly suited for this.

And fail2ban is a ready-made solution to firewall anything that is loitering
around.  It is quite popular, so it is likely already packaged by the
distro.

There is no reason to move SSH from port 22, it is just plain safer to use
port-knocking if you want it unreachable most of the time.  You should also
avoid password-guessing attacks entirely (some botnets can do distributed
low-speed password guessing attacks, I've seen it happen at work) by always
requiring pubkey auth as one of the credentials.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ