[NBLUG/talk] I'm getting ssh scanned! Should I be worried?

troy fryman at sonic.net
Thu Oct 7 14:47:55 PDT 2004


On Thu, Oct 07, 2004 at 02:11:36PM -0700, Augie Schwer wrote:
> On Mon, 4 Oct 2004 13:25:32 -0700, troy <fryman at sonic.net> wrote:
> > I have a php script whose name is hopefully tough to guess sitting on my
> > webserver.  Its purpose is to write out a file with the ip address of
> > the person who hits that page.  Then, in /etc/hosts.allow I have:
> > sshd: 192.168.9.  #and so on, for ip's that I trust.
> > sshd: /path/to/ip.txt
> 
> Troy,
> 
> While it is unlikely, anyone paying attention (and sniffing the wire) would
> be able to figure out what was going on and add themselves to the list.
> 
> This seems to be akin to "Port Knocking" and security through obscurity.
> 
> Plus it doesn't look like you are removing old entries. So once you surf
> to your secret page and add your IP it stays there until you surf to it again
> and add another IP. So in the meantime the IP is a "good" IP.

That's a good point.  It's easy to do but I've been too lazy to expire the
IP.  Okay, fine:
9       *   *   *   *       > /path/to/ip.txt

Now the bad guys only get a max of one hour.  (heh, at the expense of
really annoying 1/60th of the people who try and get in.)  A better way
would be to expire the IP after X minutes of inactivity.  I have people
who use winscp to transfer files, so the above really wouldn't be nice
to them.  It might also be handy to blacklist IPs after X failed
attempts.

> All an attacker would have to do is spoof or obtain the good IP during 
> your session or after you are done and they are allowed SSH access.

True, let's just hope that with as many eyeballs as have seen the openssh
code, it stays secure.  Oh, I'll bet you really ream me for that
one ;-)

> Like I said it is all very unlikely, but I would advise caution when
> trusting security through obscurity.

Yeah, I'd never "trust" that approach solely.  But as another layer in
the game, I'm cool with it.  And it sure keeps my logs quieter while
allowing clients and friends more convenient access (than a non-standard
port would).  I guess I don't have the aversion to STO that some do.

> P.S., I know Troy, and I know he is a bad ass, so none of the above is
> meant as any kind of personal attack; just an intellectual discussion.

Yes, this has definitely been a productive thread.  For instance I've
never bothered with the "AllowUsers" directive before.  Stupid not to,
but...  

I'm also re-thinking the idea of disabling password auth in favor of key
auth only.

-troy
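An added example, not code from this thread, of the two refinements Troy sketches above: expiring an allowed address after X minutes of inactivity (a successful sshd login counts as activity) and blacklisting an address after X failed attempts. It is written in Python rather than as cron/PHP; the state dict, function names and the sshd log lines are assumptions constructed for the example. The rendered output keeps the one-address-per-line form that `sshd: /path/to/ip.txt` in hosts.allow expects.

```python
import re

# sshd log patterns (syslog format); IPv4 only, matching the original setup.
ACCEPT_RE = re.compile(r"Accepted \S+ for .+? from (\d+\.\d+\.\d+\.\d+)")
FAILED_RE = re.compile(r"Failed \S+ for .+? from (\d+\.\d+\.\d+\.\d+)")

# Constructed sshd log excerpt for the demo; not taken from the original post.
SAMPLE_LOG = """\
Oct  7 14:05:01 host sshd[1234]: Accepted publickey for troy from 192.0.2.10 port 50022 ssh2
Oct  7 14:30:12 host sshd[1300]: Failed password for root from 198.51.100.7 port 4011 ssh2
Oct  7 14:30:15 host sshd[1301]: Failed password for root from 198.51.100.7 port 4012 ssh2
Oct  7 14:30:18 host sshd[1302]: Failed password for invalid user admin from 198.51.100.7 port 4013 ssh2
"""


def touch(state, ip, now):
    """Enrol or refresh an address: this is what the secret PHP page would do."""
    state[ip] = now
    return state


def refresh_from_log(state, log_text, now):
    """A successful login from an already-enrolled address counts as activity,
    so a long winscp session keeps its entry alive (assumes log_text is the
    portion written since the previous run)."""
    for m in ACCEPT_RE.finditer(log_text):
        if m.group(1) in state:
            state[m.group(1)] = now
    return state


def expire(state, now, idle_minutes):
    """Return only the entries seen within the last idle_minutes."""
    cutoff = now - idle_minutes * 60
    return {ip: seen for ip, seen in state.items() if seen >= cutoff}


def failed_attempt_counts(log_text):
    """Count sshd 'Failed ...' lines per source address."""
    counts = {}
    for m in FAILED_RE.finditer(log_text):
        counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def blacklist(log_text, threshold):
    """Addresses with at least `threshold` failures; suitable for a hosts.deny file."""
    return {ip for ip, n in failed_attempt_counts(log_text).items() if n >= threshold}


def render_allow_file(state):
    """One address per line, the form tcp_wrappers reads for 'sshd: /path/to/ip.txt'."""
    return "".join(f"{ip}\n" for ip in sorted(state))
```

Run `expire` and `refresh_from_log` from the same cron job that used to truncate the file, then write `render_allow_file(state)` over ip.txt, so an idle address drops out without kicking an active one.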
