Comments
The only defense is multi-layered and employs multiple techniques.
That, plus monitoring/alerting.
Yes, you can do that.
But if I am to scan ports, I would rather scan
1 port/machine * 65,535,000 machines
than 65535 ports/machine * 1,000 machines.
Most scanning behaviors are not targeted and only try a few ports.
I don't quite agree.
1:
This port can be opened without a privileged account, which means I can write a simple script that listens on port 2222 and mimics SSH in order to capture your passwords.
If sshd (root) already occupies port 2222, non-privileged software cannot kick sshd off and listen on that port.
2:
Is it a problem to have so many people banging at the front of your house?
Yes, it is.
For non-targeted scans, if port 22 is found to be open, further attack attempts are likely to happen; if not, they will seldom bother to attack.
That means a machine with port 22 open may receive 100 attack attempts per month, while a machine with port 24739 receives only one.
Given that the other defensive strengths are the same, such a probability does matter.
I admit that if you are targeted, changing port does not help at all.
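To make the two claims in the comment above concrete (a low port needs privilege, and a port a daemon already holds cannot be taken over), here is an added probe script. It is example code written for this page, not something posted in the thread; `probe`, `hold_port` and `takeover_possible` are names chosen here, and the 1024 boundary is the Linux default for `net.ipv4.ip_unprivileged_port_start`.

```python
"""Probe what an unprivileged process can and cannot bind to.

Added example (not from the thread). Demonstrates that a low port such as
22 is refused to an unprivileged process, that 2222 is not, and that a port
already held by a listening daemon cannot be taken over by another process.
"""
import errno
import os
import socket


def probe(port: int, host: str = "127.0.0.1") -> str:
    """Try to bind and listen on `port`; report why it is or is not possible.

    Returns "bound", "permission-denied", "in-use", or the errno name for
    anything else. The socket is closed before returning, so nothing is
    left listening.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        sock.listen(1)
        return "bound"
    except PermissionError:
        # EACCES: ports below net.ipv4.ip_unprivileged_port_start (1024 by
        # default on Linux) need root or CAP_NET_BIND_SERVICE.
        return "permission-denied"
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            # Another socket (e.g. sshd) already listens here; a second
            # process cannot evict it, whatever its privilege level.
            return "in-use"
        return errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()


def hold_port(host: str = "127.0.0.1") -> socket.socket:
    """Stand in for a daemon such as sshd: listen on an ephemeral port and
    return the live socket so the caller can read the port number."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, 0))  # port 0: the kernel picks a free ephemeral port
    sock.listen(1)
    return sock


def takeover_possible(port: int) -> bool:
    """True if a fresh process could start listening on `port` right now."""
    return probe(port) == "bound"


if __name__ == "__main__":
    print(f"running as uid {os.geteuid()}")
    for p in (22, 2222):
        print(f"port {p}: {probe(p)}")
    # While the stand-in daemon holds its port, nobody else can bind it.
    daemon = hold_port()
    held = daemon.getsockname()[1]
    print(f"port {held} while a daemon holds it: {probe(held)}")
    daemon.close()
    print(f"port {held} after the daemon exits: {probe(held)}")
```

Run it once as a normal user and once as root: the first run reports `permission-denied` for 22 and `bound` for 2222 (if nothing else is listening there), the second binds both. The held-port case comes out `in-use` either way, which is the point of the second claim; the moment the daemon exits, the port is free for anyone.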
Comment moved to own thread (Tutorial) here:
http://lowendtalk.com/discussion/24428/tutorial-iptables-geoip-port-knocking-and-port-scan-detection
I installed it and locked myself out when I forgot which port I moved my ssh to and had to run nmap. /s
nvm
@hwdsl2 I kid
Moving SSH to a different port has stopped all SSH brute force attacks I was seeing. I've noticed that some networks are scanned far more often than others, i.e. I see a lot more attacks against SingleHop IPs than other providers.
I know that changing the SSH port is "security through obscurity" and will not protect me against a determined attacker, however it does stop all the drive-by attacks from scanner bots. I've been working on deploying CSF on all of my machines, my only complaint is that the built-in WebUI is awful. I'm more than capable of managing CSF via SSH, however sometimes the WebUI is just more convenient.
The built-in WebUI just eats CPU while it's active, I need to see how CSF is interfaced with cPanel and Webmin to see if it's possible to use my own webserver instead of the built in LFD daemon.
I'm new to the low end box world and finding it very interesting.
I've configured iptables to only allow SSH access from my home and office IPs.
I've also configured it to not allow root to SSH directly.
One has Webmin installed and the other WHM DNSONLY, and I've configured those with the same IP restrictions...
One server is a backup DNS so I definitely need DNS open on it, and the other has no need to interact with anyone other than my own servers... are there other ports/applications I should be securing?
csf - lfd in ALL servers, fail2ban in VoIP servers
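Several posts above rely on CSF/LFD or fail2ban to turn failed SSH logins into bans. The following added example (written for this page; it is neither fail2ban's nor CSF's code) re-implements the core rule those tools apply to sshd logs: ban a source once it produces `maxretry` failures inside any `findtime`-second window. The log lines are constructed for the example, `LOG_YEAR` is an assumption because classic syslog timestamps carry no year, and the thresholds are fail2ban's stock defaults (5 retries in 10 minutes).

```python
"""Fail2ban-style SSH brute-force detection over auth.log lines.

Added example, not from the thread or from fail2ban/CSF. Finds source IPs
that produce MAXRETRY failed sshd logins inside any FINDTIME-second window.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_YEAR = 2014   # assumption: syslog timestamps have no year
MAXRETRY = 5      # fail2ban default
FINDTIME = 600    # seconds; fail2ban default of 10 minutes

# Matches the sshd failure lines fail2ban's sshd filter keys on.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?\S+ "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: one fast brute force and one slow one spaced 15 min apart.
SAMPLE_LOG = """\
Jan 12 03:14:01 vps sshd[2101]: Failed password for root from 203.0.113.5 port 41234 ssh2
Jan 12 03:14:03 vps sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 41240 ssh2
Jan 12 03:14:05 vps sshd[2105]: Failed password for invalid user oracle from 203.0.113.5 port 41251 ssh2
Jan 12 03:14:07 vps sshd[2107]: Accepted publickey for deploy from 198.51.100.7 port 50001 ssh2
Jan 12 03:14:09 vps sshd[2109]: Failed password for invalid user test from 203.0.113.5 port 41263 ssh2
Jan 12 03:14:11 vps sshd[2111]: Failed password for root from 203.0.113.5 port 41270 ssh2
Jan 12 03:20:00 vps sshd[2150]: Failed password for root from 198.51.100.9 port 33001 ssh2
Jan 12 03:35:00 vps sshd[2160]: Failed password for root from 198.51.100.9 port 33002 ssh2
Jan 12 03:50:00 vps sshd[2170]: Failed password for root from 198.51.100.9 port 33003 ssh2
Jan 12 04:05:00 vps sshd[2180]: Failed password for root from 198.51.100.9 port 33004 ssh2
Jan 12 04:20:00 vps sshd[2190]: Failed password for root from 198.51.100.9 port 33005 ssh2
"""


def parse_failures(lines):
    """Yield (timestamp, source_ip) for each failed-auth line; skip the rest."""
    for line in lines:
        m = FAILURE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"]


def find_bans(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return {ip: timestamp of the failure that triggered its ban}.

    Sliding window per IP: failures older than `findtime` seconds are
    dropped before counting, so only a burst of `maxretry` within the
    window bans. An IP that is already banned is ignored afterwards, as
    fail2ban's firewall rule would drop its packets.
    """
    window = defaultdict(list)
    banned = {}
    for ts, ip in parse_failures(lines):
        if ip in banned:
            continue
        w = window[ip]
        w.append(ts)
        while w and (ts - w[0]).total_seconds() > findtime:
            w.pop(0)
        if len(w) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

With the defaults only 203.0.113.5 is banned (five failures in ten seconds). The slow attacker at 198.51.100.9 never has five failures inside any ten-minute window and stays under the radar; widening `findtime` to two hours catches it, which is the trade-off a real jail config makes between catching low-and-slow guessing and locking out a user who fat-fingers a password a few times.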
Also disable passwords altogether and use SSH keys for authentication