Mailing List Archive



Re: [tlug] Blocking bad sshd bruteforce attempt



One more thought on this. I recall reading a howto a while back (too lazy
to google it right now) that showed how to set-up a daemon on the target
machine to watch for SYN packets to some combination of ports in sequence
and *only then* would it open up a hole in the firewall.

For example, to connect to the machine you would try to open a connection
on ports 93, 56, and 111, in that order and within some finite time limit.
The ports in question would not respond, of course, but your firewall can
still pass the connect attempt to the waiting daemon (just log the packet
and drop it). When the daemon sees the correct combination, it would pass
a command to iptables to open the SSH port (which can still be on some
obscure high-numbered port).

This is still security by obscurity but... it's so incredibly obscure that
the probability of NMAP hitting this combination completely by accident is
microscopic. Even a complete port scan would not reveal your secret. If
you combine this with complete firewall blockage for random port scans on
other ports, you would also make it difficult to find the port combination
by trial-and-error.

I guess all this assumes you have something on the machine that's worth
going to all this trouble to protect and worth some hacker's time to get.
What you're seeing in your log is probably just someone looking for an
easy target so just choosing a strong password is probably good enough.

---
Joseph L (Joe) Larabell            Never fight with a dragon
http://larabell.org                     for thou art crunchy
                                  and goest well with cheese.
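The knock-watching daemon the post describes, as an added example (not the poster's code, nor any particular howto's): it replays firewall LOG lines for dropped SYNs through a per-source sequence tracker and builds the iptables command that would admit only that source to SSH. The log line format, the 10-second window and port 22 are assumptions; the sample log is constructed.

```python
import re

KNOCK_SEQUENCE = [93, 56, 111]  # the sequence from the post
KNOCK_WINDOW = 10.0             # seconds allowed to finish the sequence (assumption)
SSH_PORT = 22                   # port to open for a successful knocker (assumption)

# Constructed sample of firewall LOG lines for dropped SYNs ("<ts> ... SRC=... DPT=...").
SAMPLE_LOG = """\
1000.0 IN=eth0 SRC=198.51.100.7 PROTO=TCP DPT=93 SYN
1001.5 IN=eth0 SRC=198.51.100.7 PROTO=TCP DPT=56 SYN
1002.0 IN=eth0 SRC=192.0.2.44 PROTO=TCP DPT=93 SYN
1002.5 IN=eth0 SRC=192.0.2.44 PROTO=TCP DPT=80 SYN
1003.0 IN=eth0 SRC=198.51.100.7 PROTO=TCP DPT=111 SYN
1020.0 IN=eth0 SRC=192.0.2.44 PROTO=TCP DPT=56 SYN
"""
LOG_RE = re.compile(r"^(?P<ts>[\d.]+) .*SRC=(?P<src>\S+) .*DPT=(?P<dpt>\d+)")


class KnockTracker:
    def __init__(self, sequence, window):
        # state: src -> (index of the next expected knock, time of the first knock)
        self.sequence, self.window, self.state = list(sequence), window, {}

    def observe(self, src, port, ts):
        """Record one SYN; return True when src completes the sequence in time."""
        idx, start = self.state.get(src, (0, ts))
        if idx == 0 or ts - start > self.window:   # fresh attempt, or too slow: start over
            idx, start = 0, ts
        if port == self.sequence[idx]:             # the expected knock
            idx += 1
        elif port == self.sequence[0]:             # wrong knock, but it begins a new attempt
            idx, start = 1, ts
        else:                                      # any other port (e.g. a scan) resets progress
            idx = 0
        if idx == len(self.sequence):
            self.state.pop(src, None)
            return True
        self.state[src] = (idx, start)
        return False


def open_rule(src):
    # iptables command admitting only this source to the SSH port (built here, not executed)
    return f"iptables -I INPUT -p tcp -s {src} --dport {SSH_PORT} --syn -j ACCEPT"


def process_log(text):
    # Replay log lines through one tracker; return the rules that would be applied.
    tracker, rules = KnockTracker(KNOCK_SEQUENCE, KNOCK_WINDOW), []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        if tracker.observe(m["src"], int(m["dpt"]), float(m["ts"])):
            rules.append(open_rule(m["src"]))
    return rules
```

In the sample, only 198.51.100.7 knocks 93, 56, 111 within the window; 192.0.2.44 hits port 80 after its first knock, which resets it, so its later 56 counts for nothing.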

