comp.security.ssh: SSH secure remote login and tunneling tools.

#1

Hi Folks,

Similar to another recent thread, "Options to block brute force attacks," I have become paranoid about leaving my ssh port open because I, too, have noticed many connection attempts from unknown domains.

If we presume that my password is at least moderately strong, then how likely is it that any type of ssh attack will succeed? Is it really unsafe to leave the ssh port open? I don't see how, since large systems like NC State's computer systems allow ssh logins 24/7.

So I guess I'm asking what exactly are the threats, and how likely are they to succeed? Also, of course, short of just closing the port, what can I do to protect myself?

--
% Randy Yates % "I met someone who looks alot like you,
%% Fuquay-Varina, NC % she does the things you do,
%%% 919-577-9882 % but she is an IBM."
%%%% <yates@ieee.org> % 'Yours Truly, 2095', *Time*, ELO
http://home.earthlink.net/~yatescr

#2

Randy Yates wrote:
> Similar to another recent thread, "Options to block brute force attacks,"
> I have become paranoid about leaving my ssh port open because I, too,
> have noticed many connection attempts from unknown domains.
>
> If we presume that my password is at least moderately strong, then
> how likely is it that any type of ssh attack will succeed?

With a moderately strong password, very unlikely.

You can calculate the probability of breaking a password (average number of attempts) and calculate the time needed to reach that average number. The larger the time the less likely an attacker will even keep trying.

> Is it really unsafe to leave the ssh port open?

No.

> I don't see how, since large systems like NC State's computer systems
> allow ssh logins 24/7.
>
> So I guess I'm asking what exactly are the threats, and how likely are
> they to succeed?

The ones that succeed are mostly due to very weak passwords.

> Also, of course, short of just closing the port, what
> can I do to protect myself?

Use sshd options wisely. With AllowUsers/AllowGroups a system can be made highly secure, just close all the "well known" accounts (if you look at the sshd log, most attacks are not really dictionary attacks, but go for a few well known account names; but don't let your guard down, there are dictionary attacks), so you can make the attacker's job more complex: guess the user name and the password.

Regards.
--
René Berber
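
An added example, not part of the thread and not any poster's code, of the log check described in the post above: it tallies which account names the failed password attempts in an sshd log are aimed at, and how many of them an AllowUsers list would reject whatever password is guessed. The log lines, the account name `alice` and the function name `summarize` are constructed for illustration, and AllowUsers is treated as a plain list of names (no `user@host` patterns).

```python
import re
from collections import Counter

# Constructed sample in OpenSSH's syslog format; documentation-range addresses.
SAMPLE_LOG = """\
Mar  3 02:11:07 host sshd[4101]: Failed password for root from 203.0.113.5 port 40112 ssh2
Mar  3 02:11:09 host sshd[4103]: Failed password for invalid user admin from 203.0.113.5 port 40120 ssh2
Mar  3 02:11:12 host sshd[4105]: Failed password for invalid user test from 203.0.113.5 port 40131 ssh2
Mar  3 02:11:15 host sshd[4107]: Failed password for root from 198.51.100.23 port 51544 ssh2
Mar  3 02:14:40 host sshd[4120]: Failed password for alice from 192.0.2.77 port 38810 ssh2
Mar  3 02:15:02 host sshd[4122]: Accepted password for alice from 192.0.2.77 port 38822 ssh2
Mar  3 02:20:31 host sshd[4130]: Failed password for invalid user oracle from 198.51.100.23 port 51602 ssh2
"""

# The user name is supplied by the remote client, so match it greedily and
# anchor on the fixed tail of the line rather than on the first " from ".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>.+) from (?P<ip>\S+) port \d+ ssh2$"
)

def summarize(log_text, allow_users):
    """Count failed password attempts per account name and per source address,
    split by whether the targeted name is on the (hypothetical) AllowUsers list."""
    by_user, by_ip = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            by_user[m["user"]] += 1
            by_ip[m["ip"]] += 1
    rejected = sum(n for user, n in by_user.items() if user not in allow_users)
    return {
        "by_user": by_user,
        "by_ip": by_ip,
        # Attempts that fail whatever password is guessed: name not allowed.
        "rejected_by_allowusers": rejected,
        # Attempts where only the password stands between attacker and login.
        "against_allowed_accounts": sum(by_user.values()) - rejected,
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, allow_users={"alice"})
    for name, count in report["by_user"].most_common():
        print(f"{count:3d}  {name}")
    print("rejected by AllowUsers:", report["rejected_by_allowusers"])
    print("against allowed accounts:", report["against_allowed_accounts"])
```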

#3

"René Berber" <rberber@mailandnews.com> writes:
> Randy Yates wrote:
>
>> Similar to another recent thread, "Options to block brute force attacks,"
>> I have become paranoid about leaving my ssh port open because I, too,
>> have noticed many connection attempts from unknown domains.
>>
>> If we presume that my password is at least moderately strong, then
>> how likely is it that any type of ssh attack will succeed?
>
> With a moderately strong password, very unlikely.
>
> You can calculate the probability of breaking a password (average
> number of attempts) and calculate the time needed to reach that average
> number. The larger the time the less likely an attacker will even keep
> trying.
>
>> Is it really unsafe to leave the ssh port open?
>
> No.
>
>> I don't see how, since large systems like NC State's computer systems
>> allow ssh logins 24/7.
>>
>> So I guess I'm asking what exactly are the threats, and how likely are
>> they to succeed?
>
> The ones that succeed are mostly due to very weak passwords.
>
>> Also, of course, short of just closing the port, what
>> can I do to protect myself?
>
> Use sshd options wisely. With AllowUsers/AllowGroups a system can be
> made highly secure, just close all the "well known" accounts (if you
> look at the sshd log, most attacks are not really dictionary attacks,
> but go for a few well known account names; but don't let your guard
> down, there are dictionary attacks), so you can make the attacker's job
> more complex: guess the user name and the password.
>
> Regards.
> --
> René Berber

Thanks René.

If, in addition to locking up common accounts like root from ssh, I also used an alternate port, and again if my password was moderately strong, how likely would it be to get hacked through sshd?

--
% Randy Yates % "Bird, on the wing,
%% Fuquay-Varina, NC % goes floating by
%%% 919-577-9882 % but there's a teardrop in his eye..."
%%%% <yates@ieee.org> % 'One Summer Dream', *Face The Music*, ELO
http://home.earthlink.net/~yatescr

#4

Randy Yates <yates@ieee.org> writes:
> "René Berber" <rberber@mailandnews.com> writes:
>
>> Randy Yates wrote:
>>
>>> Similar to another recent thread, "Options to block brute force attacks,"
>>> I have become paranoid about leaving my ssh port open because I, too,
>>> have noticed many connection attempts from unknown domains.
>>>
>>> If we presume that my password is at least moderately strong, then
>>> how likely is it that any type of ssh attack will succeed?
>>
>> With a moderately strong password, very unlikely.
>>
>> You can calculate the probability of breaking a password (average
>> number of attempts) and calculate the time needed to reach that average
>> number. The larger the time the less likely an attacker will even keep
>> trying.
>>
>>> Is it really unsafe to leave the ssh port open?
>>
>> No.
>>
>>> I don't see how, since large systems like NC State's computer systems
>>> allow ssh logins 24/7.
>>>
>>> So I guess I'm asking what exactly are the threats, and how likely are
>>> they to succeed?
>>
>> The ones that succeed are mostly due to very weak passwords.
>>
>>> Also, of course, short of just closing the port, what
>>> can I do to protect myself?
>>
>> Use sshd options wisely. With AllowUsers/AllowGroups a system can be
>> made highly secure, just close all the "well known" accounts (if you
>> look at the sshd log, most attacks are not really dictionary attacks,
>> but go for a few well known account names; but don't let your guard
>> down, there are dictionary attacks), so you can make the attacker's job
>> more complex: guess the user name and the password.
>>
>> Regards.
>> --
>> René Berber
>
> Thanks René.
>
> If, in addition to locking up common accounts like root from ssh, I
> also used an alternate port, and again if my password was moderately
> strong, how likely would it be to get hacked through sshd?

Todd H. - I'd also like to hear your input on this since I've been afraid to open up the port ever since you told me it wasn't a good idea.

--
% Randy Yates % "The dreamer, the unwoken fool -
%% Fuquay-Varina, NC % in dreams, no pain will kiss the brow..."
%%% 919-577-9882 %
%%%% <yates@ieee.org> % 'Eldorado Overture', *Eldorado*, ELO
http://home.earthlink.net/~yatescr

#5

"Randy Yates" typed:
> "René Berber" <rberber@mailandnews.com> writes:
>> Use sshd options wisely. With AllowUsers/AllowGroups a system can
>> be made highly secure, just close all the "well known" accounts (if
>> you look at the sshd log, most attacks are not really dictionary
>> attacks, but go for a few well known account names; but don't let
>> your guard down, there are dictionary attacks), so you can make the
>> attacker's job more complex: guess the user name and the password.
>
> If, in addition to locking up common accounts like root from ssh, I
> also used an alternate port, and again if my password was moderately
> strong, how likely would it be to get hacked through sshd?

Substantially less likely. I *always* advocate using a different port for SSH, as well as the various options SSHd supports (some of which Rene Berber mentioned). On some systems I administrate, I know only two or three people will be logging in from within fixed subnets, so I restrict access to SSH at the firewall (but such a solution is not feasible in most environments).

I would, therefore, suggest moving SSH to a different port and using SSHd options to your advantage.

--
Ayaz Ahmed Khan

Then, gently touching my face, she hesitated for a moment as her incredible eyes poured forth into mine love, joy, pain, tragedy, acceptance, and peace. "'Bye for now," she said warmly.
-- Thea Alexander, "2150 A.D."

#6

Randy Yates <yates@ieee.org> writes:
> Todd H. - I'd also like to hear your input on this since I've been
> afraid to open up the port ever since you told me it wasn't a good
> idea.

When we were talking, the ssh configuration was in quite a state of mystery, not knowing what exactly we had running, etc., hence the level of caution.

Assuming you stay on top of patches, and use a strong password (one that isn't based on a dictionary word in any language, uses a mix of letters, numbers, and punctuation, and is oh, 7 or more characters long), you should be fine.

Running on an alternate port is a good idea as it will dramatically cut down the volume of logs you have to review.

Best Regards,
--
Todd H.
http://www.toddh.net/

#7

"Todd H." typed:
> Running on an alternate port is a good idea as it will dramatically
> cut down the volume of logs you have to review.

And in most cases, *completely*, as has been my experience.

--
Ayaz Ahmed Khan

Then, gently touching my face, she hesitated for a moment as her incredible eyes poured forth into mine love, joy, pain, tragedy, acceptance, and peace. "'Bye for now," she said warmly.
-- Thea Alexander, "2150 A.D."

#8

Randy Yates wrote:
> Hi Folks,
>
> Similar to another recent thread, "Options to block brute force attacks,"
> I have become paranoid about leaving my ssh port open because I, too,
> have noticed many connection attempts from unknown domains.
>
> If we presume that my password is at least moderately strong, then
> how likely is it that any type of ssh attack will succeed? Is it
> really unsafe to leave the ssh port open? I don't see how, since
> large systems like NC State's computer systems allow ssh logins
> 24/7.
>
> So I guess I'm asking what exactly are the threats, and how likely are
> they to succeed? Also, of course, short of just closing the port, what
> can I do to protect myself?

Do you really need to use password authentication? Pubkey is much stronger.

Also, I've set my ssh server to listen on a nonstandard port and have never seen even one break-in attempt in the year since I set it up.

#9

Ayaz Ahmed Khan wrote:
> "Todd H." typed:
>> Running on an alternate port is a good idea as it will dramatically
>> cut down the volume of logs you have to review.
>
> And in most cases, *completely*, as has been my experience.

Ditto