Hey Tobi
Not seeing what you are seeing, but I can really recommend Fail2Ban if you are not using it already.
It's as simple as:
*** snip 8< ***
# Install fail2ban
apt install fail2ban
# Set log level to VERBOSE in sshd daemon to catch failed logins for existing accounts as well
cat >> /etc/ssh/sshd_config <<EOF
LogLevel VERBOSE
EOF
systemctl restart sshd
*** >8 snap ***
Failed attempts will now be logged and source IPs will be banned after several failed attempts.
Cheers,
Manuel
--
Manuel Schweizer
cloudscale.ch AG
Venusstrasse 29
CH-8050 Zürich
Fon: +41 44 55 222 55
Fax: +41 44 55 222 56
Web: https://www.cloudscale.ch
> On 2 Jul 2018, at 11:42, Jeroen Massar <jeroen@massar.ch> wrote:
>
> On 2018-07-02 11:25, Tobias Oetiker wrote:
>> Good Morning
>>
>> are you running an ssh daemon on non standard ports to avoid some of the
>> drive-by-scanning ? we have been doing that for quite some time now with
>> great reduction of scanning noise ...
>
> I suggest running SSH always behind white-list only firewalls.
>
> That, and otherwise use a VPN to get in to a fixed-IP so that one is in
> the whitelist.
>
> Providing an 'open over IPv6 only', or "SSH via Tor" is also a
> reasonable technique there.
>
>
> If you have to run a jumpbox style host: For SSH, it is also heavily
> suggested to disable any form of password-auth, that way, only public
> key authentication is accepted and guess what the scanner scripts do not
> support as they do not have a key which thus makes guessing impossible...
>
> for OpenSSH:
> UsePAM no
> PasswordAuthentication no
> ChallengeResponseAuthentication no
>
> Do have working pubkeys on the box first :)
>
>
>> since yesterday this has changed
>> ... we are getting a lot of connection attempts ...
>>
>> are you seeing this too ? is someone actively looking for ssh across the
>> whole port range or is this 'personal' ?
>
> There are more and more "Internet scanning" services, especially since
> people realized the amount of data that Shodan shows, every company is
> having their own scanning boxes.
>
> Next to that of course, there are thousands of kiddies running the
> default scripts just trying random username/passwords.
>
> Whitelisting is the best trick in the toolchest.
>
> Greets,
> Jeroen
>
>
> _______________________________________________
> swinog mailing list
> swinog@lists.swinog.ch
> http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
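
Added example, not part of the original thread or any poster's own code: a check of an sshd_config against the settings suggested above (LogLevel VERBOSE plus the three password-auth lines). It shows that sshd uses the first value it reads for a keyword, so a line appended to the end of the file has no effect when the keyword is already set earlier, and lands inside a Match block if one is last in the file. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example. sshd uses the first value it reads for a keyword, so a
# LogLevel line appended to the end of sshd_config is ignored when the keyword
# is already set further up. For a live daemon, `sshd -T` prints the effective
# configuration; this parser reads one file and does not follow Include lines.

# effective_value FILE KEYWORD: print the first global (pre-Match) value, lowercased.
effective_value() {
    awk -F '[ \t=]+' -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        { sub(/^[ \t]+/, "") }                    # drop leading whitespace, re-split
        /^(#|$)/ { next }                         # skip comments and blank lines
        tolower($1) == "match" { exit }           # global section ends here
        tolower($1) == want { print tolower($2); exit }   # first value wins
    ' "$1"
}

# audit_sshd FILE: report settings that differ from the advice in the thread.
# Returns the number of findings (0 means the file matches the advice).
audit_sshd() {
    findings=0
    for pair in passwordauthentication=no challengeresponseauthentication=no \
                usepam=no loglevel=verbose; do
        key=${pair%%=*}
        expected=${pair#*=}
        actual=$(effective_value "$1" "$key")
        if [ "$actual" != "$expected" ]; then
            echo "$key: effective '${actual:-unset}', expected '$expected'"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample: LogLevel is already set, and a Match block ends the file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
LogLevel INFO
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication yes
EOF
printf 'LogLevel VERBOSE\n' >> "$sample"    # the append from the thread

audit_sshd "$sample" || echo "findings: $?"
```

On the constructed sample the appended LogLevel VERBOSE is reported as ineffective (the effective value stays `info`), alongside the UsePAM mismatch.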