On 2018-07-02 11:25, Tobias Oetiker wrote:
> Good Morning
>
> Are you running an ssh daemon on non-standard ports to avoid some of the drive-by scanning? We have been doing that for quite some time now with a great reduction of scanning noise ...
I suggest running SSH always behind whitelist-only firewalls.
That, and otherwise use a VPN to get into a fixed IP so that one is in the whitelist.
Providing an "open over IPv6 only" or "SSH via Tor" is also a reasonable technique there.
If you have to run a jumpbox-style host: for SSH, it is also heavily suggested to disable any form of password auth. That way only public key authentication is accepted, and guess what the scanner scripts do not support, as they do not have a key, which thus makes guessing impossible...
for OpenSSH:
    UsePAM no
    PasswordAuthentication no
    ChallengeResponseAuthentication no
Do have working pubkeys on the box first :)
> Since yesterday this has changed ... we are getting a lot of connection attempts ...
> Are you seeing this too? Is someone actively looking for ssh across the whole port range or is this 'personal'?
There are more and more "Internet scanning" services, especially since people realized the amount of data that Shodan shows; every company has its own scanning boxes.
Next to that, of course, there are thousands of kiddies running the default scripts just trying random username/password combinations.
Whitelisting is the best trick in the toolchest.
Greets, Jeroen
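Added example, not code from the thread or from OpenSSH itself: a small POSIX shell audit for the three sshd_config settings Jeroen lists, written to catch the two ways such a change commonly fails in practice. It assumes the parsing rules documented in sshd_config(5): keywords are case-insensitive, "Keyword value" and "Keyword=value" are both accepted, for each keyword the first value in the file wins (so a distro's "PasswordAuthentication yes" near the top overrides a "no" appended later), everything after the first "Match" line applies only to matching connections, and ChallengeResponseAuthentication is the older spelling of KbdInteractiveAuthentication. The function names (effective_value, match_overrides, audit_sshd_config) and the sample config are this example's own; the config is constructed, not taken from any real host.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the password-auth settings the reply
# recommends. Assumed OpenSSH rules (sshd_config(5)): keywords are case-
# insensitive, "Keyword value" and "Keyword=value" are both accepted, the FIRST
# value of a keyword in the file wins, and everything after the first "Match"
# line only applies to matching connections. ChallengeResponseAuthentication is
# treated as the older name of KbdInteractiveAuthentication.
# Function names and the sample config below are this example's own.

# effective_value FILE PATTERN -> first global value of any keyword matching the
# lowercase regex PATTERN (e.g. "usepam"); prints nothing if it is unset
effective_value() {
    awk -v pat="^($2)\$" '
        { gsub(/=/, " ") }                      # normalise Keyword=value
        /^[[:space:]]*#/ || NF == 0 { next }    # comments and blank lines
        tolower($1) == "match" { exit }         # global section is over
        tolower($1) ~ pat { print $2; exit }    # first occurrence wins
    ' "$1"
}

# match_overrides FILE PATTERN -> "criteria: value" for each matching keyword
# that is set inside a Match block
match_overrides() {
    awk -v pat="^($2)\$" '
        { gsub(/=/, " ") }
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { crit = $0; sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "", crit); next }
        crit != "" && tolower($1) ~ pat { print crit ": " $2 }
    ' "$1"
}

# audit_sshd_config FILE -> one OK/FAIL/WARN line per check; returns 0 only if
# nothing FAILed
audit_sshd_config() {
    file=$1
    status=0
    # Include (OpenSSH 8.2+) pulls in files whose values come first; this
    # single-file audit does not follow them, so say so.
    if grep -Eiq '^[[:space:]]*Include([[:space:]]|=)' "$file"; then
        echo "WARN Include present; check the effective config with 'sshd -T'"
    fi
    # label : lowercase keyword regex : value wanted : default when unset
    for spec in \
        'PasswordAuthentication:passwordauthentication:no:yes' \
        'KbdInteractiveAuthentication:kbdinteractiveauthentication|challengeresponseauthentication:no:yes' \
        'UsePAM:usepam:no:no'
    do
        label=${spec%%:*}; rest=${spec#*:}
        pattern=${rest%%:*}; rest=${rest#*:}
        want=${rest%%:*}; default=${rest#*:}
        val=$(effective_value "$file" "$pattern")
        if [ -z "$val" ]; then
            val=$default; origin=" (unset, default)"
        else
            origin=""
        fi
        if [ "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" = "$want" ]; then
            echo "OK   $label $val$origin"
        else
            echo "FAIL $label $val$origin"
            status=1
        fi
        match_overrides "$file" "$pattern" | while IFS= read -r line; do
            echo "WARN $label also set in a Match block -> $line"
        done
    done
    return $status
}

# Demo on a constructed config (not a real host's file) that looks hardened
# but is not: the first PasswordAuthentication wins, and a Match block
# re-enables it for one user.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
PasswordAuthentication yes
UsePAM yes
# "hardening" appended later; ignored because the values above come first
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User deploy
    PasswordAuthentication yes
EOF
audit_sshd_config "$demo_cfg" || echo "audit FAILED: do not expose this sshd yet"
rm -f "$demo_cfg"
```

The script only reads the file it is given; the authoritative answer on a live box is `sshd -T`, which prints the effective configuration after all Include files are merged, and `sshd -T -C user=...,addr=...` evaluates the Match blocks for a specific connection. Run either of those before opening the port, and, as the reply says, make sure a working public key is in place first.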