Thursday, September 16, 2010

Thoughtless Dogmatic Adherence

FLG has an SSH server at his house. He's mentioned this before. Anyway, he read this page, SSH Password Authentication: Threats and Countermeasures, with much interest because, well, he doesn't want his SSH server hacked. He was extremely disappointed with this paragraph:
The default TCP port used by SSH is 22. It is understandable therefore that practically all anonymous SSH brute force attempts are only targeting TCP port 22. While we do not generally consider running the service on an alternative port a reliable measure to enhance SSH password authentication security long-term, it can offer some limited protection. We consider this a short term hack and ideally a site with a sound security posture would not need to change this option.

Read that again, if you need to. Practically all anonymous SSH brute force attempts are only targeting TCP port 22, BUT they don't consider running SSH on another port a reliable measure of protection. This, put simply, is fucking poppycock.

FLG is pretty sure he knows what happened. A bunch of long-haired, fat fucks got together in a room with a case of Mountain Dew. After somebody mentioned he didn't see any attempts on the server he is running on some port other than 22, another guy who looks and sounds like the Comic Book Store guy from The Simpsons said, "That's security through obscurity, which is no security at all." Most of the time, that's true, but it's wrong here.

Yes, it is security through obscurity. And if somebody is deliberately trying to target my server, then moving SSH to another port would delay them precisely the amount of time it takes to run an Nmap scan. But these brute force attacks aren't directed at me specifically. So, I'm safe.

Now, these brute force people could easily write a script that runs a port scan, looks for SSH running on another port, and then tries to brute force it. But that takes time. Time that is precious. There are a gazillion devices on the Internet. Scanning every one of them on all 65,535 ports because some people may have moved SSH to another port just doesn't survive a rudimentary cost-benefit analysis.

If you aren't protecting 30 billion in gold, then you don't need to worry that you don't have Ft. Knox. You just have to be more secure than the house next door. In this case, switching to another port does that.

This isn't to say that FLG didn't take other precautions. He has a strong password, has restricted SSH access so that it can only be reached from his work, and has taken a variety of other measures. But to tell you the truth, switching to another port is all that was needed to stop ALL the brute force attacks on his machine. He's checked the logs and has never seen a single one since he moved from port 22.
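What those precautions look like in practice, as an added example that is not code from the original post: the sshd_config directives that move the service off port 22 and restrict logins to one account from one source network, plus a log check that turns "no attempts since the move" into a count. The port number 2222, the login name flg, the work network 203.0.113.0/24 and the sample auth.log lines are all assumptions constructed for this example; Port and AllowUsers are standard OpenSSH sshd_config keywords.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumptions (not from the page): the new port is 2222, the account is "flg",
# and the work network is 203.0.113.0/24 (an RFC 5737 documentation range
# standing in for the real one). The log lines below are constructed.

# Part 1: sshd_config directives for "move off 22" and "only from work".
# Port and AllowUsers are standard OpenSSH sshd_config keywords; the
# user@address form of AllowUsers accepts CIDR notation.
sshd_config_fragment() {
    cat <<'EOF'
# Listen somewhere other than 22 so opportunistic scanners never see the service.
Port 2222
# Only this account, and only from the work network, may even attempt a login.
AllowUsers flg@203.0.113.0/24
EOF
}

# Part 2: constructed auth.log excerpt. OpenSSH logs failures as
# "Failed password for [invalid user] NAME from ADDR port N ssh2", where
# "port N" is the client's source port, not the port sshd listens on.
write_sample_log() {
    cat > "$1" <<'EOF'
Sep 15 03:12:44 home sshd[4121]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Sep 15 03:12:46 home sshd[4121]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Sep 15 03:12:49 home sshd[4125]: Failed password for root from 198.51.100.7 port 51251 ssh2
Sep 15 04:01:02 home sshd[4130]: Failed password for flg from 192.0.2.9 port 40011 ssh2
Sep 15 08:30:10 home sshd[4140]: Accepted password for flg from 203.0.113.20 port 50012 ssh2
EOF
}

# Part 3: the log check. Count failed password attempts per source address,
# busiest first, so "no attempts since the move" is a number, not a feeling.
failed_logins_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") count[$(i + 1)]++
         }
         END { for (ip in count) printf "%d %s\n", count[ip], ip }' "$1" | sort -rn
}

# Total failed attempts; prints 0 (and still succeeds) on a clean log.
failed_login_total() {
    grep -c 'sshd\[[0-9]*\]: Failed password for' "$1" || true
}

# Stand-alone run: write the sample, show the config fragment and the report.
log=$(mktemp)
write_sample_log "$log"
echo "--- sshd_config fragment ---"
sshd_config_fragment
echo "--- failed logins by source ---"
failed_logins_by_source "$log"
echo "total failed: $(failed_login_total "$log")"
rm -f "$log"
```

Run it as-is to see the report for the constructed log; point failed_logins_by_source at a real /var/log/auth.log to check your own server. The check groups by source address rather than by port because the "port N" field in those log lines is the client's ephemeral port, not the one sshd listens on. AllowUsers refuses the login before the password is ever checked, which is what makes the "only from work" restriction hold even if a scanner does find the new port.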

FLG really wishes people would think instead of just repeating mindless tropes.


Creative Commons License
This work is licensed under a Creative Commons Attribution-No Derivative Works 3.0 United States License.