Re: Customer-facing ACLs

From: Mark Foster (no email)
Date: Sat Mar 08 2008 - 02:44:23 EST

  • Next message: Dave Pooser: "Re: Customer-facing ACLs"

    On Sat, 8 Mar 2008, Dave Pooser wrote:

    >
    >> Port 22 outbound? And 23? Telnet and SSH _outbound_ cause that much of a
    >> concern? I can only assume it's to stop clients exploited boxen being used
    >> to anonymise further telnet/ssh attempts - but have to admit this
    >> discussion is the first i've heard of it being done 'en masse'.
    >
    > On one test machine that I leave SSH unfirewalled on, I'll see 200-4000 SSH
    > login attempts per day, trying to brute force it. Lets see, this morning in
    > an eight-minute span from one IP in Aruba 100 attempts for root; other
    > usernames attempted include admin, staff, sales, office, alias, stud (!),
    > trash, guest, test, oracle, a few personal names, apache, svn, iraf, swsoft,
    > gast, sirsi and nagios. And this is a relatively slow day.
    >
    > Telnet I wouldn't know about, but I'm told bots will try to force it as
    > well.

    Oh, there's plenty of names in one of my server logs too... looks almost
    like they've gone through a name-choosing handbook.

    I can understand the logic of dropping the port, but there's some
    additional thought involved when looking at port 22 - maybe I'm not
    well-read enough, but the bots I've seen that are doing SSH scans, etc.,
    are not usually on Windows systems. I can figure them working on Linux
    or MacOS systems - but surely the vast majority of 'vulnerable' hosts are
    those running OSes coming from our favourite megacorp? Which typically
    don't come shipped with either an SSH server or an SSH client...?

    To me, at least half the users likely to be running either Linux or Mac
    are going to be the same users who're going to request they be allowed
    outbound SSH.... is the blocking of outbound SSH considered to be
    sufficiently useful that we're advocating it these days?

    (Aren't we all just moving SSH to non-standard ports within our
    networks anyway?)

    ... Mark.
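The brute-force pattern Dave describes (one IP hammering root and a list of stock usernames inside a few minutes) is easy to pull out of sshd's auth log with a sliding-window count per source IP. The following is an added example, not code from the thread or from either poster; the log lines are constructed to mirror the thread's description, and the 8-minute window and 5-attempt threshold are arbitrary assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd auth log lines (syslog format). Not taken from the
# thread; the first source runs through root and stock usernames quickly,
# the second is a legitimate user with a single typo'd password.
SAMPLE_LOG = """\
Mar  8 07:01:02 host sshd[1201]: Failed password for root from 203.0.113.5 port 50210 ssh2
Mar  8 07:01:05 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 50214 ssh2
Mar  8 07:01:09 host sshd[1205]: Failed password for invalid user staff from 203.0.113.5 port 50218 ssh2
Mar  8 07:02:11 host sshd[1207]: Failed password for root from 203.0.113.5 port 50222 ssh2
Mar  8 07:03:40 host sshd[1209]: Failed password for invalid user oracle from 203.0.113.5 port 50230 ssh2
Mar  8 07:05:12 host sshd[1211]: Failed password for invalid user nagios from 203.0.113.5 port 50236 ssh2
Mar  8 07:06:00 host sshd[1213]: Accepted publickey for mark from 198.51.100.7 port 41000 ssh2
Mar  8 07:30:00 host sshd[1220]: Failed password for root from 198.51.100.7 port 41010 ssh2
"""

# OpenSSH logs both "Failed password for USER" and
# "Failed password for invalid user USER"; capture either form.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2008):
    """Return (timestamp, source_ip, username) for each failed password line.

    Syslog lines carry no year, so one is supplied (assumed 2008 here to
    match the thread's date). Successful logins are ignored.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def find_bruteforcers(events, window=timedelta(minutes=8), threshold=5):
    """Flag source IPs whose failed attempts in any `window` reach `threshold`.

    Uses a two-pointer sliding window over each IP's sorted attempts, so the
    peak count is found in O(n) per IP. Window and threshold are assumptions.
    """
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda a: a[0])
        peak, start = 0, 0
        for end, (ts, _) in enumerate(attempts):
            while ts - attempts[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = {
                "peak_in_window": peak,
                "total": len(attempts),
                "usernames": sorted({u for _, u in attempts}),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforcers(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {info['peak_in_window']} failures in one window, "
              f"{info['total']} total, usernames tried: {', '.join(info['usernames'])}")
```

The legitimate user with one failed attempt is not flagged, which is the property a per-source threshold buys you over simply counting failures host-wide; whether the output feeds a blocklist or just a report is a policy choice the thread leaves open.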

