[HECnet] Telnet/SSH attacks

Sampsa Laine sampsa at mac.com
Tue Nov 26 15:01:00 PST 2013


On 26 Nov 2013, at 22:56, "Brian Schenkenberger, VAXman-" <system at TMESIS.COM> wrote:

Dennis Boone <drb at msu.edu> writes:

Am I the only one who's almost constantly being hit by login scans
(usually from China or weird places like Kazakhstan - sorry Oleg) on
their Internet facing Telnet/SSH ports?

It's not like they get in or anything, my guess is that this is just
part of a larger scan so if you guys are getting hit as well, I won't
worry that I'm being targeted :)

Pretty much if it's connected to the internet, it's getting
dictionary-scanned on any open telnet and ssh ports. The scanners have
gotten a little smarter in the last 8 years or so -- they no longer
generate so many parallel connections that you notice them because of
load or socket starvation.

I put in firewall rules to block addresses which generate too many ssh
connections in a period of time, mostly to prevent the log spam.

Stupid! Disable TELNET for anything but your local net. You do NOT want
plain text sent over the internet!

As for SSH, moving it off of port 22 seems to quiet things down. Use one
of the port numbers in the ephemeral range like 22222. Of course, you'll
need to tell your ssh client that you're using a different port using the
-p option.

-- 
VAXman- A Bored Certified VMS Kernel Mode Hacker       VAXman(at)TMESIS(dot)ORG

Well I speak to machines with the voice of humanity.


I agree with both points for production "real" boxes, SSH in pubkey mode on random port, no telnet.

But for public access hobby systems that significantly increases the barrier to entry for new users. I run SSH but in pubkey mode only, Telnet is used by the vast majority of my users, these are hobby systems, I haven't had any complaints.
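
The rate-based blocking mentioned earlier in the thread, sketched as an added example (not code from any poster): it counts failed SSH logins per source address in a sliding window over constructed OpenSSH-style syslog lines and returns the addresses a firewall rule would block. The function name, the thresholds and the use of failed-login lines as a stand-in for connection counts are assumptions. The second sample source shows why slow, spaced-out scanners slip under such a limit.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH syslog format (documentation address ranges).
SAMPLE_LOG = """\
Nov 26 14:58:01 hobby sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Nov 26 14:58:03 hobby sshd[2102]: Failed password for root from 203.0.113.7 port 40118 ssh2
Nov 26 14:58:04 hobby sshd[2103]: Accepted publickey for sampsa from 198.51.100.20 port 51515 ssh2
Nov 26 14:58:06 hobby sshd[2104]: Failed password for invalid user test from 203.0.113.7 port 40125 ssh2
Nov 26 14:58:09 hobby sshd[2105]: Failed password for root from 203.0.113.7 port 40131 ssh2
Nov 26 14:59:30 hobby sshd[2110]: Failed password for invalid user oracle from 192.0.2.44 port 33001 ssh2
Nov 26 15:04:30 hobby sshd[2150]: Failed password for invalid user oracle from 192.0.2.44 port 33950 ssh2
Nov 26 15:09:30 hobby sshd[2190]: Failed password for invalid user oracle from 192.0.2.44 port 34872 ssh2
Nov 26 15:14:30 hobby sshd[2230]: Failed password for invalid user oracle from 192.0.2.44 port 35790 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


def addresses_to_block(log_text, max_hits=3, window=timedelta(seconds=60), year=2013):
    """Return sources with more than max_hits failed logins inside any window.

    Syslog lines carry no year, so one is supplied (assumed) for parsing.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits = recent[m["ip"]]
        hits.append(when)
        while when - hits[0] > window:  # drop attempts older than the window
            hits.popleft()
        if len(hits) > max_hits and m["ip"] not in flagged:
            flagged.append(m["ip"])
    return flagged


if __name__ == "__main__":
    print("60 s window:  ", addresses_to_block(SAMPLE_LOG))
    print("20 min window:", addresses_to_block(SAMPLE_LOG, window=timedelta(minutes=20)))
```

With the default 60-second window only the fast scanner is flagged; widening the window to 20 minutes also catches the source that tries once every five minutes.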


