On 05/10/2009 at 22:55, Andrew Kuriger wrote:
> I agree it's not a bad thing to have sshd running on a non-standard port,
> but just wait until the bot herder with 10,000 bots under his control finds
> out what port you're running it under...

It's like spam filtering: at the time this actually becomes a problem,
we change tactics. It's not about finding the perfect solution, it's
about having a manageable log. My log is being spammed, and changing
the port solves that. "botnet-12-34-56-78.couldntcareless.mx tried to
log into your nonexistent oracle account" is not a very interesting
log message. Someone bruteforcing a valid non-trivial account name on
a non-standard port is, even though they will never succeed.

> If you're receiving 40,000 false logins a day, you're either targeted, or
> extremely popular and probably shouldn't be running sshd that is accessible
> via the internet anyways, aside from port knocking/VPN.

6 normal, very boring colo-servers here. 40.000 login attempts a day
per server on port 22 sounds about right - that's still almost nothing
translated to bandwidth. I use only key-based auth and the bots were
still trying, so I'm pretty sure it's just someone trying to
bruteforce every IP under the sun looking for low-hanging fruit. I
still need ssh access for normal admin work so disabling ssh is not an
option.
Erik
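
Added example, not part of the original mail: a small triage pass over sshd log lines that separates the background noise described above (guesses at nonexistent or trivial account names) from failed logins against a real, non-trivial account. The sample log lines, host name, addresses and the `REAL_ACCOUNTS` set are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in OpenSSH's syslog style (not from the original mail).
SAMPLE_LOG = """\
Oct  5 22:41:07 colo1 sshd[4101]: Invalid user oracle from 203.0.113.7
Oct  5 22:41:09 colo1 sshd[4101]: Failed password for invalid user oracle from 203.0.113.7 port 51122 ssh2
Oct  5 22:41:15 colo1 sshd[4107]: Failed password for invalid user test from 203.0.113.7 port 51140 ssh2
Oct  5 22:43:02 colo1 sshd[4120]: Failed password for root from 198.51.100.23 port 40211 ssh2
Oct  5 22:50:31 colo1 sshd[4188]: Failed publickey for erik from 192.0.2.55 port 60211 ssh2
Oct  5 22:50:33 colo1 sshd[4188]: Failed publickey for erik from 192.0.2.55 port 60214 ssh2
Oct  5 22:55:00 colo1 sshd[4200]: Accepted publickey for erik from 192.0.2.10 port 50022 ssh2
"""

# Matches "Failed <method> for [invalid user ]<name> from <addr>".
# The separate "Invalid user ..." line is skipped so attempts are not counted twice.
FAILED = re.compile(r"sshd\[\d+\]: Failed \S+ for (invalid user )?(\S+) from (\S+)")

# Assumption: accounts that exist on this host and are not trivial guesses.
# "root" exists but every bot tries it, so it is deliberately left out.
REAL_ACCOUNTS = {"erik"}


def triage(log_text, real_accounts=REAL_ACCOUNTS):
    """Return (noise, interesting) counters of failed logins.

    noise:       source address -> attempts at nonexistent or trivial names
    interesting: (user, source address) -> attempts at a real account
    """
    noise, interesting = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        invalid, user, src = m.groups()
        if invalid is None and user in real_accounts:
            interesting[(user, src)] += 1
        else:
            noise[src] += 1
    return noise, interesting


if __name__ == "__main__":
    noise, interesting = triage(SAMPLE_LOG)
    print(f"{sum(noise.values())} noise attempts from {len(noise)} sources")
    for (user, src), n in interesting.most_common():
        print(f"REVIEW: {n} failed logins for '{user}' from {src}")
```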