> I can understand the logic of dropping the port, but theres some > additional thought involved when looking at Port 22 - maybe i'm not > well-read enough, but the bots I've seen that are doing SSH scans, etc, > are not usually on Windows systems. I can figure them working on Linux, > MacOS systems - but surely the vast majority of 'vulnerable' hosts are > those running OS's coming from our favourite megacorp? Which typically > don't come shipped with neither SSH server nor SSH client... ?
They typically don't ship with an SMTP server either. Considering that my preferred SSH client for Windows weighs in as a single 412k .exe, I'd imagine that bot designers are just writing their own SSH clients for brute-forcing. > To me, at least half the users likely to be running either Linux or Mac > are going to be the same users who're going to request they be allowed > outbound SSH.... is the blocking of outbound SSH considered to be > sufficiently useful that we're advocating it these days? Half the Mac users? You think? I know a dozen or so sysadmins who use Macs, and about a hundred users who wouldn't know SSH from PCP; I think that's probably a slightly skewed sample considering I'm a Mac geek who hangs around with Mac geeks, and I'd guess the consumer users are a larger percentage of the real-life population. I'd expect the number of folks who want SSH unblocked to be under 1% of a consumer broadband network, and probably closer to 0.1% or so. And again, it ought to be trivial to let your users unblock the system, either via phone call or via self-service Web page (though in the latter case you'd better use a captcha or something so the bot doesn't automatically unblock itself). -- Dave Pooser, ACSA Manager of Information Services Alford Media http://www.alfordmedia.com
