From: Henrique de Moraes Holschuh <hmh@hmh.eng.br>
To: Willy Tarreau <w@1wt.eu>
Cc: Steven Rostedt <rostedt@goodmis.org>,
David Miller <davem@davemloft.net>,
greg@kroah.com, linux-kernel@vger.kernel.org
Subject: Re: kernel.org status: hints on how to check your machine for intrusion
Date: Sat, 1 Oct 2011 18:23:21 -0300 [thread overview]
Message-ID: <20111001212321.GE23355@khazad-dum.debian.net> (raw)
In-Reply-To: <20111001183448.GD18690@1wt.eu>
On Sat, 01 Oct 2011, Willy Tarreau wrote:
> > > I haven't allowed sshd to run on port 22 in more than 10 years.
> >
> > I use to do that a long time ago, but I ran into issues because of it.
...
> 443 is pretty nice for connecting from unexpected places ;-)
The better IPS/IDS-protected corporate networks are likely to get annoyed by
SSH signatures showing up on unexpected flows. Such networks typically will
also object to non-SSL flows of any sort over port 443.
YMMV.
> > I probably can go back to a non 22 port without much issue. I have added
> > a bunch of personal checks to this box that gives a report every day. I
> > may add more (from what was posted in this thread already). I also have
> > logwatch and rkhunter running, and just added chkrootkit now.
> >
> > But moving the ssh port again may be a good idea. But I like stressing
> > your net filtering code ;)
>
> BTW ipset is particularly suited for this.
And fail2ban is a ready-made solution to firewall anything that is loitering
around. It is quite popular, so it is likely already packaged by the
distro.
There is no reason to move SSH from port 22, it is just plain safer to use
port-knocking if you want it unreachable most of the time. You should also
avoid password-guessing attacks entirely (some botnets can do distributed
low-speed password guessing attacks, I've seen it happen at work) by always
requiring pubkey auth as one of the credentials.
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
next prev parent reply other threads:[~2011-10-01 21:23 UTC|newest]
Thread overview: 188+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-09-30 23:50 kernel.org status: establishing a PGP web of trust H. Peter Anvin
2011-09-30 23:59 ` kernel.org status: hints on how to check your machine for intrusion Greg KH
2011-10-01 1:15 ` David Miller
2011-10-01 4:54 ` Greg KH
2011-10-01 7:35 ` Willy Tarreau
2011-10-01 14:07 ` Greg KH
2011-10-01 18:06 ` Steven Rostedt
2011-10-01 18:13 ` David Miller
2011-10-01 18:29 ` Steven Rostedt
2011-10-01 18:34 ` Willy Tarreau
2011-10-01 21:23 ` Henrique de Moraes Holschuh [this message]
2011-10-01 21:30 ` Henrique de Moraes Holschuh
2011-10-03 9:28 ` Maarten Lankhorst
2011-10-01 18:40 ` Steven Rostedt
2011-10-01 18:45 ` Steven Rostedt
2011-10-03 9:47 ` gmack
2011-10-01 22:06 ` Frank A. Kingswood
2011-10-03 9:49 ` gmack
2011-10-01 14:17 ` akwatts
2011-10-01 14:28 ` Greg KH
2011-10-01 16:29 ` Andy
2011-10-01 16:56 ` Willy Tarreau
2011-10-01 17:19 ` Andy
2011-10-01 17:54 ` Andreas Schwab
2011-10-01 22:32 ` H. Peter Anvin
2011-10-01 17:54 ` Willy Tarreau
2011-10-01 18:40 ` Andy
2011-10-01 19:06 ` Willy Tarreau
2011-10-01 19:24 ` Greg KH
2011-10-01 20:07 ` Willy Tarreau
2011-10-01 20:29 ` Andreas Schwab
2011-10-01 20:32 ` Willy Tarreau
2011-10-01 20:24 ` Andy
2011-10-01 22:43 ` Willy Tarreau
2011-10-02 0:10 ` H. Peter Anvin
2011-10-02 5:35 ` Willy Tarreau
2011-10-02 1:58 ` tmhikaru
2011-10-02 2:26 ` Greg KH
2011-10-02 3:30 ` Andy
2011-10-02 4:39 ` Greg KH
2011-10-02 6:59 ` Willy Tarreau
2011-10-02 12:03 ` Andy
2011-10-02 18:27 ` Willy Tarreau
2011-10-11 1:16 ` Andrew Watts
2011-10-02 3:31 ` tmhikaru
2011-10-07 9:28 ` Andrea Arcangeli
2011-10-13 2:34 ` Re " Matthew W.S. Bell
2011-10-13 10:59 ` Matthew W.S. Bell
2011-10-18 15:13 ` Jean Delvare
2011-10-18 15:21 ` Greg KH
2011-10-18 16:08 ` Jean Delvare
2011-10-01 14:05 ` kernel.org status: establishing a PGP web of trust Greg KH
2011-10-01 22:07 ` Rafael J. Wysocki
2011-10-01 22:26 ` Greg KH
2011-10-02 23:02 ` Nobuhiro Iwamatsu
2011-10-02 23:09 ` Greg KH
2011-10-03 9:14 ` Steven Rostedt
2011-10-03 14:13 ` Greg KH
2011-10-03 15:09 ` Steven Rostedt
2011-10-01 21:33 ` Rafael J. Wysocki
2011-10-01 22:27 ` H. Peter Anvin
2011-10-01 22:36 ` Randy Dunlap
2011-10-01 22:52 ` Ted Ts'o
2011-10-02 1:04 ` Rafael J. Wysocki
2011-10-02 1:04 ` H. Peter Anvin
2011-10-02 11:54 ` Rafael J. Wysocki
2011-10-02 17:53 ` H. Peter Anvin
2011-10-02 18:14 ` Rafael J. Wysocki
2011-10-02 18:19 ` H. Peter Anvin
2011-10-02 18:39 ` Willy Tarreau
2011-10-02 19:02 ` H. Peter Anvin
2011-10-02 19:24 ` Willy Tarreau
2011-10-02 19:29 ` Rafael J. Wysocki
2011-10-02 18:24 ` Henrique de Moraes Holschuh
2011-10-02 18:31 ` H. Peter Anvin
2011-10-02 19:31 ` Rafael J. Wysocki
2011-10-02 20:42 ` Henrique de Moraes Holschuh
2011-10-03 9:32 ` Adrian Bunk
2011-10-03 16:28 ` Frank Ch. Eigler
2011-10-03 18:04 ` Adrian Bunk
2011-10-04 20:29 ` Valdis.Kletnieks
2011-10-04 22:39 ` Adrian Bunk
2011-10-04 23:17 ` Frank Ch. Eigler
2011-10-05 4:37 ` Valdis.Kletnieks
2011-10-05 7:54 ` Adrian Bunk
2011-10-05 17:06 ` Ted Ts'o
2011-10-05 19:23 ` Adrian Bunk
2011-10-05 19:50 ` Adrian Bunk
2011-10-05 20:09 ` Greg KH
2011-10-05 21:25 ` Adrian Bunk
2011-10-05 23:47 ` Ted Ts'o
2011-10-06 7:16 ` Adrian Bunk
2011-10-05 23:57 ` Thomas Gleixner
2011-10-06 0:07 ` Jeremy Fitzhardinge
2011-10-06 0:18 ` Chris Friesen
2011-10-06 7:30 ` Thomas Gleixner
2011-10-06 17:19 ` Valdis.Kletnieks
2011-10-06 8:04 ` Adrian Bunk
2011-10-06 10:22 ` Thomas Gleixner
2011-10-06 11:10 ` Adrian Bunk
2011-10-06 11:05 ` Josh Boyer
2011-10-06 11:19 ` Adrian Bunk
2011-10-05 4:23 ` Valdis.Kletnieks
2011-10-05 20:00 ` Arnaud Lacombe
2011-10-05 20:19 ` Adrian Bunk
2011-10-05 20:36 ` Arnaud Lacombe
2011-10-05 23:55 ` Greg KH
2011-10-06 0:23 ` Arnaud Lacombe
2011-10-06 0:50 ` Arnaud Lacombe
2011-10-06 5:25 ` Greg KH
2011-10-06 13:44 ` Valdis.Kletnieks
2011-10-06 14:43 ` Arnaud Lacombe
2011-10-06 10:05 ` Alan Cox
2011-10-06 17:05 ` Krzysztof Halasa
2011-10-06 15:58 ` Jon Masters
2011-10-06 17:39 ` Mark Brown
2011-10-06 17:45 ` Krzysztof Halasa
2011-10-06 17:52 ` Mark Brown
2011-10-06 17:48 ` Greg KH
2011-10-06 18:08 ` H. Peter Anvin
2011-10-06 18:14 ` H. Peter Anvin
2011-10-06 19:50 ` Valdis.Kletnieks
2011-10-06 22:16 ` Krzysztof Halasa
2011-10-07 16:29 ` Valdis.Kletnieks
2011-10-07 16:59 ` Greg KH
2011-10-07 16:59 ` Arnaud Lacombe
2011-10-07 18:22 ` Valdis.Kletnieks
2011-10-08 5:02 ` Jon Masters
2011-10-08 14:36 ` Valdis.Kletnieks
2011-10-08 15:28 ` Geert Uytterhoeven
2011-10-08 15:48 ` Krzysztof Halasa
2011-10-08 17:59 ` Jon Masters
2011-10-08 21:06 ` Krzysztof Halasa
2011-10-08 21:09 ` H. Peter Anvin
2011-10-09 3:01 ` Jon Masters
2011-10-08 15:44 ` Krzysztof Halasa
2011-10-08 15:16 ` Krzysztof Halasa
2011-10-05 19:43 ` Arnaud Lacombe
2011-10-02 18:36 ` Randy Dunlap
2011-10-02 22:46 ` Valdis.Kletnieks
2011-10-02 23:16 ` Josh Boyer
2011-10-03 0:24 ` H. Peter Anvin
2011-10-02 22:54 ` Guenter Roeck
2011-10-02 22:58 ` H. Peter Anvin
2011-10-02 23:23 ` Olof Johansson
2011-10-02 23:27 ` H. Peter Anvin
2011-10-03 0:44 ` Jeremy Fitzhardinge
2011-10-03 1:00 ` Dmitry Torokhov
2011-10-03 1:00 ` Guenter Roeck
2011-10-03 1:09 ` Ted Ts'o
2011-10-03 1:21 ` Jeremy Fitzhardinge
2011-10-03 1:22 ` H. Peter Anvin
2011-10-03 1:42 ` Andrew Morton
2011-10-03 1:43 ` H. Peter Anvin
2011-10-03 3:15 ` Geoff Levand
2011-10-03 3:29 ` Ted Ts'o
2011-10-03 3:38 ` Dmitry Torokhov
2011-10-03 3:54 ` Ted Ts'o
2011-10-03 4:02 ` Andrew Morton
2011-10-03 4:33 ` Ted Ts'o
2011-10-03 0:43 ` Lee Mathers
2011-10-03 9:53 ` Jonathan Cameron
2011-10-04 22:34 ` Ralf Baechle
2011-10-05 19:12 ` Maciej W. Rozycki
2011-10-06 13:27 ` Cambridge, UK key signing meeting. Thursday 13th Oct Jonathan Cameron
2011-10-11 16:33 ` Jonathan Cameron
2011-10-02 18:20 ` kernel.org status: establishing a PGP web of trust Henrique de Moraes Holschuh
2011-10-03 1:18 ` Ben Pfaff
2011-10-03 1:49 ` H. Peter Anvin
2011-10-03 11:19 ` Jiri Kosina
2011-10-03 22:56 ` Josh Triplett
2011-10-04 4:49 ` Ted Ts'o
2011-10-04 4:52 ` H. Peter Anvin
2011-10-04 5:11 ` Ted Ts'o
2011-10-04 16:37 ` H. Peter Anvin
2011-10-04 7:15 ` Jiri Kosina
2011-10-04 19:23 ` Rafael J. Wysocki
2011-10-06 3:14 ` John Johansen
2011-10-06 4:49 ` hpanvin@gmail.com
2011-10-04 12:51 ` Heiko Carstens
2011-10-04 22:02 ` Jiri Kosina
2011-10-04 22:04 ` H. Peter Anvin
2011-10-05 0:27 ` Henrique de Moraes Holschuh
2011-10-03 17:50 ` Adrian Bunk
2011-10-06 18:22 ` Krzysztof Halasa
2011-10-06 18:31 ` Rafael J. Wysocki
2011-10-06 21:19 ` [Warsaw Poland] " Krzysztof Halasa
2011-10-06 21:37 ` Rafael J. Wysocki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20111001212321.GE23355@khazad-dum.debian.net \
--to=hmh@hmh.eng.br \
--cc=davem@davemloft.net \
--cc=greg@kroah.com \
--cc=linux-kernel@vger.kernel.org \
--cc=rostedt@goodmis.org \
--cc=w@1wt.eu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox