new SSH botnet

Concur: the NSA was helping US companies in industrial espionage.

And yes, as I said: In many cases, government and commerce work together, and in some countries government and criminals work together, and in some cases, multiple governments work together (famous example: five eyes). But also, in some cases governments spy on companies in their country too. I know two examples: government agency spies on company A, gives the results deliberately to company B (that's sort of getting help from the NSA in doing industrial espionage), but then the data leaks from company B to A, causing embarrassment to all involved. Another fun example (which I don't think is terribly well known publicly) is company X (which is located in a country that we'll call Elbonia) discovering that someone is trying to hack their internal corporate networks, figuring out that the hacker is the official Elbonian spy agency. The bizarre thing is: Company X is the biggest supplier of computer and networking gear to that spy agency!

Sometimes I think that the intelligence agencies are staffed only with complete fools (right out of Inspector Clouseau or Dilbert). Sometimes I think that they are staffed with geniuses, who can pull off amazing stunts. The people I've actually met who work there are all pretty hard-working, smart, honest, and neither idiots nor geniuses.

And you are completely correct: they all do it. The only countries that don't do much intelligence gathering are the ones that don't have the resources for it.
 
Only the order of them might change. And yes, they ALL do this.
The UK government doesn't do anything of that sort. They know that the entire industry (consisting exclusively of Apple and Microsoft) is so darn impenetrable and secure that hacking is deemed a legacy activity and only for "poor" countries.

Instead they prefer to spend their time (and the money from us plebs) leveraging smart phones and cloud storage as their entire digital security backbone. :)
 
Using a different port helps. It reduces the number of attacks (by several orders of magnitude), and makes it statistically unlikely that your ssh port will be cracked. It is not actually secure. But it has a really good cost/benefit ratio, so do it. Don't let the desire for the perfect stand in the way of accomplishing the good.
 
What about using a different listen port than 22? Lots of free ports are available.


obfuscation is NOT equal to properly securing a service, which in the case of sshd means NO PASSWORD BASED LOGINS!

But yes, using another port for ssh greatly reduces the noise floor. On 'high noise' IPs (e.g. cloud hosting) I usually also change the ssh port. On some machines I just run a honeypot on port 22 that simply collects IPs for blacklisting...
 
I really appreciate all the input!

On my production server, I've disabled password logins, use a 2048-bit key and a non-standard SSH port.

Is that "good enough" or should I be doing something else as well?
 
"Good enough" depends on the value of your data, the risk to you of getting hacked, and the expected threat profile.

Scenario 1: Your system stores the target coordinates for conventional and nuclear bombing. If the data is released, we expect massive political upheaval, probably leading to thousands of people losing their lives. If your system is shut down, your country loses the ability to defend itself. Your adversaries are the best intelligence services on the planet.

Scenario 2: Your system contains only pictures of your kids that you took with your camera. All pictures are public, you serve them on a web server, so grandma can check out what her grandkids are doing. There is nothing secret on the server; if it gets shut down, the only damage is that grandma has to wait until it is brought back online, or you have to make printouts of the photos and send them to grandma in a letter. The only risk from hackers is that they might use your machine's resources for nefarious purposes (mine bitcoin, send spam e-mails, and so on). Since the value of an IP address and weak (virtual) CPU is very low, hackers are not interested in your machine.

For 1, your suggestion is absolutely not good enough: you need security guards with assault rifles, encrypted everything, thick concrete walls and ceilings, and similar stuff. For 2, it is total overkill; one of the three would have been sufficient.
 
Since the value of an IP address and weak (virtual) CPU is very low, hackers are not interested in your machine.

My machine is a little bit better than that, that's why I'd like to protect it.

I have my own dedicated server and it's powered by a Xeon E-2288G CPU, 32GB ram, 2x 500GB SSD (Raid 0). I also have 16 usable IPv4 addresses and /64 block for IPv6. I'm a PHP developer, and have 10+ years worth of work that is powering 3 websites - which includes a CMS I created from scratch (WordPress is bloatware).

Of course all my work is rsync'd to my home machine every 12 hours, but I would hate for my code to get leaked.
 
Have you set AllowUsers in sshd_config?

Not sure if you're asking just about ssh or overall security? Assume you've got firewall(s) in place. Checking logs of firewall, /var/log/messages, /var/log/authlog to check nothing unexpected. Turn off unnecessary services, keep everything patched. RAID-0 is fast, but don't you want something mirrored? (But now definitely drifting off the topic of SSH!)
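The log check suggested above can be scripted. The following is an added example, not code from the thread: it parses the lines sshd writes to /var/log/authlog (or /var/log/auth.log), counts failed logins per source address, records which non-existent usernames were tried, and flags any login that was accepted with a password, which should never happen once PasswordAuthentication is off. The sample log lines are constructed for the example (addresses are from the RFC 5737 documentation ranges), and the table name in the generated pfctl commands is an assumption.

```python
"""Triage of sshd authentication log lines (added example, not from the thread)."""
import re
from collections import Counter, defaultdict

# Constructed sample lines in sshd's syslog format; not a real log.
SAMPLE_LOG = """\
Mar  3 04:12:01 web sshd[2231]: Invalid user admin from 203.0.113.5 port 51234
Mar  3 04:12:03 web sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 04:12:07 web sshd[2235]: Invalid user oracle from 203.0.113.5 port 51240
Mar  3 04:12:09 web sshd[2235]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Mar  3 04:12:14 web sshd[2239]: Failed password for root from 203.0.113.5 port 51251 ssh2
Mar  3 04:12:20 web sshd[2241]: Failed password for root from 203.0.113.5 port 51255 ssh2
Mar  3 04:15:44 web sshd[2250]: Connection closed by authenticating user dev 198.51.100.7 port 40122 [preauth]
Mar  3 04:15:50 web sshd[2252]: Accepted publickey for dev from 198.51.100.7 port 40130 ssh2: ED25519 SHA256:vQd5lT1h3q0dTQwYb6Zq7nq1e5fN8sF3FQn0Y0r0ZsA
Mar  3 04:16:02 web sshd[2260]: Failed password for dev from 192.0.2.44 port 33001 ssh2
Mar  3 04:16:05 web sshd[2262]: Accepted password for dev from 192.0.2.44 port 33005 ssh2
"""

# "Failed <method> for [invalid user ]<user> from <ip> port <n>"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)
# "Invalid user <user> from <ip>": a username that does not exist on the box
INVALID_RE = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)"
)
# "Accepted <method> for <user> from <ip>"
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)"
)


def parse_log(text):
    """Return (failed logins per ip, invalid usernames per ip, accepted logins)."""
    failures = Counter()
    invalid_users = defaultdict(set)
    accepted = []  # (user, ip, method)
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            continue
        m = INVALID_RE.search(line)
        if m:
            invalid_users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["user"], m["ip"], m["method"]))
    return failures, invalid_users, accepted


def suspicious_sources(text, threshold=3):
    """Source addresses with at least `threshold` failed logins, worst first."""
    failures, _, _ = parse_log(text)
    return [(ip, n) for ip, n in failures.most_common() if n >= threshold]


def password_logins(text):
    """Accepted logins that used a password rather than a key.

    With PasswordAuthentication off these cannot occur, so any hit means the
    running sshd is not using the configuration you think it is.
    """
    _, _, accepted = parse_log(text)
    return [(user, ip) for user, ip, method in accepted if method == "password"]


def pfctl_commands(text, threshold=3, table="bruteforce"):
    """Commands to add the offending sources to a PF table (table name assumed)."""
    return [f"pfctl -t {table} -T add {ip}" for ip, _ in suspicious_sources(text, threshold)]


if __name__ == "__main__":
    failures, invalid, accepted = parse_log(SAMPLE_LOG)
    for ip, n in suspicious_sources(SAMPLE_LOG):
        print(f"{ip}: {n} failed logins, invalid users tried: {sorted(invalid[ip])}")
    for user, ip in password_logins(SAMPLE_LOG):
        print(f"WARNING: password login accepted for {user} from {ip}")
    print("\n".join(pfctl_commands(SAMPLE_LOG)))
```

Run it against the real file with `parse_log(open("/var/log/authlog").read())`; on a host that really has password logins disabled, `password_logins` returning anything is the finding that matters more than the brute-force counts.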
 
Have you set AllowUsers in sshd_config?

No, I do not! I wasn't aware that was an option (it's not listed in the config file). However, I only have one user account and root login is already disabled. Is it still needed? In the /etc/passwd file, it looks like everything has /usr/sbin/nologin except root, toor, uucp, and acme.

Not sure if you're asking just about ssh or overall security? Assume you've got firewall(s) in place.

Yes, I'm using PF. I don't limit access to SSH to my IP address as it changes every 6 months or so (and I've locked myself out once already). I have fiber gigabit internet at home, so I do have the option to pay an additional $5/month for a static IP but wasn't sure it was worth the cost.

RAID-0 is fast but don't you want something mirrored

Why is that? In the early days, I had a single HDD and it failed on me... it wasn't fun getting everything back up and running.
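For the PF side of this, here is an added example pf.conf fragment, not from the thread, that sits between "allow SSH from anywhere" and "allow SSH only from my home IP": it lets anyone connect, but a source that opens too many new SSH connections in a short window is put into a table and blocked, and the same table is where a port-22 honeypot can drop the addresses it collects. The interface name `em0`, the port `2222` and the table names are assumptions for the example.

```pf
# Added example, not from the thread. Assumed: sshd listens on 2222 on em0.
ext_if = "em0"
ssh_port = "2222"

# Sources that tripped the rate limit below, or that a port-22 honeypot
# reported with:  pfctl -t bruteforce -T add <ip>
# 'persist' keeps the table even when no loaded rule references it.
table <bruteforce> persist

# Your own current address(es); refresh with:  pfctl -t admins -T replace <ip>
# so a changing home IP never trips the rate limit.
table <admins> persist

block in quick on $ext_if from <bruteforce>

# Admin sources: no rate limiting.
pass in quick on $ext_if proto tcp from <admins> to ($ext_if) port $ssh_port \
    flags S/SA keep state

# Everyone else: more than 5 new connections in 30 seconds from one source
# adds it to <bruteforce> and kills all of that source's existing states.
pass in on $ext_if proto tcp to ($ext_if) port $ssh_port \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Port 22 is only a honeypot; nothing legitimate should arrive there, so log it.
pass in log on $ext_if proto tcp to ($ext_if) port 22 flags S/SA keep state
```

Load it with `pfctl -nf /etc/pf.conf` first (parse only), and keep an existing SSH session open while testing, because `flush global` also kills the state of the connection that crossed the limit. The tables live in kernel memory, so entries added with `pfctl -T add` are gone after a reboot unless you re-add them from a file at boot. The rate limit only slows down noisy scanners; a patient attacker trying one password a minute never trips it, which is why the advice above to disable password logins entirely is the part that actually matters.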
 
My understanding is that RAID 0 is striped for performance so if one drive dies bye-bye data. A mirrored RAID level should be able to cope with one drive failure but at the cost of space and performance.

Not sure if the AllowUsers helps in your setup - it’s just one more barrier for someone to get through (they’ll need a valid username).
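Pulling the sshd_config advice from this thread together (no password logins, key-only, non-standard port, no direct root login, AllowUsers as one more barrier), here is an added example configuration, not taken from the thread or from any poster's server. The account name `deploy` and the port `2222` are assumptions.

```sshd_config
# Added example, not from the thread. Assumed account: deploy, assumed port: 2222.
Port 2222

# Keys only: no password prompt and no keyboard-interactive prompt at all.
# (Older sshd versions spell the second option ChallengeResponseAuthentication.)
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no

# Root never authenticates directly; log in as the one account and escalate.
PermitRootLogin no

# Only this account may authenticate, whatever else exists in /etc/passwd
# (toor, uucp, acme and the rest are refused before any key is checked).
AllowUsers deploy

# Drop unauthenticated connections quickly and cap attempts per connection.
LoginGraceTime 20
MaxAuthTries 3
MaxSessions 4
```

Check the file with `sshd -t` before restarting, and confirm what the running daemon actually uses with `sshd -T | grep -iE '^(port|passwordauthentication|kbdinteractiveauthentication|permitrootlogin|allowusers) '`, because a stray `Include` or a later directive can silently override what you wrote. Keep your current session open while restarting, for the same lock-out reason discussed above. AllowUsers also accepts `user@host` patterns, so `AllowUsers deploy@203.0.113.0/24` restricts the account to a network rather than to a single address that might change. For the key itself, ssh-keygen has generated Ed25519 keys by default since OpenSSH 9.5; an existing 2048-bit RSA key still works, but a new key might as well be Ed25519.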
 