Rocksolid Light (RetroBBS)

comp.os.linux.misc / Is It Time To Replace SSH ???

Subject -- Author
* Is It Time To Replace SSH ??? -- 26C.Z969
+* Re: Is It Time To Replace SSH ??? -- Richard Kettlewell
|+* Re: Is It Time To Replace SSH ??? -- The Natural Philosopher
||+* Re: Is It Time To Replace SSH ??? -- Andreas Kohlbach
|||`* Re: Is It Time To Replace SSH ??? -- The Natural Philosopher
||| `* Re: Is It Time To Replace SSH ??? -- Roger Blake
|||  `- Re: Is It Time To Replace SSH ??? -- The Natural Philosopher
||`* Re: Is It Time To Replace SSH ??? -- Richard Kettlewell
|| +- Re: Is It Time To Replace SSH ??? -- The Natural Philosopher
|| `* Re: Is It Time To Replace SSH ??? -- Pancho
||  +* Re: Is It Time To Replace SSH ??? -- The Natural Philosopher
||  |`- Re: Is It Time To Replace SSH ??? -- Richard Kettlewell
||  `* Re: Is It Time To Replace SSH ??? -- Richard Kettlewell
||   `- Re: Is It Time To Replace SSH ??? -- Richard Kettlewell
|`* Re: Is It Time To Replace SSH ??? -- 26C.Z969
| +- Re: Is It Time To Replace SSH ??? -- Carlos E. R.
| +- Re: Is It Time To Replace SSH ??? -- The Natural Philosopher
| `- Re: Is It Time To Replace SSH ??? -- Richard Kettlewell
+* Re: Is It Time To Replace SSH ??? -- Lew Pitcher
|`* Re: Is It Time To Replace SSH ??? -- 26C.Z969
| +* Re: Is It Time To Replace SSH ??? -- The Natural Philosopher
| |`- Re: Is It Time To Replace SSH ??? -- 26C.Z969
| `* Re: Is It Time To Replace SSH ??? -- Popping Mad
|  `- Re: Is It Time To Replace SSH ??? -- 26C.Z969
+* Re: Is It Time To Replace SSH ??? -- Marco Moock
|`* Re: Is It Time To Replace SSH ??? -- Andreas Kohlbach
| +* Re: Is It Time To Replace SSH ??? -- 26C.Z969
| |+* Re: Is It Time To Replace SSH ??? -- Andreas Kohlbach
| ||`* Re: Is It Time To Replace SSH ??? -- 26C.Z969
| || `* Re: Is It Time To Replace SSH ??? -- Rich
| ||  `* Re: Is It Time To Replace SSH ??? -- 26C.Z969
| ||   `* Re: Is It Time To Replace SSH ??? -- Computer Nerd Kev
| ||    `* Re: Is It Time To Replace SSH ??? -- 26C.Z969
| ||     `* Re: Is It Time To Replace SSH ??? -- Andreas Kohlbach
| ||      `* Re: Is It Time To Replace SSH ??? -- 26C.Z969
| ||       +* Re: Is It Time To Replace SSH ??? -- Robert Riches
| ||       |+* Re: Is It Time To Replace SSH ??? -- The Natural Philosopher
| ||       ||`- Re: Is It Time To Replace SSH ??? -- 26C.Z969
| ||       |`- Re: Is It Time To Replace SSH ??? -- 26C.Z969
| ||       `* Re: Is It Time To Replace SSH ??? -- The Natural Philosopher
| ||        `* Re: Is It Time To Replace SSH ??? -- Charlie Gibbs
| ||         +* Re: Is It Time To Replace SSH ??? -- The Natural Philosopher
| ||         |`- Re: Is It Time To Replace SSH ??? -- 26C.Z969
| ||         `* Re: Is It Time To Replace SSH ??? -- 26C.Z969
| ||          `* Re: Is It Time To Replace SSH ??? -- Charlie Gibbs
| ||           `- Re: Is It Time To Replace SSH ??? -- 26C.Z969
| |`- Re: Is It Time To Replace SSH ??? -- The Natural Philosopher
| `* Re: Is It Time To Replace SSH ??? -- The Natural Philosopher
|  `* Re: Is It Time To Replace SSH ??? -- Carlos E. R.
|   +* Re: Is It Time To Replace SSH ??? -- The Natural Philosopher
|   |`* Re: Is It Time To Replace SSH ??? -- Richard Kettlewell
|   | `* Re: Is It Time To Replace SSH ??? -- Marc Haber
|   |  +- Re: Is It Time To Replace SSH ??? -- The Natural Philosopher
|   |  +* Re: Is It Time To Replace SSH ??? -- 26C.Z969
|   |  |+* Re: Is It Time To Replace SSH ??? -- Robert Heller
|   |  ||`* Re: Is It Time To Replace SSH ??? -- 26C.Z969
|   |  || +- Re: Is It Time To Replace SSH ??? -- Computer Nerd Kev
|   |  || `- Re: Is It Time To Replace SSH ??? -- Richard Kettlewell
|   |  |`* Re: Is It Time To Replace SSH ??? -- Rich
|   |  | `* Re: Is It Time To Replace SSH ??? -- Carlos E. R.
|   |  |  +* Re: Is It Time To Replace SSH ??? -- Richard Kettlewell
|   |  |  |`* Re: Is It Time To Replace SSH ??? -- The Natural Philosopher
|   |  |  | `* Re: Is It Time To Replace SSH ??? -- 26C.Z969
|   |  |  |  +* Re: Is It Time To Replace SSH ??? -- Richard Kettlewell
|   |  |  |  |+* Re: Is It Time To Replace SSH ??? -- Carlos E. R.
|   |  |  |  ||`- Re: Is It Time To Replace SSH ??? -- Richard Kettlewell
|   |  |  |  |+- Re: Is It Time To Replace SSH ??? -- The Natural Philosopher
|   |  |  |  |`* Re: Is It Time To Replace SSH ??? -- 26C.Z969
|   |  |  |  | `* Re: Is It Time To Replace SSH ??? -- Richard Kettlewell
|   |  |  |  |  `* Re: Is It Time To Replace SSH ??? -- 26C.Z969
|   |  |  |  |   `- Re: Is It Time To Replace SSH ??? -- Richard Kettlewell
|   |  |  |  `- Re: Is It Time To Replace SSH ??? -- The Natural Philosopher
|   |  |  `* Re: Is It Time To Replace SSH ??? -- Marc Haber
|   |  |   `* Re: Is It Time To Replace SSH ??? -- 26C.Z969
|   |  |    +* Re: Is It Time To Replace SSH ??? -- David W. Hodgins
|   |  |    |+* Re: Is It Time To Replace SSH ??? -- The Natural Philosopher
|   |  |    ||`- Re: Is It Time To Replace SSH ??? -- 26C.Z969
|   |  |    |`- Re: Is It Time To Replace SSH ??? -- 26C.Z969
|   |  |    `* Re: Is It Time To Replace SSH ??? -- Carlos E. R.
|   |  |     `- Re: Is It Time To Replace SSH ??? -- 26C.Z969
|   |  `* Re: Is It Time To Replace SSH ??? -- Richard Kettlewell
|   |   `* Re: Is It Time To Replace SSH ??? -- Ted Heise
|   |    `* Re: Is It Time To Replace SSH ??? -- Richard Kettlewell
|   |     `- Re: Is It Time To Replace SSH ??? -- Ted Heise
|   +- Re: Is It Time To Replace SSH ??? -- Computer Nerd Kev
|   `* Re: Is It Time To Replace SSH ??? -- Andreas Kohlbach
|    `* Re: Is It Time To Replace SSH ??? -- David W. Hodgins
|     +* Re: Is It Time To Replace SSH ??? -- Andreas Kohlbach
|     |+* Re: Is It Time To Replace SSH ??? -- Carlos E. R.
|     ||`* Re: Is It Time To Replace SSH ??? -- Andreas Kohlbach
|     || `* Re: Is It Time To Replace SSH ??? -- Carlos E. R.
|     ||  `* Re: Is It Time To Replace SSH ??? -- Andreas Kohlbach
|     ||   `* Re: Is It Time To Replace SSH ??? -- Carlos E. R.
|     ||    `- Re: Is It Time To Replace SSH ??? -- 26C.Z969
|     |`* Re: Is It Time To Replace SSH ??? -- David W. Hodgins
|     | +- Re: Is It Time To Replace SSH ??? -- Andreas Kohlbach
|     | `* Re: Is It Time To Replace SSH ??? -- 26C.Z969
|     |  +* Re: Is It Time To Replace SSH ??? -- Andreas Kohlbach
|     |  |`* Re: Is It Time To Replace SSH ??? -- 26C.Z969
|     |  | `* Re: Is It Time To Replace SSH ??? -- The Natural Philosopher
|     |  |  `- Re: Is It Time To Replace SSH ??? -- 26C.Z969
|     |  +* Re: Is It Time To Replace SSH ??? -- Computer Nerd Kev
|     |  `* Re: Is It Time To Replace SSH ??? -- The Natural Philosopher
|     `- Re: Is It Time To Replace SSH ??? -- Carlos E. R.
`* Re: Is It Time To Replace SSH ??? -- Popping Mad

Is It Time To Replace SSH ???

Message-ID: <y-ycndVmEZmnWQf-nZ2dnZfqn_WdnZ2d@earthlink.com>
https://www.rocksolidbbs.com/computers/article-flat.php?id=10935&group=comp.os.linux.misc#10935
Newsgroups: comp.os.linux.misc
From: 26C.Z969@noaada.net (26C.Z969)
Date: Thu, 15 Dec 2022 01:52:41 -0500
 by: 26C.Z969 - Thu, 15 Dec 2022 06:52 UTC

SSH is a good oldie for sure. However, it seems to
be increasingly unfit for the modern realities. There
are not many straight-up ways to detect/intercept
aggressive attackers. It was writ for a "kinder,
gentler" IP universe where distributed attacks did
not exist. Coping with such threats really, badly,
needs to be very straight-up and incorporate at least
a little "AI" sensibility that can maybe "just tell"
an aggressor from an ordinary client.

And no, I don't mean "add a few features to SSH",
I mean REPLACE it entirely with a clean new
solution. Too much feature-creep on old apps
is never a good idea.

Re: Is It Time To Replace SSH ???

Message-ID: <wwvcz8ljc0x.fsf@LkoBDZeT.terraraq.uk>
https://www.rocksolidbbs.com/computers/article-flat.php?id=10936&group=comp.os.linux.misc#10936
From: invalid@invalid.invalid (Richard Kettlewell)
Date: Thu, 15 Dec 2022 08:39:58 +0000
References: <y-ycndVmEZmnWQf-nZ2dnZfqn_WdnZ2d@earthlink.com>
 by: Richard Kettlewell - Thu, 15 Dec 2022 08:39 UTC

"26C.Z969" <26C.Z969@noaada.net> writes:
> SSH is a good oldie for sure. However, it seems to be increasingly
> unfit for the modern realities. There are not many straight-up ways to
> detect/intercept aggressive attackers.

What do you think it’s failing to do? Disable password authentication
and nobody’s getting in without an authorized private key.

> It was writ for a "kinder, gentler" IP universe where distributed
> attacks did not exist. Coping with such threats really, badly, needs
> to be very straight-up and incorporate at least a little "AI"
> sensibility that can maybe "just tell" an aggressor from an ordinary
> client.

Not much intelligence needed, anything that gets more than a handful of
password authentication errors is an attacker and gets added to my
‘block’ ipset.

--
http://www.greenend.org.uk/rjk/
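
[Editor's added example, not part of Richard Kettlewell's post.] "Disable password authentication" is one line in sshd_config, but the setting that actually matters is the effective one after defaults, includes and Match blocks are resolved, which is what `sshd -T` prints (one lowercase `keyword value` per line). The checker below audits that output for the password-free posture described above. It also covers a caveat the post does not mention: with `UsePAM yes`, leaving `KbdInteractiveAuthentication` on still lets PAM prompt for a password, so turning off `PasswordAuthentication` alone is not enough. The two configurations embedded here are constructed for illustration; the rule table is the editor's choice, not the poster's setup.

```python
"""Audit the effective sshd configuration (as printed by `sshd -T`) for the
password-free, key-only posture discussed in the thread.

Editor's added example; the two configurations below are constructed."""

# Effective settings we require, keyed by the lowercase keyword `sshd -T`
# prints. Values are the set of acceptable answers for that keyword.
HARDENING_RULES = {
    "passwordauthentication": {"no"},
    # keyboard-interactive goes through PAM and can still prompt for a password
    "kbdinteractiveauthentication": {"no"},
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "permitemptypasswords": {"no"},
    "pubkeyauthentication": {"yes"},
}

# OpenSSH releases before 8.7 print this keyword under its old name.
LEGACY_NAMES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}

WEAK_CONFIG = """\
port 22
permitrootlogin yes
passwordauthentication yes
kbdinteractiveauthentication yes
permitemptypasswords no
pubkeyauthentication yes
"""

HARDENED_CONFIG = """\
port 22
permitrootlogin prohibit-password
passwordauthentication no
kbdinteractiveauthentication no
permitemptypasswords no
pubkeyauthentication yes
"""


def parse_sshd_t(text):
    """Turn `sshd -T` output into a dict keyword -> value (last one wins)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip().lower()
    return settings


def audit(text):
    """Return [(keyword, found, acceptable), ...] for every rule not met.
    A keyword absent from the output is reported as 'unset' rather than
    silently assumed to have a safe default."""
    settings = parse_sshd_t(text)
    findings = []
    for key, ok_values in HARDENING_RULES.items():
        found = settings.get(key)
        if found is None and key in LEGACY_NAMES:
            found = settings.get(LEGACY_NAMES[key])
        if found is None:
            found = "unset"
        if found not in ok_values:
            findings.append((key, found, sorted(ok_values)))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for key, found, ok in findings:
            print(f"  {key} = {found!r}, want one of {ok}")
```

In practice you would feed `audit()` the output of `sudo sshd -T` (add `-C user=...,host=...,addr=...` to see what a specific Match block resolves to). Reporting missing keywords as findings is deliberate: an older or differently-built sshd may not print a keyword at all, and "not printed" should be investigated rather than assumed safe.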

Re: Is It Time To Replace SSH ???

Message-ID: <tnernt$32eg3$9@dont-email.me>
https://www.rocksolidbbs.com/computers/article-flat.php?id=10937&group=comp.os.linux.misc#10937
From: tnp@invalid.invalid (The Natural Philosopher)
Date: Thu, 15 Dec 2022 10:09:01 +0000
References: <y-ycndVmEZmnWQf-nZ2dnZfqn_WdnZ2d@earthlink.com>
<wwvcz8ljc0x.fsf@LkoBDZeT.terraraq.uk>
 by: The Natural Philosopher - Thu, 15 Dec 2022 10:09 UTC

On 15/12/2022 08:39, Richard Kettlewell wrote:
> "26C.Z969" <26C.Z969@noaada.net> writes:
>> SSH is a good oldie for sure. However, it seems to be increasingly
>> unfit for the modern realities. There are not many straight-up ways to
>> detect/intercept aggressive attackers.
>
> What do you think it’s failing to do? Disable password authentication
> and nobody’s getting in without an authorized private key.
>
>> It was writ for a "kinder, gentler" IP universe where distributed
>> attacks did not exist. Coping with such threats really, badly, needs
>> to be very straight-up and incorporate at least a little "AI"
>> sensibility that can maybe "just tell" an aggressor from an ordinary
>> client.
>
> Not much intelligence needed, anything that gets more than a handful of
> password authentication errors is an attacker and gets added to my
> ‘block’ ipset.
>
Just hope it wasn't from some public wifi dynamic address that you might
want to use in future :-)

--
It’s easier to fool people than to convince them that they have been fooled.
Mark Twain

Re: Is It Time To Replace SSH ???

Message-ID: <tnfch7$33uu5$1@dont-email.me>
https://www.rocksolidbbs.com/computers/article-flat.php?id=10940&group=comp.os.linux.misc#10940
From: lew.pitcher@digitalfreehold.ca (Lew Pitcher)
Date: Thu, 15 Dec 2022 14:55:35 -0000 (UTC)
References: <y-ycndVmEZmnWQf-nZ2dnZfqn_WdnZ2d@earthlink.com>
 by: Lew Pitcher - Thu, 15 Dec 2022 14:55 UTC

On Thu, 15 Dec 2022 01:52:41 -0500, 26C.Z969 wrote:

> SSH is a good oldie for sure. However, it seems to be increasingly unfit
> for the modern realities.
[snip]
> I mean REPLACE it entirely with a clean new solution. Too much
> feature-creep on old apps is never a good idea.

While I don't agree with you (I think that your observed problems
are likely caused more by operator error than aged software), I
have no problems with YOU attempting to replace ssh with something
better. Have at it, my friend.

Once YOU write a stable and featureful replacement for ssh, please
let us know.

Luck be with you

--
Lew Pitcher
"In Skills, We Trust"

Re: Is It Time To Replace SSH ???

Message-ID: <tnfk1k$344am$3@dont-email.me>
https://www.rocksolidbbs.com/computers/article-flat.php?id=10941&group=comp.os.linux.misc#10941
From: mo01@posteo.de (Marco Moock)
Date: Thu, 15 Dec 2022 18:03:48 +0100
References: <y-ycndVmEZmnWQf-nZ2dnZfqn_WdnZ2d@earthlink.com>
 by: Marco Moock - Thu, 15 Dec 2022 17:03 UTC

Am 15.12.2022 um 01:52:41 Uhr schrieb 26C.Z969:

> SSH is a good oldie for sure. However, it seems to
> be increasingly unfit for the modern realities. There
> are not many straight-up ways to detect/intercept
> aggressive attackers. It was writ for a "kinder,
> gentler" IP universe where distributed attacks did
> not exist. Coping with such threats really, badly,
> needs to be very straight-up and incorporate at least
> a little "AI" sensibility that can maybe "just tell"
> an aggressor from an ordinary client.

I don't see any alternative. What would you change in the "new"
protocol?

Attacks on SSH on IPv4 networks exist (mostly brute-force), but just
let it run on an IPv6 address, almost nobody will find it and try to
log in.

Re: Is It Time To Replace SSH ???

Message-ID: <87tu1wxmwi.fsf@usenet.ankman.de>
https://www.rocksolidbbs.com/computers/article-flat.php?id=10943&group=comp.os.linux.misc#10943
From: ank@spamfence.net (Andreas Kohlbach)
Date: Thu, 15 Dec 2022 18:33:33 -0500
References: <y-ycndVmEZmnWQf-nZ2dnZfqn_WdnZ2d@earthlink.com>
<wwvcz8ljc0x.fsf@LkoBDZeT.terraraq.uk> <tnernt$32eg3$9@dont-email.me>
 by: Andreas Kohlbach - Thu, 15 Dec 2022 23:33 UTC

On Thu, 15 Dec 2022 10:09:01 +0000, The Natural Philosopher wrote:
>
> On 15/12/2022 08:39, Richard Kettlewell wrote:
>> "26C.Z969" <26C.Z969@noaada.net> writes:
>>> SSH is a good oldie for sure. However, it seems to be increasingly
>>> unfit for the modern realities. There are not many straight-up ways to
>>> detect/intercept aggressive attackers.
>> What do you think it’s failing to do? Disable password authentication
>> and nobody’s getting in without an authorized private key.
>>
>>> It was writ for a "kinder, gentler" IP universe where distributed
>>> attacks did not exist. Coping with such threats really, badly, needs
>>> to be very straight-up and incorporate at least a little "AI"
>>> sensibility that can maybe "just tell" an aggressor from an ordinary
>>> client.
>> Not much intelligence needed, anything that gets more than a handful of
>> password authentication errors is an attacker and gets added to my
>> ‘block’ ipset.
>>
> Just hope it wasn't from some public wifi dynamic address that you
> might want to use in future :-)

Those are private IPs (like your personal WIFI net). It's unlikely your SSH
is being accessed from there.
--
Andreas

Re: Is It Time To Replace SSH ???

Message-ID: <87r0x0xmre.fsf@usenet.ankman.de>
https://www.rocksolidbbs.com/computers/article-flat.php?id=10944&group=comp.os.linux.misc#10944
From: ank@spamfence.net (Andreas Kohlbach)
Date: Thu, 15 Dec 2022 18:36:37 -0500
References: <y-ycndVmEZmnWQf-nZ2dnZfqn_WdnZ2d@earthlink.com>
<tnfk1k$344am$3@dont-email.me>
 by: Andreas Kohlbach - Thu, 15 Dec 2022 23:36 UTC

On Thu, 15 Dec 2022 18:03:48 +0100, Marco Moock wrote:
>
> Am 15.12.2022 um 01:52:41 Uhr schrieb 26C.Z969:
>
>> SSH is a good oldie for sure. However, it seems to
>> be increasingly unfit for the modern realities. There
>> are not many straight-up ways to detect/intercept
>> aggressive attackers. It was writ for a "kinder,
>> gentler" IP universe where distributed attacks did
>> not exist. Coping with such threats really, badly,
>> needs to be very straight-up and incorporate at least
>> a little "AI" sensibility that can maybe "just tell"
>> an aggressor from an ordinary client.
>
> I don't see any alternative. What would you change in the "new"
> protocol?

A more colorful interface, maybe. ;-)

> Attacks on SSH on IPv4 networks exist (mostly brute-force), but just
> let it run on an IPv6 address, almost nobody will find it and try to
> log in.

Also depends on how long an IP has been advertising SSH (or other services). I
have had mine for two years now, and scammers are getting busier trying to get
into my SSH. Not that I care or block any of the IPs involved, as they change
frequently anyway.
--
Andreas

Re: Is It Time To Replace SSH ???

Message-ID: <oOWcnbMrVfS4Ywb-nZ2dnZfqn_idnZ2d@earthlink.com>
https://www.rocksolidbbs.com/computers/article-flat.php?id=10947&group=comp.os.linux.misc#10947
From: 26C.Z969@noaada.net (26C.Z969)
Date: Fri, 16 Dec 2022 00:11:50 -0500
References: <y-ycndVmEZmnWQf-nZ2dnZfqn_WdnZ2d@earthlink.com>
<wwvcz8ljc0x.fsf@LkoBDZeT.terraraq.uk>
 by: 26C.Z969 - Fri, 16 Dec 2022 05:11 UTC

On 12/15/22 3:39 AM, Richard Kettlewell wrote:
> "26C.Z969" <26C.Z969@noaada.net> writes:
>> SSH is a good oldie for sure. However, it seems to be increasingly
>> unfit for the modern realities. There are not many straight-up ways to
>> detect/intercept aggressive attackers.
>
> What do you think it’s failing to do? Disable password authentication
> and nobody’s getting in without an authorized private key.

Good for SOME users, preferably FEW, but what
about when you need to accommodate mass logins,
often from idiots ? If you make it too complex
they'll shop elsewhere.

>> It was writ for a "kinder, gentler" IP universe where distributed
>> attacks did not exist. Coping with such threats really, badly, needs
>> to be very straight-up and incorporate at least a little "AI"
>> sensibility that can maybe "just tell" an aggressor from an ordinary
>> client.
>
> Not much intelligence needed, anything that gets more than a handful of
> password authentication errors is an attacker and gets added to my
> ‘block’ ipset.

You make it sound SO easy :-)

Which doesn't cover serious breaches, even at
large tech-centric corps for some reason ....

Re: Is It Time To Replace SSH ???

Message-ID: <dM6cnVBFo_qAYgb-nZ2dnZfqnPGdnZ2d@earthlink.com>
https://www.rocksolidbbs.com/computers/article-flat.php?id=10948&group=comp.os.linux.misc#10948
From: 26C.Z969@noaada.net (26C.Z969)
Date: Fri, 16 Dec 2022 00:16:13 -0500
References: <y-ycndVmEZmnWQf-nZ2dnZfqn_WdnZ2d@earthlink.com> <tnfch7$33uu5$1@dont-email.me>
 by: 26C.Z969 - Fri, 16 Dec 2022 05:16 UTC

On 12/15/22 9:55 AM, Lew Pitcher wrote:
> On Thu, 15 Dec 2022 01:52:41 -0500, 26C.Z969 wrote:
>
>> SSH is a good oldie for sure. However, it seems to be increasingly unfit
>> for the modern realities.
> [snip]
>> I mean REPLACE it entirely with a clean new solution. Too much
>> feature-creep on old apps is never a good idea.
>
> While I don't agree with you (I think that your observed problems
> are likely caused more by operator error than aged software), I
> have no problems with YOU attempting to replace ssh with something
> better. Have at it, my friend.
>
> Once YOU write a stable and featureful replacement for ssh, please
> let us know.
>
> Luck be with you

In the end I may HAVE to ... but not my idea
of fun. Replacing SSH really needs to be a
"community effort" drawing from a lot of
expertise and experience with broad agreement
involved.

Or is all this already behind the curve ? SO much
access is now via browser-based apps.

SolarWinds will sell you some great stuff ....

Re: Is It Time To Replace SSH ???

Message-ID: <-_-dnbdq0bqGnwH-nZ2dnZfqnPednZ2d@earthlink.com>
https://www.rocksolidbbs.com/computers/article-flat.php?id=10949&group=comp.os.linux.misc#10949
From: 26C.Z969@noaada.net (26C.Z969)
Date: Fri, 16 Dec 2022 00:28:57 -0500
References: <y-ycndVmEZmnWQf-nZ2dnZfqn_WdnZ2d@earthlink.com> <tnfk1k$344am$3@dont-email.me> <87r0x0xmre.fsf@usenet.ankman.de>
 by: 26C.Z969 - Fri, 16 Dec 2022 05:28 UTC

On 12/15/22 6:36 PM, Andreas Kohlbach wrote:
> On Thu, 15 Dec 2022 18:03:48 +0100, Marco Moock wrote:
>>
>> Am 15.12.2022 um 01:52:41 Uhr schrieb 26C.Z969:
>>
>>> SSH is a good oldie for sure. However, it seems to
>>> be increasingly unfit for the modern realities. There
>>> are not many straight-up ways to detect/intercept
>>> aggressive attackers. It was writ for a "kinder,
>>> gentler" IP universe where distributed attacks did
>>> not exist. Coping with such threats really, badly,
>>> needs to be very straight-up and incorporate at least
>>> a little "AI" sensibility that can maybe "just tell"
>>> an aggressor from an ordinary client.
>>
>> I don't see any alternative. What would you change in the "new"
>> protocol?
>
> A more colorful interface, maybe. ;-)

Hey ... ! :-)

But, really, more "smarts" need to be built in.
HUMANS can spot an aggressor quite easily, but
try explaining that to software .......

>> Attacks on SSH on IPv4 networks exist (mostly brute-force), but just
>> let it run on an IPv6 address, almost nobody will find it and try to
>> log in.
>
> Also depends on how long an IP has been advertising SSH (or other services). I
> have had mine for two years now, and scammers are getting busier trying to get
> into my SSH. Not that I care or block any of the IPs involved, as they change
> frequently anyway.

Strictly IP-centric defenses won't cut it anymore.
Attackers tend to use distributed attacks - hundreds,
thousands, of addresses. IP-centric defenses can
slow-down at least some attackers, which can be good,
but hardly all.

IPV6 does have some potential ... but a lot of big
providers, even Comcast, only offer IPV4 to most
customers.

Sometimes the "best" defense is obfuscation ...
run SSH on an obscure port. If you look at yer
firewall logs you'll see shitloads of probes
to the standard port. Attackers are mostly bots
these days and go for the low-hanging fruit.
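
[Editor's added example, not part of 26C.Z969's post or of Richard Kettlewell's setup.] Three points from the thread can be checked against real log lines rather than argued: Richard's rule (more than a handful of password failures from one address and it goes into a 'block' ipset), The Natural Philosopher's caveat that a blocked dynamic address may be one you want later, and 26C.Z969's point above that a distributed attack spreads its guesses over hundreds of addresses and stays under any per-address threshold. The script below runs both detections over a constructed sshd log (RFC 5737 documentation addresses): a single noisy bot, one legitimate typo from the LAN, and 25 addresses that each try `root` exactly once. The ipset name `block`, the thresholds and the entry timeout are assumptions; the timeout is what answers the dynamic-address caveat, since the entry expires instead of lingering forever.

```python
"""Sort sshd authentication failures into per-address offenders and
distributed campaigns, and render the ipset commands for the former.

Editor's added example; the log lines are constructed, and the set name
"block", the thresholds and the timeout are assumptions."""
import re
from collections import Counter, defaultdict

# Matches the sshd "Failed password" line as written to auth.log / the journal.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

PER_IP_THRESHOLD = 5        # "more than a handful" of failures from one address
DISTRIBUTED_THRESHOLD = 20  # distinct addresses hammering one account
BLOCK_TIMEOUT = 86400       # ipset entry lifetime in seconds; expiry keeps a
                            # reused dynamic address from being blocked forever


def parse_failures(lines):
    """Yield (ip, user) for every failed-password line; other lines are ignored."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")


def per_ip_offenders(lines, threshold=PER_IP_THRESHOLD):
    """Addresses with more than `threshold` failures: the per-address rule."""
    counts = Counter(ip for ip, _ in parse_failures(lines))
    return sorted(ip for ip, n in counts.items() if n > threshold)


def distributed_campaigns(lines, threshold=DISTRIBUTED_THRESHOLD):
    """Accounts targeted from more than `threshold` distinct addresses. Each
    address may fail only once, so the per-address rule never fires on them."""
    sources = defaultdict(set)
    for ip, user in parse_failures(lines):
        sources[user].add(ip)
    return {user: len(ips) for user, ips in sources.items() if len(ips) > threshold}


def ipset_commands(ips, setname="block", timeout=BLOCK_TIMEOUT):
    """Commands an operator would run against a set created with
    `ipset create block hash:ip timeout 86400` and matched by
    `iptables -I INPUT -p tcp --dport 22 -m set --match-set block src -j DROP`.
    `-exist` makes a repeat add refresh the timeout instead of failing."""
    return [f"ipset add {setname} {ip} timeout {timeout} -exist" for ip in ips]


# ---- constructed sample log --------------------------------------------------
def _failed(ip, user, invalid=False, pid=4242):
    who = f"invalid user {user}" if invalid else user
    return (f"Dec 16 00:20:00 host sshd[{pid}]: Failed password for {who} "
            f"from {ip} port 50000 ssh2")


SAMPLE_LOG = (
    [_failed("203.0.113.5", "admin", invalid=True)] * 8          # one noisy bot
    + [_failed("192.168.0.10", "alice")]                          # a typo from the LAN
    + ["Dec 16 00:21:00 host sshd[4243]: Accepted publickey for alice "
       "from 192.168.0.10 port 50001 ssh2: ED25519 SHA256:constructed"]
    + [_failed(f"198.51.100.{n}", "root") for n in range(1, 26)]  # 25 addresses, one try each
)

if __name__ == "__main__":
    for cmd in ipset_commands(per_ip_offenders(SAMPLE_LOG)):
        print(cmd)
    for user, n in distributed_campaigns(SAMPLE_LOG).items():
        print(f"ALERT: {user} targeted from {n} distinct addresses, "
              f"none above the per-address threshold")
```

On the sample the per-address rule blocks only 203.0.113.5; the 25 `root` guesses from 198.51.100.0/24 never trip it, which is exactly the case the post above describes, and only the per-account aggregation surfaces them. Blocking is the wrong response to that second signal (you would be adding 25 addresses that may never return); the useful responses are the ones earlier in the thread, namely no password authentication at all, or restricting the listener to the networks you actually log in from.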

Re: Is It Time To Replace SSH ???

Message-ID: <87sfhfx3gz.fsf@usenet.ankman.de>
https://www.rocksolidbbs.com/computers/article-flat.php?id=10950&group=comp.os.linux.misc#10950
From: ank@spamfence.net (Andreas Kohlbach)
Date: Fri, 16 Dec 2022 01:33:16 -0500
References: <y-ycndVmEZmnWQf-nZ2dnZfqn_WdnZ2d@earthlink.com>
<tnfk1k$344am$3@dont-email.me> <87r0x0xmre.fsf@usenet.ankman.de>
<-_-dnbdq0bqGnwH-nZ2dnZfqnPednZ2d@earthlink.com>
 by: Andreas Kohlbach - Fri, 16 Dec 2022 06:33 UTC

On Fri, 16 Dec 2022 00:28:57 -0500, 26C.Z969 wrote:
>
> On 12/15/22 6:36 PM, Andreas Kohlbach wrote:
>> On Thu, 15 Dec 2022 18:03:48 +0100, Marco Moock wrote:
>
>>> Attacks on SSH on IPv4 networks exist (mostly brute-force), but just
>>> let it run on an IPv6 address, almost nobody will find it and try to
>>> log in.
>> Also depends on how long an IP is advertising SSH (or other
>> services). I
>> have mine since two years now, and scammers getting busier to get into my
>> SSH. Not that I care or block any of the IPs involved, as they change
>> frequently anyway.
>
> Strictly IP-centric defenses won't cut it anymore.
> Attackers tend to use distributed attacks - hundreds,
> thousands, of addresses. IP-centric defenses can
> slow-down at least some attackers, which can be good,
> but hardly all.

I know I'll only access mine via WIFI. Although it listens to the world
on port 22, I actually don't allow any connection other than from
192.168.0.0/24.

> IPV6 does have some potential ... but a lot of big
> providers, even Comcast, only offer IPV4 to most
> customers.
>
> Sometimes the "best" defense is obfuscation ...
> run SSH on an obscure port. If you look at yer
> firewall logs you'll see shitloads of probes
> to the standard port. Attackers are mostly bots
> these days and go for the low-hanging fruit.

Maybe just let everybody in without password or host key auth. Well, no,
seriously.

But just for fun I once set my FTP server for anonymous login (any
email address and any password allowed to gain access) and looked every so
often to see if someone had uploaded some crap (I didn't offer any downloads). Still
nothing after hours, so I looked into the logs. Many people trying many
different IDs and passwords, which were refused. But none tried anonymous
access, which would have let them in. *g*

I ran this test for eight hours, but no one tried anonymous access.
--
Andreas

Re: Is It Time To Replace SSH ???

<k02ni1Fjp4fU1@mid.individual.net>

https://www.rocksolidbbs.com/computers/article-flat.php?id=10951&group=comp.os.linux.misc#10951

Path: i2pn2.org!i2pn.org!news.swapon.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: robin_listas@es.invalid (Carlos E. R.)
Newsgroups: comp.os.linux.misc
Subject: Re: Is It Time To Replace SSH ???
Date: Fri, 16 Dec 2022 09:11:45 +0100
Lines: 41
Message-ID: <k02ni1Fjp4fU1@mid.individual.net>
References: <y-ycndVmEZmnWQf-nZ2dnZfqn_WdnZ2d@earthlink.com>
<wwvcz8ljc0x.fsf@LkoBDZeT.terraraq.uk>
<oOWcnbMrVfS4Ywb-nZ2dnZfqn_idnZ2d@earthlink.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Trace: individual.net DPR/oLkO6Fqvzxk8UzJQkQT3lLoNJxkYcMoLMUIvw1rsTs1lC3
Cancel-Lock: sha1:JZuL5vBZw7mkoSnZCq/p7MUbUHc=
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Thunderbird/102.5.1
Content-Language: es-ES, en-CA
In-Reply-To: <oOWcnbMrVfS4Ywb-nZ2dnZfqn_idnZ2d@earthlink.com>
 by: Carlos E. R. - Fri, 16 Dec 2022 08:11 UTC

On 16/12/2022 06.11, 26C.Z969 wrote:
> On 12/15/22 3:39 AM, Richard Kettlewell wrote:
>> "26C.Z969" <26C.Z969@noaada.net> writes:
>>> SSH is a good oldie for sure. However, it seems to be increasingly
>>> unfit for the modern realities. There are not many straight-up ways to
>>> detect/intercept aggressive attackers.
>>
>> What do you think it’s failing to do? Disable password authentication
>> and nobody’s getting in without an authorized private key.
>
>   Good for SOME users, preferably FEW, but what
>   about when you need to accommodate mass logins,
>   often from idiots ? If you make it too complex
>   they'll shop elsewhere.

If a mass of idiots go elsewhere, good riddance.

Now, if they want to go shopping, with money, that money of theirs can
create whatever software they want...

>>> It was writ for a "kinder, gentler" IP universe where distributed
>>> attacks did not exist. Coping with such threats really, badly, needs
>>> to be very straight-up and incorporate at least a little "AI"
>>> sensibility that can maybe "just tell" an aggressor from an ordinary
>>> client.
>>
>> Not much intelligence needed, anything that gets more than a handful of
>> password authentication error is an attacker and gets added to my
>> ‘block’ ipset.
>
>   You make it sound SO easy  :-)
>
>   Which doesn't cover serious breeches, even at
>   large tech-centric corps for some reason ....

Links?

--
Cheers,
Carlos E.R.

Re: Is It Time To Replace SSH ???

<tnhd6q$3bglv$1@dont-email.me>

https://www.rocksolidbbs.com/computers/article-flat.php?id=10952&group=comp.os.linux.misc#10952

Path: i2pn2.org!i2pn.org!eternal-september.org!reader01.eternal-september.org!.POSTED!not-for-mail
From: tnp@invalid.invalid (The Natural Philosopher)
Newsgroups: comp.os.linux.misc
Subject: Re: Is It Time To Replace SSH ???
Date: Fri, 16 Dec 2022 09:19:22 +0000
Organization: A little, after lunch
Lines: 40
Message-ID: <tnhd6q$3bglv$1@dont-email.me>
References: <y-ycndVmEZmnWQf-nZ2dnZfqn_WdnZ2d@earthlink.com>
<wwvcz8ljc0x.fsf@LkoBDZeT.terraraq.uk> <tnernt$32eg3$9@dont-email.me>
<87tu1wxmwi.fsf@usenet.ankman.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 16 Dec 2022 09:19:22 -0000 (UTC)
Injection-Info: reader01.eternal-september.org; posting-host="172a5d7eb33e5f2ee5019b76b1cc7293";
logging-data="3523263"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+zEWw9bpECTbDv/IXpY7OAHWKfrC43twE="
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Thunderbird/102.4.2
Cancel-Lock: sha1:Sp2wGh6z/q7QxweBQJkLXp27sGA=
In-Reply-To: <87tu1wxmwi.fsf@usenet.ankman.de>
Content-Language: en-GB
 by: The Natural Philosop - Fri, 16 Dec 2022 09:19 UTC

On 15/12/2022 23:33, Andreas Kohlbach wrote:
> On Thu, 15 Dec 2022 10:09:01 +0000, The Natural Philosopher wrote:
>>
>> On 15/12/2022 08:39, Richard Kettlewell wrote:
>>> "26C.Z969" <26C.Z969@noaada.net> writes:
>>>> SSH is a good oldie for sure. However, it seems to be increasingly
>>>> unfit for the modern realities. There are not many straight-up ways to
>>>> detect/intercept aggressive attackers.
>>> What do you think it’s failing to do? Disable password
>>> authentication
>>> and nobody’s getting in without an authorized private key.
>>>
>>>> It was writ for a "kinder, gentler" IP universe where distributed
>>>> attacks did not exist. Coping with such threats really, badly, needs
>>>> to be very straight-up and incorporate at least a little "AI"
>>>> sensibility that can maybe "just tell" an aggressor from an ordinary
>>>> client.
>>> Not much intelligence needed, anything that gets more than a handful
>>> of
>>> password authentication error is an attacker and gets added to my
>>> ‘block’ ipset.
>>>
>> Just hope it wasn't from some public wifi dynamic address that you
>> might want to use in future :-)
>
> Those are private IPs (like your personal WIFI net). Unlikely your SSH is
> being tried to accessed from there.

Er no. Grandmother, eggs, suck. How can you access anything other than
via a valid public IP address proxy? Either a direct proxy or NAT.

Block that proxy's public IP address, you block yourself from using it
ever again.

--
"When a true genius appears in the world, you may know him by this sign,
that the dunces are all in confederacy against him."

Jonathan Swift.

Re: Is It Time To Replace SSH ???

<tnhd9l$3bglv$2@dont-email.me>

https://www.rocksolidbbs.com/computers/article-flat.php?id=10953&group=comp.os.linux.misc#10953

Path: i2pn2.org!i2pn.org!eternal-september.org!reader01.eternal-september.org!.POSTED!not-for-mail
From: tnp@invalid.invalid (The Natural Philosopher)
Newsgroups: comp.os.linux.misc
Subject: Re: Is It Time To Replace SSH ???
Date: Fri, 16 Dec 2022 09:20:53 +0000
Organization: A little, after lunch
Lines: 40
Message-ID: <tnhd9l$3bglv$2@dont-email.me>
References: <y-ycndVmEZmnWQf-nZ2dnZfqn_WdnZ2d@earthlink.com>
<tnfk1k$344am$3@dont-email.me> <87r0x0xmre.fsf@usenet.ankman.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Fri, 16 Dec 2022 09:20:53 -0000 (UTC)
Injection-Info: reader01.eternal-september.org; posting-host="172a5d7eb33e5f2ee5019b76b1cc7293";
logging-data="3523263"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+GoidwQ2oMQIyFWGg8xJVKWhfJbgVJkws="
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Thunderbird/102.4.2
Cancel-Lock: sha1:1YtMh/KZmVrmDToIJ0Toe16v8kM=
In-Reply-To: <87r0x0xmre.fsf@usenet.ankman.de>
Content-Language: en-GB
 by: The Natural Philosop - Fri, 16 Dec 2022 09:20 UTC

On 15/12/2022 23:36, Andreas Kohlbach wrote:
> On Thu, 15 Dec 2022 18:03:48 +0100, Marco Moock wrote:
>>
>> Am 15.12.2022 um 01:52:41 Uhr schrieb 26C.Z969:
>>
>>> SSH is a good oldie for sure. However, it seems to
>>> be increasingly unfit for the modern realities. There
>>> are not many straight-up ways to detect/intercept
>>> aggressive attackers. It was writ for a "kinder,
>>> gentler" IP universe where distributed attacks did
>>> not exist. Coping with such threats really, badly,
>>> needs to be very straight-up and incorporate at least
>>> a little "AI" sensibility that can maybe "just tell"
>>> an aggressor from an ordinary client.
>>
>> I don't see any alternative. What would you change in the "new"
>> protocol?
>
> More colorful interface may be. ;-)
>
>> Attacks on SSH on IPv4 networks exist (mostly brute-force), but just
>> let it run on an IPv6 address, almost nobody will find it and try to
>> log in.
>
> Also depends on how long an IP is advertising SSH (or other services). I
> have mine since two years now, and scammers getting busier to get into my
> SSH. Not that I care or block any of the IPs involved, as they change
> frequently anyway.

I've had open SSH for years on backbone hosted kit. Everybody tries to
log in as root.

I let them. Root is not allowed to log in.

--
"When a true genius appears in the world, you may know him by this sign,
that the dunces are all in confederacy against him."

Jonathan Swift.
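
The settings this thread keeps returning to (keys rather than passwords, no root login, a non-default port, and access narrowed to the LAN as in Andreas's 192.168.0.0/24 setup above) can be checked mechanically rather than by eyeballing sshd_config. The Python below is an added example, not code from any poster: it parses a constructed sshd_config text, reports the weak settings, and also catches the case where a Match block quietly re-enables password authentication for a public address range. The keyword names are real OpenSSH sshd_config keywords; the three config texts, the port number 2222 and the address ranges are constructed for illustration.

```python
"""Lint an sshd_config for the settings discussed in the thread.

Added example, not code from the thread. It parses a constructed
sshd_config text and reports: password authentication left on, root
login allowed, sshd on the default port, and a Match block that
re-enables passwords for anything other than a private (RFC 1918 /
ULA) range. Keywords are real OpenSSH keywords; configs are constructed.
"""
import ipaddress

# Constructed "before": what many distributions ship, lightly edited.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed "after": keys only from the internet, no root, non-default
# port, and passwords tolerated only from the LAN prefix.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3

Match Address 192.168.0.0/24
    PasswordAuthentication yes
"""

# Constructed: looks hardened, but the Match block opens passwords to a
# public range (203.0.113.0/24 is a documentation prefix, RFC 5737).
LEAKY_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no

Match Address 203.0.113.0/24
    PasswordAuthentication yes
"""

PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def parse(text):
    """Return (global_settings, [(match_criteria, settings), ...]).

    sshd keywords are case-insensitive and, within a scope, the FIRST
    occurrence of a keyword wins (sshd_config(5)); a drop-in Included
    near the top therefore overrides a later line in the main file.
    """
    global_scope, matches, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            matches.append((value, current))
            continue
        scope = global_scope if current is None else current
        scope.setdefault(key, value)        # first obtained value is used
    return global_scope, matches


def match_addresses(criteria):
    """Networks named in 'Address a,b' criteria; non-CIDR patterns skipped."""
    tokens = criteria.split()
    nets = []
    for crit, val in zip(tokens[::2], tokens[1::2]):
        if crit.lower() != "address":
            continue
        for item in val.split(","):
            if not item or item.startswith("!") or item == "*":
                continue
            try:
                nets.append(ipaddress.ip_network(item, strict=False))
            except ValueError:              # hostname/wildcard pattern
                pass
    return nets


def is_private(net):
    return any(net.version == p.version and net.subnet_of(p) for p in PRIVATE)


def audit(text):
    """Return a list of findings; an empty list means nothing to flag."""
    g, matches = parse(text)
    findings = []
    if g.get("passwordauthentication", "yes").lower() != "no":
        findings.append("HIGH: PasswordAuthentication is on globally; "
                        "brute force stays possible from anywhere")
    if g.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("HIGH: PermitRootLogin yes; bots try 'root' first")
    if g.get("port", "22") == "22":
        findings.append("LOW: sshd on port 22 draws the bulk of the probes")
    for criteria, settings in matches:
        if settings.get("passwordauthentication", "").lower() != "yes":
            continue
        for net in match_addresses(criteria):
            if not is_private(net):
                findings.append(f"HIGH: Match {criteria} re-enables "
                                f"passwords for non-private range {net}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("leaky", LEAKY_CONFIG)):
        print(name, audit(cfg) or ["clean"])
```

On a live box, feed it the output of `sshd -T` rather than the file: that prints the effective configuration after all Include directives and first-value-wins resolution, and `sshd -T -C addr=203.0.113.5,user=alice,host=x` evaluates the Match blocks for a specific would-be connection. Note that the Match-only check above is the part people miss: the global lines can be perfect while a Match re-opens passwords to the world.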

Re: Is It Time To Replace SSH ???

<tnhdbg$3bglv$3@dont-email.me>

https://www.rocksolidbbs.com/computers/article-flat.php?id=10954&group=comp.os.linux.misc#10954

Path: i2pn2.org!i2pn.org!eternal-september.org!reader01.eternal-september.org!.POSTED!not-for-mail
From: tnp@invalid.invalid (The Natural Philosopher)
Newsgroups: comp.os.linux.misc
Subject: Re: Is It Time To Replace SSH ???
Date: Fri, 16 Dec 2022 09:21:52 +0000
Organization: A little, after lunch
Lines: 14
Message-ID: <tnhdbg$3bglv$3@dont-email.me>
References: <y-ycndVmEZmnWQf-nZ2dnZfqn_WdnZ2d@earthlink.com>
<tnfk1k$344am$3@dont-email.me> <87r0x0xmre.fsf@usenet.ankman.de>
<-_-dnbdq0bqGnwH-nZ2dnZfqnPednZ2d@earthlink.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 16 Dec 2022 09:21:52 -0000 (UTC)
Injection-Info: reader01.eternal-september.org; posting-host="172a5d7eb33e5f2ee5019b76b1cc7293";
logging-data="3523263"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19Mgm1WxDWEaNB6z7KISiMOw5biKe+yeXU="
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Thunderbird/102.4.2
Cancel-Lock: sha1:dIWC4LIXhc3SP0vtO8P0gEPzHOw=
Content-Language: en-GB
In-Reply-To: <-_-dnbdq0bqGnwH-nZ2dnZfqnPednZ2d@earthlink.com>
 by: The Natural Philosop - Fri, 16 Dec 2022 09:21 UTC

On 16/12/2022 05:28, 26C.Z969 wrote:
> Sometimes the "best" defense is obfuscation ...
>   run SSH on an obscure port. If you look at yer
>   firewall logs you'll see shitloads of probes
>   to the standard port. Attackers are mostly bots
>   these days and go for the low-hanging fruit.

Yup. Very few people bother to scan all 64k ports.
--
New Socialism consists essentially in being seen to have your heart in
the right place whilst your head is in the clouds and your hand is in
someone else's pocket.

Re: Is It Time To Replace SSH ???

<tnhddg$3bglv$4@dont-email.me>

https://www.rocksolidbbs.com/computers/article-flat.php?id=10955&group=comp.os.linux.misc#10955

Path: i2pn2.org!i2pn.org!eternal-september.org!reader01.eternal-september.org!.POSTED!not-for-mail
From: tnp@invalid.invalid (The Natural Philosopher)
Newsgroups: comp.os.linux.misc
Subject: Re: Is It Time To Replace SSH ???
Date: Fri, 16 Dec 2022 09:22:56 +0000
Organization: A little, after lunch
Lines: 11
Message-ID: <tnhddg$3bglv$4@dont-email.me>
References: <y-ycndVmEZmnWQf-nZ2dnZfqn_WdnZ2d@earthlink.com>
<wwvcz8ljc0x.fsf@LkoBDZeT.terraraq.uk>
<oOWcnbMrVfS4Ywb-nZ2dnZfqn_idnZ2d@earthlink.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Fri, 16 Dec 2022 09:22:56 -0000 (UTC)
Injection-Info: reader01.eternal-september.org; posting-host="172a5d7eb33e5f2ee5019b76b1cc7293";
logging-data="3523263"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18i9B0ePCqTVmEUmhxjyjAAYD3hdJq0WY0="
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Thunderbird/102.4.2
Cancel-Lock: sha1:Kue7YgZoed6xoJOOx5BBGjV7sM0=
In-Reply-To: <oOWcnbMrVfS4Ywb-nZ2dnZfqn_idnZ2d@earthlink.com>
Content-Language: en-GB
 by: The Natural Philosop - Fri, 16 Dec 2022 09:22 UTC

On 16/12/2022 05:11, 26C.Z969 wrote:
> Which doesn't cover serious breeches

You need gaiters for that...

--
New Socialism consists essentially in being seen to have your heart in
the right place whilst your head is in the clouds and your hand is in
someone else's pocket.

Re: Is It Time To Replace SSH ???

<tnhdk8$3bglv$6@dont-email.me>

https://www.rocksolidbbs.com/computers/article-flat.php?id=10957&group=comp.os.linux.misc#10957

Path: i2pn2.org!i2pn.org!eternal-september.org!reader01.eternal-september.org!.POSTED!not-for-mail
From: tnp@invalid.invalid (The Natural Philosopher)
Newsgroups: comp.os.linux.misc
Subject: Re: Is It Time To Replace SSH ???
Date: Fri, 16 Dec 2022 09:26:32 +0000
Organization: A little, after lunch
Lines: 47
Message-ID: <tnhdk8$3bglv$6@dont-email.me>
References: <y-ycndVmEZmnWQf-nZ2dnZfqn_WdnZ2d@earthlink.com>
<tnfch7$33uu5$1@dont-email.me>
<dM6cnVBFo_qAYgb-nZ2dnZfqnPGdnZ2d@earthlink.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 16 Dec 2022 09:26:32 -0000 (UTC)
Injection-Info: reader01.eternal-september.org; posting-host="172a5d7eb33e5f2ee5019b76b1cc7293";
logging-data="3523263"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19X5DEkc6E+qH5qxzTc6Ju3+8+D7yRwdLk="
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Thunderbird/102.4.2
Cancel-Lock: sha1:o9GiOT4+Zk0MIoNAJ2AnorQn5Jc=
In-Reply-To: <dM6cnVBFo_qAYgb-nZ2dnZfqnPGdnZ2d@earthlink.com>
Content-Language: en-GB
 by: The Natural Philosop - Fri, 16 Dec 2022 09:26 UTC

On 16/12/2022 05:16, 26C.Z969 wrote:
> On 12/15/22 9:55 AM, Lew Pitcher wrote:
>> On Thu, 15 Dec 2022 01:52:41 -0500, 26C.Z969 wrote:
>>
>>> SSH is a good oldie for sure. However, it seems to be increasingly unfit
>>> for the modern realities.
>> [snip]
>>> I mean REPLACE it entirely with a clean new solution. Too much
>>> feature-creep on old apps is never a good idea.
>>
>> While I don't agree with you (I think that your observed problems
>> are likely caused more by operator error than aged software), I
>> have no problems with YOU attempting to replace ssh with something
>> better. Have at it, my friend.
>>
>> Once YOU write a stable and featurefull replacement for ssh, please
>> let us know.
>>
>> Luck be with you
>
>   In the end I may HAVE to ... but not my idea
>   of fun. Replacing SSH really needs to be a
>   "community effort" drawing from a lot of
>   expertise and experience with broad agreement
>   involved.
>
>   Or is all this already behind the curve ? SO much
>   access is now via browser-based apps.
>
>   SolarWinds will sell you some great stuff ....
>

Just build a wrapper - a sort of modern inetd - that requires
simultaneous access on three ports to open one of them to any service.

Proper packaged port knocker. Might already be one.

SSH is a perfectly adequate protocol that only purists find inadequate.

--
It is the folly of too many to mistake the echo of a London coffee-house
for the voice of the kingdom.

Jonathan Swift
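
The "modern inetd that wants three ports" idea above is port knocking, which knockd and friends already package. As an added example (not the poster's code and not knockd itself), here is the decision logic such a wrapper needs, in Python, replayed over constructed connection attempts: a legitimate client that knocks 9000, 7000, 8000 in order, an ascending port scan, and a client that knocks too slowly. The knock ports, the window, the open duration and all addresses are assumptions. It goes a little beyond the post by also modelling the "any order / simultaneous" variant, because the comparison is the interesting part: an ordinary ascending sweep hits all three ports within a fraction of a second, so an any-order knock opens for every scanner, while a non-monotonic, order-checked sequence does not.

```python
"""Port-knock gate: the decision logic a 'modern inetd' wrapper would need.

Added example, not the poster's code and not knockd itself. A source that
hits the knock ports in the right order within WINDOW seconds gets the
protected port opened for OPEN_FOR seconds. Replayed over constructed
connection attempts: a proper knock, an ascending port scan, and a knock
that arrives too slowly. Ports, timings and addresses are assumptions.
"""

KNOCK = (9000, 7000, 8000)   # deliberately non-monotonic; see the SCAN replay
WINDOW = 5.0                 # seconds allowed to complete the sequence
OPEN_FOR = 30.0              # seconds the protected port stays reachable


class Knocker:
    def __init__(self, sequence=KNOCK, window=WINDOW, open_for=OPEN_FOR,
                 ordered=True):
        self.sequence = tuple(sequence)
        self.window, self.open_for, self.ordered = window, open_for, ordered
        self.progress = {}   # src -> (knock ports seen, time of first knock)
        self.opened = {}     # src -> time the grant expires

    def observe(self, ts, src, dport):
        """Feed one connection attempt. True if it completed the sequence."""
        if dport not in self.sequence:
            return False                         # only the knock ports are watched
        seen, first = self.progress.get(src, ([], ts))
        if ts - first > self.window:             # too slow: start over
            seen, first = [], ts
        if self.ordered:
            if dport == self.sequence[len(seen)]:
                seen = seen + [dport]
            else:                                # wrong order: restart, maybe on this knock
                seen, first = ([dport] if dport == self.sequence[0] else []), ts
        elif dport not in seen:                  # any-order ("simultaneous") variant
            seen = seen + [dport]
        if len(seen) == len(self.sequence):
            self.opened[src] = ts + self.open_for
            self.progress.pop(src, None)
            return True
        self.progress[src] = (seen, first)
        return False

    def allowed(self, ts, src):
        """Would a connection from src to the protected port be admitted now?"""
        expiry = self.opened.get(src)
        return expiry is not None and ts <= expiry


# Constructed connection attempts: (timestamp, source, destination port).
LEGIT = [(10.0, "198.51.100.7", 9000), (10.5, "198.51.100.7", 7000),
         (11.0, "198.51.100.7", 8000)]
SCAN = [(0.01 * i, "203.0.113.9", port)          # ascending sweep 6500..9500
        for i, port in enumerate(range(6500, 9501, 500))]
SLOW = [(100.0, "198.51.100.8", 9000), (106.0, "198.51.100.8", 7000),
        (106.5, "198.51.100.8", 8000)]


def replay(events, **kwargs):
    """Run a fresh Knocker over the events and hand it back for inspection."""
    gate = Knocker(**kwargs)
    for ts, src, dport in events:
        gate.observe(ts, src, dport)
    return gate


if __name__ == "__main__":
    print("legit client admitted:", replay(LEGIT).allowed(20.0, "198.51.100.7"))
    print("ordered gate vs scan:", replay(SCAN).allowed(1.0, "203.0.113.9"))
    print("any-order gate vs scan:",
          replay(SCAN, ordered=False).allowed(1.0, "203.0.113.9"))
    print("slow knock admitted:", replay(SLOW).allowed(200.0, "198.51.100.8"))
```

A real wrapper would feed observe() from SYNs seen via pcap or nflog and turn a grant into a firewall rule with a timeout. The caveat is the one the thread is circling anyway: the knocks travel in clear, so anyone on the path can replay them. Knocking thins the scanner noise; it is not authentication, and the key check behind the opened port still does the real work.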

Re: Is It Time To Replace SSH ???

<k02s5aFjp4fU2@mid.individual.net>

https://www.rocksolidbbs.com/computers/article-flat.php?id=10958&group=comp.os.linux.misc#10958

Path: i2pn2.org!i2pn.org!news.swapon.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: robin_listas@es.invalid (Carlos E. R.)
Newsgroups: comp.os.linux.misc
Subject: Re: Is It Time To Replace SSH ???
Date: Fri, 16 Dec 2022 10:30:17 +0100
Lines: 44
Message-ID: <k02s5aFjp4fU2@mid.individual.net>
References: <y-ycndVmEZmnWQf-nZ2dnZfqn_WdnZ2d@earthlink.com>
<tnfk1k$344am$3@dont-email.me> <87r0x0xmre.fsf@usenet.ankman.de>
<tnhd9l$3bglv$2@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: individual.net snRkDyulvfudiXqkFth3PALdXXApoNnZ8druzUH+peTNCYyVzo
Cancel-Lock: sha1:PM0KZgR2RVRGMiyYggTH/DmeW6Q=
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Thunderbird/102.5.1
Content-Language: es-ES, en-CA
In-Reply-To: <tnhd9l$3bglv$2@dont-email.me>
 by: Carlos E. R. - Fri, 16 Dec 2022 09:30 UTC

On 16/12/2022 10.20, The Natural Philosopher wrote:
> On 15/12/2022 23:36, Andreas Kohlbach wrote:
>> On Thu, 15 Dec 2022 18:03:48 +0100, Marco Moock wrote:
>>>
>>> Am 15.12.2022 um 01:52:41 Uhr schrieb 26C.Z969:
>>>
>>>> SSH is a good oldie for sure. However, it seems to
>>>> be increasingly unfit for the modern realities. There
>>>> are not many straight-up ways to detect/intercept
>>>> aggressive attackers. It was writ for a "kinder,
>>>> gentler" IP universe where distributed attacks did
>>>> not exist. Coping with such threats really, badly,
>>>> needs to be very straight-up and incorporate at least
>>>> a little "AI" sensibility that can maybe "just tell"
>>>> an aggressor from an ordinary client.
>>>
>>> I don't see any alternative. What would you change in the "new"
>>> protocol?
>>
>> More colorful interface may be. ;-)
>>
>>> Attacks on SSH on IPv4 networks exist (mostly brute-force), but just
>>> let it run on an IPv6 address, almost nobody will find it and try to
>>> log in.
>>
>> Also depends on how long an IP is advertising SSH (or other services). I
>> have mine since two years now, and scammers getting busier to get into my
>> SSH. Not that I care or block any of the IPs involved, as they change
>> frequently anyway.
>
> I've had open SSH for years on backbone hosted kit. everybody tries to
> login as root.
>
> I let them. Root is not allowed to log in.

One idea would be to automatically block the IPs that try to login as
root or other typical names used by bots.

That's something a human operator would do.

--
Cheers,
Carlos E.R.

Re: Is It Time To Replace SSH ???

<tnhea9$3bglv$10@dont-email.me>

https://www.rocksolidbbs.com/computers/article-flat.php?id=10959&group=comp.os.linux.misc#10959

Path: i2pn2.org!i2pn.org!eternal-september.org!reader01.eternal-september.org!.POSTED!not-for-mail
From: tnp@invalid.invalid (The Natural Philosopher)
Newsgroups: comp.os.linux.misc
Subject: Re: Is It Time To Replace SSH ???
Date: Fri, 16 Dec 2022 09:38:17 +0000
Organization: A little, after lunch
Lines: 53
Message-ID: <tnhea9$3bglv$10@dont-email.me>
References: <y-ycndVmEZmnWQf-nZ2dnZfqn_WdnZ2d@earthlink.com>
<tnfk1k$344am$3@dont-email.me> <87r0x0xmre.fsf@usenet.ankman.de>
<tnhd9l$3bglv$2@dont-email.me> <k02s5aFjp4fU2@mid.individual.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 16 Dec 2022 09:38:17 -0000 (UTC)
Injection-Info: reader01.eternal-september.org; posting-host="172a5d7eb33e5f2ee5019b76b1cc7293";
logging-data="3523263"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+eLxINr/sZqomw5Yuc4Djkdasxdkme8xc="
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Thunderbird/102.4.2
Cancel-Lock: sha1:QOSfxuTumaAFmEbkxyMBNlEObFo=
In-Reply-To: <k02s5aFjp4fU2@mid.individual.net>
Content-Language: en-GB
 by: The Natural Philosop - Fri, 16 Dec 2022 09:38 UTC

On 16/12/2022 09:30, Carlos E. R. wrote:
> On 16/12/2022 10.20, The Natural Philosopher wrote:
>> On 15/12/2022 23:36, Andreas Kohlbach wrote:
>>> On Thu, 15 Dec 2022 18:03:48 +0100, Marco Moock wrote:
>>>>
>>>> Am 15.12.2022 um 01:52:41 Uhr schrieb 26C.Z969:
>>>>
>>>>> SSH is a good oldie for sure. However, it seems to
>>>>> be increasingly unfit for the modern realities. There
>>>>> are not many straight-up ways to detect/intercept
>>>>> aggressive attackers. It was writ for a "kinder,
>>>>> gentler" IP universe where distributed attacks did
>>>>> not exist. Coping with such threats really, badly,
>>>>> needs to be very straight-up and incorporate at least
>>>>> a little "AI" sensibility that can maybe "just tell"
>>>>> an aggressor from an ordinary client.
>>>>
>>>> I don't see any alternative. What would you change in the "new"
>>>> protocol?
>>>
>>> More colorful interface may be. ;-)
>>>
>>>> Attacks on SSH on IPv4 networks exist (mostly brute-force), but just
>>>> let it run on an IPv6 address, almost nobody will find it and try to
>>>> log in.
>>>
>>> Also depends on how long an IP is advertising SSH (or other services). I
>>> have mine since two years now, and scammers getting busier to get
>>> into my
>>> SSH. Not that I care or block any of the IPs involved, as they change
>>> frequently anyway.
>>
>> I've had open SSH for years on backbone hosted kit. everybody tries to
>> login as root.
>>
>> I let them. Root is not allowed to log in.
>
> One idea would be to automatically block the IPs that try to login as
> root or other typical names used by bots.
>
> That's something a human operator would do.
>
Why bother? They would then go on to bother someone else, possibly with
less bandwidth than I.

If they want to spend an hour trying every single password in their
dictionary, it's no skin off my nose.

--
"Nature does not give up the winter because people dislike the cold."

― Confucius

Re: Is It Time To Replace SSH ???

<wwvmt7njjjv.fsf@LkoBDZeT.terraraq.uk>

https://www.rocksolidbbs.com/computers/article-flat.php?id=10961&group=comp.os.linux.misc#10961

Path: i2pn2.org!i2pn.org!paganini.bofh.team!news.nntp4.net!nntp.terraraq.uk!.POSTED.tunnel.sfere.anjou.terraraq.org.uk!not-for-mail
From: invalid@invalid.invalid (Richard Kettlewell)
Newsgroups: comp.os.linux.misc
Subject: Re: Is It Time To Replace SSH ???
Date: Fri, 16 Dec 2022 18:21:56 +0000
Organization: terraraq NNTP server
Message-ID: <wwvmt7njjjv.fsf@LkoBDZeT.terraraq.uk>
References: <y-ycndVmEZmnWQf-nZ2dnZfqn_WdnZ2d@earthlink.com>
<wwvcz8ljc0x.fsf@LkoBDZeT.terraraq.uk> <tnernt$32eg3$9@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Injection-Info: mantic.terraraq.uk; posting-host="tunnel.sfere.anjou.terraraq.org.uk:172.17.207.6";
logging-data="101478"; mail-complaints-to="usenet@mantic.terraraq.uk"
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
Cancel-Lock: sha1:ID8/jHORDppEYj4G+imB30ZusCM=
X-Face: h[Hh-7npe<<b4/eW[]sat,I3O`t8A`(ej.H!F4\8|;ih)`7{@:A~/j1}gTt4e7-n*F?.Rl^
F<\{jehn7.KrO{!7=:(@J~]<.[{>v9!1<qZY,{EJxg6?Er4Y7Ng2\Ft>Z&W?r\c.!4DXH5PWpga"ha
+r0NzP?vnz:e/knOY)PI-
X-Boydie: NO
 by: Richard Kettlewell - Fri, 16 Dec 2022 18:21 UTC

The Natural Philosopher <tnp@invalid.invalid> writes:
> On 15/12/2022 08:39, Richard Kettlewell wrote:
>> Not much intelligence needed, anything that gets more than a handful
>> of password authentication error is an attacker and gets added to my
>> ‘block’ ipset.
>>
> Just hope it wasn't from some public wifi dynamic address that you
> might want to use in future :-)

Pretty unlikely. But my VPN will get me past it in the event that
happens.

--
https://www.greenend.org.uk/rjk/

Re: Is It Time To Replace SSH ???

<wwvh6xvjjcy.fsf@LkoBDZeT.terraraq.uk>

https://www.rocksolidbbs.com/computers/article-flat.php?id=10962&group=comp.os.linux.misc#10962

Path: i2pn2.org!i2pn.org!paganini.bofh.team!news.nntp4.net!nntp.terraraq.uk!.POSTED.tunnel.sfere.anjou.terraraq.org.uk!not-for-mail
From: invalid@invalid.invalid (Richard Kettlewell)
Newsgroups: comp.os.linux.misc
Subject: Re: Is It Time To Replace SSH ???
Date: Fri, 16 Dec 2022 18:26:05 +0000
Organization: terraraq NNTP server
Message-ID: <wwvh6xvjjcy.fsf@LkoBDZeT.terraraq.uk>
References: <y-ycndVmEZmnWQf-nZ2dnZfqn_WdnZ2d@earthlink.com>
<wwvcz8ljc0x.fsf@LkoBDZeT.terraraq.uk>
<oOWcnbMrVfS4Ywb-nZ2dnZfqn_idnZ2d@earthlink.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Injection-Info: mantic.terraraq.uk; posting-host="tunnel.sfere.anjou.terraraq.org.uk:172.17.207.6";
logging-data="101478"; mail-complaints-to="usenet@mantic.terraraq.uk"
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
Cancel-Lock: sha1:uKGB2+o9rMUaeGxqYEE2Ek1cQME=
X-Face: h[Hh-7npe<<b4/eW[]sat,I3O`t8A`(ej.H!F4\8|;ih)`7{@:A~/j1}gTt4e7-n*F?.Rl^
F<\{jehn7.KrO{!7=:(@J~]<.[{>v9!1<qZY,{EJxg6?Er4Y7Ng2\Ft>Z&W?r\c.!4DXH5PWpga"ha
+r0NzP?vnz:e/knOY)PI-
X-Boydie: NO
 by: Richard Kettlewell - Fri, 16 Dec 2022 18:26 UTC

"26C.Z969" <26C.Z969@noaada.net> writes:
> On 12/15/22 3:39 AM, Richard Kettlewell wrote:
>> "26C.Z969" <26C.Z969@noaada.net> writes:
>>> SSH is a good oldie for sure. However, it seems to be increasingly
>>> unfit for the modern realities. There are not many straight-up ways to
>>> detect/intercept aggressive attackers.
>> What do you think it’s failing to do? Disable password authentication
>> and nobody’s getting in without an authorized private key.
>
> Good for SOME users, preferably FEW, but what about when you need to
> accommodate mass logins, often from idiots ? If you make it too
> complex they'll shop elsewhere.

Sounds like a self-solving problem.

>>> It was writ for a "kinder, gentler" IP universe where distributed
>>> attacks did not exist. Coping with such threats really, badly, needs
>>> to be very straight-up and incorporate at least a little "AI"
>>> sensibility that can maybe "just tell" an aggressor from an ordinary
>>> client.
>> Not much intelligence needed, anything that gets more than a handful
>> of password authentication error is an attacker and gets added to my
>> ‘block’ ipset.
>
> You make it sound SO easy :-) Which doesn't cover serious breeches,
> even at large tech-centric corps for some reason ....

Blocking persistent probes is indeed easy. I don’t think I claimed it
had anything to do with other classes of attack, but you don’t seem to
have explained what you think the issues are with SSH anyway.

--
http://www.greenend.org.uk/rjk/
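
Both rules proposed in this thread, Carlos's (block sources that try root or the usual bot usernames) and Richard's ("more than a handful of password authentication errors" goes into a block ipset), reduce to a few lines over the sshd log. The Python below is an added example, not either poster's setup: it parses constructed log lines in the syslog format sshd actually emits, applies both rules, skips an allowlist so the LAN or VPN address you depend on can never lock you out (the public-wifi and mixed-up-hostname worries raised elsewhere in the thread), and emits the ipset commands rather than running them. The log lines, addresses, threshold, username list, set name and allowlist are all constructed.

```python
"""Pick SSH brute-forcers out of the sshd log and emit ipset commands.

Added example, not any poster's setup. Two rules from the thread:
  * more than THRESHOLD password failures from one address, or
  * any attempt against the usernames bots try first ('root' and friends),
with an allowlist so the LAN/VPN addresses you rely on are never blocked.
Log lines, addresses, threshold, set name and allowlist are constructed.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# sshd logs a 'Failed password' line for every bad password; for unknown
# accounts it also logs a separate 'Invalid user' line for the same attempt.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
INVALID_RE = re.compile(r"Invalid user (\S+) from (\S+) port \d+")

BOT_USERS = {"root", "admin", "ubuntu", "pi", "oracle", "test", "guest", "postgres"}
THRESHOLD = 5                                    # "more than a handful"
ALLOW = [ip_network("192.168.0.0/24"),           # constructed: the LAN
         ip_network("10.8.0.0/24")]              # constructed: VPN clients


def _fail(user, ip, n):
    """n constructed 'Failed password' lines in sshd's syslog format."""
    return [f"Dec 16 06:3{i}:00 host sshd[12{i}]: Failed password for "
            f"{user} from {ip} port 5{i}000 ssh2" for i in range(n)]


SAMPLE_LOG = (
    _fail("root", "203.0.113.5", 2)              # bot: root, then 'admin'
    + ["Dec 16 06:32:04 host sshd[1207]: Invalid user admin "
       "from 203.0.113.5 port 51240",
       "Dec 16 06:32:04 host sshd[1207]: Failed password for invalid user "
       "admin from 203.0.113.5 port 51240 ssh2"]
    + _fail("alice", "198.51.100.7", 6)          # dictionary run on a real account
    + _fail("bob", "192.168.0.10", 7)            # fat fingers on the LAN: allowlisted
    + _fail("carol", "198.51.100.20", 2)         # two typos: below threshold
    + ["Dec 16 06:40:00 host sshd[1300]: Accepted publickey for alice "
       "from 192.168.0.10 port 50002 ssh2: ED25519 SHA256:AAAA"]
)


def analyse(lines, threshold=THRESHOLD, allow=ALLOW):
    """Return {source_ip: reason} for every address that should be blocked."""
    failures = Counter()
    usernames = defaultdict(set)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            usernames[ip].add(user)
            continue
        m = INVALID_RE.search(line)              # same attempt logged again:
        if m:                                    # record the name, don't double count
            user, ip = m.groups()
            usernames[ip].add(user)
    verdict = {}
    for ip, names in usernames.items():
        if any(ip_address(ip) in net for net in allow):
            continue                             # never lock yourself out
        reasons = []
        if failures[ip] > threshold:
            reasons.append(f"{failures[ip]} failed password attempts")
        bots = sorted(names & BOT_USERS)
        if bots:
            reasons.append("tried bot usernames " + ",".join(bots))
        if reasons:
            verdict[ip] = "; ".join(reasons)
    return verdict


def ipset_commands(verdict, setname="block"):
    """The commands to hand to ipset; '-exist' makes re-adding harmless."""
    return [f"ipset add {setname} {ip} -exist" for ip in sorted(verdict)]


if __name__ == "__main__":
    hits = analyse(SAMPLE_LOG)
    for ip, why in hits.items():
        print(f"{ip}: {why}")
    print("\n".join(ipset_commands(hits)))
```

The set itself is created once with `ipset create block hash:ip timeout 3600` and referenced from the firewall with `iptables -I INPUT -m set --match-set block src -j DROP`; the timeout is what bounds the collateral damage when a blocked address turns out to be a shared NAT or coffee-shop egress, which is the objection raised earlier in the thread. With key-only authentication the block list is mostly about log hygiene and CPU, as Richard says, not about keeping anyone out.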

Re: Is It Time To Replace SSH ???

<wwvbko3jj7p.fsf@LkoBDZeT.terraraq.uk>

https://www.rocksolidbbs.com/computers/article-flat.php?id=10963&group=comp.os.linux.misc#10963

Path: i2pn2.org!i2pn.org!paganini.bofh.team!news.nntp4.net!nntp.terraraq.uk!.POSTED.tunnel.sfere.anjou.terraraq.org.uk!not-for-mail
From: invalid@invalid.invalid (Richard Kettlewell)
Newsgroups: comp.os.linux.misc
Subject: Re: Is It Time To Replace SSH ???
Date: Fri, 16 Dec 2022 18:29:14 +0000
Organization: terraraq NNTP server
Message-ID: <wwvbko3jj7p.fsf@LkoBDZeT.terraraq.uk>
References: <y-ycndVmEZmnWQf-nZ2dnZfqn_WdnZ2d@earthlink.com>
<tnfk1k$344am$3@dont-email.me> <87r0x0xmre.fsf@usenet.ankman.de>
<tnhd9l$3bglv$2@dont-email.me> <k02s5aFjp4fU2@mid.individual.net>
<tnhea9$3bglv$10@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Injection-Info: mantic.terraraq.uk; posting-host="tunnel.sfere.anjou.terraraq.org.uk:172.17.207.6";
logging-data="101478"; mail-complaints-to="usenet@mantic.terraraq.uk"
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
Cancel-Lock: sha1:bHeV5E3/tlBz/sVNGiRdqkjRgJU=
X-Face: h[Hh-7npe<<b4/eW[]sat,I3O`t8A`(ej.H!F4\8|;ih)`7{@:A~/j1}gTt4e7-n*F?.Rl^
F<\{jehn7.KrO{!7=:(@J~]<.[{>v9!1<qZY,{EJxg6?Er4Y7Ng2\Ft>Z&W?r\c.!4DXH5PWpga"ha
+r0NzP?vnz:e/knOY)PI-
X-Boydie: NO
 by: Richard Kettlewell - Fri, 16 Dec 2022 18:29 UTC

The Natural Philosopher <tnp@invalid.invalid> writes:
> On 16/12/2022 09:30, Carlos E. R. wrote:
>> One idea would be to automatically block the IPs that try to login
>> as root or other typical names used by bots.
>> That's something a human operator would do.
>>
> Why bother? they would then go on to bother someone else, possibly
> with less bandwidth than I.
>
> If they want to spend an hour trying every single password in their
> dictionary, its no skin off my nose.

I’ve got better uses for my CPU[1] than key agreement with low-rent
attackers, and better uses for my logs than background error noise.

[1] and in the summer, the waste heat

--
http://www.greenend.org.uk/rjk/

Re: Is It Time To Replace SSH ???

<tnilb0$1qdhe$1@news1.tnib.de>

https://www.rocksolidbbs.com/computers/article-flat.php?id=10965&group=comp.os.linux.misc#10965

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!news1.tnib.de!feed.news.tnib.de!news.tnib.de!.POSTED.torres.zugschlus.de!not-for-mail
From: mh+usenetspam1118@zugschl.us (Marc Haber)
Newsgroups: comp.os.linux.misc
Subject: Re: Is It Time To Replace SSH ???
Date: Fri, 16 Dec 2022 21:44:16 +0100
Organization: private site, see http://www.zugschlus.de/ for details
Message-ID: <tnilb0$1qdhe$1@news1.tnib.de>
References: <y-ycndVmEZmnWQf-nZ2dnZfqn_WdnZ2d@earthlink.com> <tnfk1k$344am$3@dont-email.me> <87r0x0xmre.fsf@usenet.ankman.de> <tnhd9l$3bglv$2@dont-email.me> <k02s5aFjp4fU2@mid.individual.net> <tnhea9$3bglv$10@dont-email.me> <wwvbko3jj7p.fsf@LkoBDZeT.terraraq.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 16 Dec 2022 20:44:16 -0000 (UTC)
Injection-Info: news1.tnib.de; posting-host="torres.zugschlus.de:85.214.160.151";
logging-data="1914414"; mail-complaints-to="abuse@tnib.de"
X-Newsreader: Forte Agent 6.00/32.1186
 by: Marc Haber - Fri, 16 Dec 2022 20:44 UTC

Richard Kettlewell <invalid@invalid.invalid> wrote:
>The Natural Philosopher <tnp@invalid.invalid> writes:
>> On 16/12/2022 09:30, Carlos E. R. wrote:
>>> One idea would be to automatically block the IPs that try to login
>>> as root or other typical names used by bots.
>>> That's something a human operator would do.
>>>
>> Why bother? they would then go on to bother someone else, possibly
>> with less bandwidth than I.
>>
>> If they want to spend an hour trying every single password in their
>> dictionary, its no skin off my nose.
>
>I’ve got better uses for my CPU[1] than key agreement with low-rent
>attackers, and better uses for my logs than background error noise.

It's a matter of style; both ways to do it have their advantages and
their disadvantages. It's nothing to get missionary over.

--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Re: Is It Time To Replace SSH ???

<639ce9f8@news.ausics.net>

https://www.rocksolidbbs.com/computers/article-flat.php?id=10966&group=comp.os.linux.misc#10966

Message-ID: <639ce9f8@news.ausics.net>
From: not@telling.you.invalid (Computer Nerd Kev)
Subject: Re: Is It Time To Replace SSH ???
Newsgroups: comp.os.linux.misc
References: <y-ycndVmEZmnWQf-nZ2dnZfqn_WdnZ2d@earthlink.com> <tnfk1k$344am$3@dont-email.me> <87r0x0xmre.fsf@usenet.ankman.de> <tnhd9l$3bglv$2@dont-email.me> <k02s5aFjp4fU2@mid.individual.net>
User-Agent: tin/2.0.1-20111224 ("Achenvoir") (UNIX) (Linux/2.4.31 (i586))
NNTP-Posting-Host: news.ausics.net
Date: 17 Dec 2022 07:58:17 +1000
Organization: Ausics - https://www.ausics.net
Lines: 39
X-Complaints: abuse@ausics.net
Path: i2pn2.org!rocksolid2!news.neodome.net!csiph.com!news.bbs.nz!news.ausics.net!not-for-mail
 by: Computer Nerd Kev - Fri, 16 Dec 2022 21:58 UTC

Carlos E. R. <robin_listas@es.invalid> wrote:
> On 16/12/2022 10.20, The Natural Philosopher wrote:
>>
>> I've had open SSH for years on backbone hosted kit. everybody tries to
>> login as root.
>>
>> I let them. Root is not allowed to log in.
>
> One idea would be to automatically block the IPs that try to login as
> root or other typical names used by bots.
>
> That's something a human operator would do.

Ha! I'd end up getting myself blocked that way. I tend to mix up
hostnames from time to time and get hopelessly confused about why I
can't log in, or why all the files are missing (not ideal, I know).

I fail to see how a human watching logs could reliably improve
security over automated methods, let alone AI (which would
presumably consume more system resources than a trickle of SSH
connections anyway).

That said, I do think there's room for usability improvements over
current SSH implementations. Many of the more technical OpenSSH
options are messy and hard to understand. There are lots of (or at
least three, that I've had to deal with) different, incompatible,
private key formats. When a connection fails it's often unclear
whether there's a bug/connection-error or it's due to a
client/server not meeting the other's encryption/authentication
requirements. Mosh also improves on some speed/reliability issues
with connections over slow/unreliable networks.

But it seems that's not what the OP is talking about. On the topic
of security, rather than usability, I don't see any obvious way to
improve things.

--
__ __
#_ < |\| |< _#

Re: Is It Time To Replace SSH ???

Path: i2pn2.org!i2pn.org!eternal-september.org!reader01.eternal-september.org!.POSTED!not-for-mail
From: ank@spamfence.net (Andreas Kohlbach)
Newsgroups: comp.os.linux.misc
Subject: Re: Is It Time To Replace SSH ???
Date: Fri, 16 Dec 2022 21:24:46 -0500
Organization: A noiseless patient Spider
Lines: 22
Message-ID: <87mt7mwyvl.fsf@usenet.ankman.de>
References: <y-ycndVmEZmnWQf-nZ2dnZfqn_WdnZ2d@earthlink.com>
<tnfk1k$344am$3@dont-email.me> <87r0x0xmre.fsf@usenet.ankman.de>
<tnhd9l$3bglv$2@dont-email.me> <k02s5aFjp4fU2@mid.individual.net>
MIME-Version: 1.0
Content-Type: text/plain
Injection-Info: reader01.eternal-september.org; posting-host="417f9360dcbc0e0109603fae17cd0195";
logging-data="3673939"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18BaIyoxPnOrjCcufRsuJO4"
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
Cancel-Lock: sha1:E/ga9rS+z6Y6H8rbtp+XziXkiUs=
sha1:l44pOXVQgKFYz19vzg6s06HYTJA=
X-No-Archive: Yes
 by: Andreas Kohlbach - Sat, 17 Dec 2022 02:24 UTC

On Fri, 16 Dec 2022 10:30:17 +0100, Carlos E. R. wrote:
>
> On 16/12/2022 10.20, The Natural Philosopher wrote:
>
>> I've had open SSH for years on backbone hosted kit. everybody tries
>> to login as root.
>> I let them. Root is not allowed to log in.
>
> One idea would be to automatically block the IPs that try to login as
> root or other typical names used by bots.

Nah, don't. Have them have their fun. They don't know root won't get in,
and they waste their own resources. Although today it won't matter either.
But by not letting them know they cannot log in as root, they keep trying
instead of wandering off and trying other servers where they might be
successful.

> That's something a human operator would do.

I don't think so. Unless being DDoSed. But then you have to take a
completely different approach to mitigate the traffic.
--
Andreas
