I've noticed an uptick in brute-force SSH attack attempts on non-standard ports on our network. What do you think could be behind this, and how should I go about securing those ports?
When you see an uptick in any type of attack, this could be an indicator that attackers sense vulnerability in a certain area. In this particular instance, some pockets of the IT world utilize non-standard ports for SSH access with the idea that attackers can be fooled by TCP port 22 being closed. I’ve never considered obscurity to be a viable security measure, so if your organization is employing this SSH attack prevention strategy, I would suggest reassessing whether it is actually working.
However, if you feel strongly about pressing ahead with this SSH attack prevention method, I would suggest configuring your firewall and/or intrusion detection system to trigger an alarm whenever an unusually large number of login attempts is detected. As this information changes from network to network, you will have to determine the threshold based on your specific network metrics. Also make sure you have a strict lockout policy when a certain number of failed login attempts is reached.
When it comes to SSH attack prevention, always check your logs. If your organization is like most, it probably maintains some sort of scripting mechanism that parses through the logs looking for anomalies, fail2ban for example. However, nothing is quite as effective as human intuition. Pay particular attention to the non-standard ports you've authorized for SSH access, and use common sense when monitoring their activity.
Related Q&A from Brad Casey