I regularly get attempts to hack into my SSH server. Usually from things like Asterisk boxes with default passwords. I did notice a bit of an increase recently, couldn't say when though.

Anyway, should the world consider using randomized default passwords? I'm sure it would all but end this kind of attack.

""After all, all those forums posts claiming 'It wouldn't have happened if you'd used Linux (snigger)' can't be wrong can they?""

Of course it is possible, guess a username/password and you can get in. Just as if you leave your front door key under the mat it does not matter how good a lock you have.

You misunderstand why Linux is more secure than M$ systems, but that does not mean that it is absolutely secure.

The more complex a password the more likely a user or admin is to leave them left lying around.

Sure you may be some uber geek who can remember 120 complex 15 digit random passwords for breakfast but back in the real world :)

I realise you probably won't read this, as your comment means you basically can't have read any arguments as to why Linux is generally considered more secure, but occasionally these things are just annoying enough to answer.

Firstly, please point at the authoritative person/website who says that Linux is "unhackable". OK, good, no-one with any clue would ever actually say that. So it is possible to hack Linux, and your "point" is rendered null and void.

Secondly, take the time to look at how *easy* it is to hack Linux compared to Windows. Hint: it's generally a lot harder. This doesn't mean that attacks can't get through, it just means they have to be much more sophisticated, or brute force (case in point: the method the attack the article's describing uses).

Thirdly, have a look at how long it takes patches to come out for Linux vs Windows. Generally any Linux vulnerability is only there for a short amount of time, for systems which are fully patched.

If someone says "it wouldn't have happened if you'd used Linux", they may well be right, and right lots and lots of times (once for each of Windows' many, many monotarget and software combination vulnerabilities) but they are never saying that Linux is unhackable. Linux can be (and is) far and away more secure than Windows without being 100% secure. And that's possibly the biggest indictment of Windows' security of all.

.. in addition to not permitting root logins obviously 8-)

There is really no need for login passwords on SSH anymore, so turn off normal password authentication and only use RSA keys.

What are you talking about, you idiot?

Sorry customers, you can only log on from preregistered IP addresses. What do you mean you've got a dynamic IP? You use different clients depending where you're working? These aren't my problems, but please keep paying anyway.

Cretin.

Anyone with a basic knowledge of security knows not to rely on a single layer of protection. Handy as DenyHosts is, it won't protect you completely. For ssh on my internet exposed linux server I:

1)run on a non-standard port

2)run DenyHosts, with blacklist sharing

3)run PortSentry on the standard ssh port (and many others)

4)Disable ssh login for all but one user that is completely unprivileged and with a non-standard user name.

That's in addition to security measures that don't relate directly to ssh protection.

Bollocks. And utterly irrelevant bollocks at that. Since the attacks in question rely on remote attempts to guess obvious login/password tuples, they provide no evidence whatsoever regarding the risk analysis of complex password usage.

Using complex passwords and writing them down shifts the majority of risk from remote to local actors. How often do you lose your wallet, watch, mobile phone or other important physical object that you habitually carry around with you ? Not all that often.

A complex password written down on a piece of paper in your wallet offers far higher security against remote actors than a simple one, and as for local actors, it's as safe from them as the other contents of your wallet*

Even if people do leave such passwords lying around, the threat remains local, and would be the same for any security token or any kind of password. In this case the problem is not the token, but the careless attitude of the user.

If you honestly believe that simple passwords which are not written down anywhere provide better security, then you have obviously never spent any time playing with an encrypted password file and a dictionary attack tool.

*And of course, you write them down twice and stash the back up copy in your lock box at home, the same as you keep a list of your credit card numbers in case your wallet is stolen so that you can cancel them as soon as you realise you are no longer in possession. And only keep (e.g) your online banking ones at home in the lock box, so as not to compromise them if your wallet goes on holiday without you.

See, it's quite easy to mange the risk.

I have no interest in security of any OS. Couldn't given a tuppence. I'm a blind and dumb user. So there. I merely get annoyed at self-righteousness, which is an ugly trait and should be beaten out of people. It is something many of the linux posters on "Non-linux bad security threads" seem to have in abundance.....

what sort of idiot looks after a server ANY server for that matter and has to worry about any kind of dictionary/brute force attempt.

Why are you not using strong password? passwords for my servers are 30+ chars long chances of those being brute forced by any botnet with the next 5 years are pretty slim.

>root

>register

>root

>regista

>root

>rejistar

You're much better off using key based authentication, its seamless, easier to use, and much more secure.

PermitRootLogin should be off too,

I never understood why people leave the ssh port open. Close it, and implement knock, or something stronger.

If you have NO ssh ports open, you will get NO brute force attacks.

I got tired of checking my logs for brute force attacks. Now they are zero. I can get in with a simple knock, and ssh into a non-standard port.