[Nolug] ssh brute force password attacks and mitigation

From: Scott Harney <scotth_at_scottharney.com>
Date: Mon, 03 Jan 2005 13:19:44 -0600
Message-ID: <41D99AD0.8090004@scottharney.com>

Some of you running ssh on externally reachable hosts have probably noticed numerous
attempts in the past few months to log in to various accounts via ssh. This is
apparently a brute force automated attack trying well-known account names, weak
passwords, etc. One way to mitigate this is to make sure you're using strong
passwords and changing them with some regularity. But can you be sure all your
users are doing the same?

If you can, you probably should limit ssh access to specific hosts, but this
is often impossible and might not stop determined spoofing attacks. If you
can, you should probably limit ssh authentication to using RSA/DSA keys instead
of password-based login. See
http://marc.theaimsgroup.com/?l=openbsd-misc&m=110367957829708&w=2 for info.

You may still want to block attack attempts, though, and convince automated
attack scripts to stop trying. Some OpenBSD folks posted scripts to check
/var/log/authlog for attacks and add those IPs to a pf firewall filter table
dynamically. Not all of my machines with a reachable ssh are OpenBSD, but they
all run tcp wrappers. So I modified those same scripts to dynamically add
attack source IPs to /etc/hosts.deny. You can find my script at
http://www.scottharney.com/blog/2005/01/03#ssh_blocker_wrap-sh

-- 
Scott Harney <scotth@scottharney.com>
"Asking the wrong questions is the leading cause of wrong answers"
gpg key fingerprint=7125 0BD3 8EC4 08D7 321D CEE9 F024 7DA6 0BC7 94E5
___________________
Nolug mailing list
nolug@nolug.org
Received on 01/03/05
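The log-scanning-to-hosts.deny approach Scott describes, as an added example written for this archive page (it is not Scott's ssh_blocker_wrap script, and the sample authlog lines, the 192.0.2.0/24 and 198.51.100.0/24 addresses, and the THRESHOLD of 5 are all constructed for illustration):

```shell
#!/bin/sh
# Added example, not the script linked above: count sshd failures per
# source IP in authlog lines and emit tcp_wrappers entries for /etc/hosts.deny.
THRESHOLD=${THRESHOLD:-5}   # constructed cutoff; tune to your own traffic

# Constructed sample authlog lines (documentation address ranges only).
# Both the old "Illegal user" and the newer "Invalid user" wording appear.
SAMPLE_LOG='Jan  3 12:00:01 gw sshd[4112]: Failed password for root from 192.0.2.10 port 4021 ssh2
Jan  3 12:00:02 gw sshd[4113]: Invalid user admin from 192.0.2.10
Jan  3 12:00:02 gw sshd[4113]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2
Jan  3 12:00:03 gw sshd[4114]: Illegal user test from 192.0.2.10
Jan  3 12:00:03 gw sshd[4114]: Failed password for invalid user test from 192.0.2.10 port 4023 ssh2
Jan  3 12:00:05 gw sshd[4115]: Failed password for scott from 198.51.100.7 port 4100 ssh2
Jan  3 12:00:09 gw sshd[4116]: Accepted publickey for scott from 198.51.100.7 port 4101 ssh2'

# attackers [MIN]: read sshd log lines on stdin and print, one per line,
# each source IP with at least MIN (default $THRESHOLD) failed attempts.
attackers() {
    min=${1:-$THRESHOLD}
    awk -v min="$min" '
        /sshd\[[0-9]+\]: (Failed password for|Invalid user|Illegal user)/ {
            # the source address is the token after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) print ip }
    ' | sort
}

# deny_lines: format attacker IPs as tcp_wrappers rules for the sshd daemon.
deny_lines() {
    attackers | awk '{ print "sshd: " $1 }'
}

# add_to_hosts_deny FILE: append each rule unless FILE already has it,
# so the script can run from cron without duplicating entries.
add_to_hosts_deny() {
    file=$1
    deny_lines | while IFS= read -r line; do
        grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
    done
}

# Stand-alone demo: run against the constructed sample into a temp file.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && printf '%s\n' "$SAMPLE_LOG" | add_to_hosts_deny "$tmp" && cat "$tmp" && rm -f "$tmp"
fi
```

On a real host you would feed it `/var/log/authlog` (or `/var/log/auth.log`) and point it at `/etc/hosts.deny`; note that a legitimate user who mistypes a password a few times from one address will also cross the threshold, so keep the cutoff and a way to remove entries in mind.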

This archive was generated by hypermail 2.2.0 : 12/19/08 EST