[Nolug] Re: [brlug-general] ssh brute force password attacks and mitigation

From: Scott Harney <scotth_at_scottharney.com>
Date: Mon, 03 Jan 2005 13:28:59 -0600
Message-ID: <41D99CFB.8050801@scottharney.com>

Scott Harney wrote:

Pardon my incredibly sloppy English. Trying to do too many things at once.

> Some of you running ssh on externally reachable hosts have probably noticed
> numerous attempts in the past few months to log in to various accounts
> via ssh. This is apparently a brute force automated attack trying
> well-known account names, weak passwords, etc. One way to mitigate this
> is to make sure you're using strong passwords and changing them with
> some regularity. But can you be sure all your users are doing the same?
>
> If you can, you probably should limit ssh access to specific hosts,
> but this is often impossible and might not stop determined spoofing
> attacks. If you can, you should probably limit ssh authentication to
> using RSA/DSA keys instead of password-based login. See
> http://marc.theaimsgroup.com/?l=openbsd-misc&m=110367957829708&w=2 for
> info.
>
> You may still want to block attack attempts, though, and convince
> automated attack scripts to stop trying. Some OpenBSD folks posted
> scripts to check /var/log/authlog for attacks and add those IPs to a pf
> firewall filter table dynamically. Not all of my machines with a
> reachable ssh are OpenBSD but they all run tcp wrappers. So I modified
> those same scripts to dynamically add attack source IPs to
> /etc/hosts.deny . You can find my script at
> http://www.scottharney.com/blog/2005/01/03#ssh_blocker_wrap-sh
>
>

-- 
Scott Harney <scotth@scottharney.com>
"Asking the wrong questions is the leading cause of wrong answers"
gpg key fingerprint=7125 0BD3 8EC4 08D7 321D CEE9 F024 7DA6 0BC7 94E5
___________________
Nolug mailing list
nolug@nolug.org
Received on 01/03/05
