[Intrusions] SSH brute forcing attacks
Andrew Daviel
andrew at andrew.triumf.ca
Tue May 17 09:17:55 GMT 2005
FYI
A year or so ago we saw an SSH brute-forcing attack that seemed to
try test/test, guest/guest and a couple of others against machines.
And yes we had a machine set up for casual use with guest/guest ...
More recently we have seen more exhaustive dictionary attacks, with
multiple attempts against root and random names for unprivileged
accounts. Since the traffic is encrypted, and sshd does not log the
password, I don't know what was being tried (hacked version for honeypot
required ??)
I had not initially thought that this was a significant threat, since
sshd will not allow rapid retries and hopefully hundreds of thousands of
guesses would be required to hit a reasonably strong password.
However, this assumption may not be valid ... I think we have had maybe
3 machines compromised in this way, from attacks running for weeks or
months against hundreds of machines.
Since we have, generally speaking, a need for legitimate access for users
around the world from home, travelling or working at other institutions,
we allow SSH access to most non-sensitive machines.
However, in view of these attacks I have implemented a dynamic filter
via system-wide logging - multiple login failures across monitored
machines will result in the source being blocked.
--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
security at triumf.ca
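As an added illustration of the cross-host blocking idea described in the post above (this is example code written for this page, not Andrew's filter), the following Python script parses sshd "Failed password" syslog lines as they would be forwarded from several hosts to a central log host, counts failures per source address site-wide rather than per machine, and emits a firewall rule for any source over a threshold. The log lines are constructed for the example; the threshold of 3, the host names, the addresses and the use of iptables as the blocking mechanism are all assumptions, since the post does not specify them.

```python
import re
from collections import defaultdict

# Constructed sample of sshd syslog lines as they would arrive at a central
# log host (illustrative only; not real log data from the site in the post).
SAMPLE_LOG = """\
May 17 08:01:02 host1 sshd[2101]: Failed password for root from 203.0.113.5 port 40001 ssh2
May 17 08:01:04 host1 sshd[2101]: Failed password for invalid user test from 203.0.113.5 port 40002 ssh2
May 17 08:01:09 host2 sshd[3310]: Failed password for invalid user guest from 203.0.113.5 port 40003 ssh2
May 17 08:01:15 host3 sshd[4120]: Failed password for invalid user oracle from 203.0.113.5 port 40004 ssh2
May 17 08:02:00 host1 sshd[2102]: Failed password for alice from 198.51.100.7 port 50001 ssh2
May 17 08:02:30 host1 sshd[2103]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2
May 17 08:03:00 host2 sshd[3311]: Failed password for invalid user admin from 192.0.2.9 port 60001 ssh2
"""

# OpenSSH logs "Failed password for USER from SRC port N ssh2", with
# "invalid user " prepended when USER does not exist on that host.
FAILED_RE = re.compile(
    r"^\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(log_text):
    """Return a list of (host, user, src) tuples, one per failed password attempt."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures.append((m.group("host"), m.group("user"), m.group("src")))
    return failures


def summarize_by_source(failures):
    """Aggregate failures per source address across every monitored host."""
    summary = defaultdict(lambda: {"count": 0, "hosts": set(), "users": set()})
    for host, user, src in failures:
        entry = summary[src]
        entry["count"] += 1
        entry["hosts"].add(host)
        entry["users"].add(user)
    return dict(summary)


def sources_to_block(log_text, threshold=3):
    """Sources with at least `threshold` failures, counted site-wide.

    Counting across hosts is the point: an attacker spreading a handful of
    guesses over hundreds of machines may never trip a per-host limit.
    The threshold value is an assumption for this example.
    """
    summary = summarize_by_source(parse_failures(log_text))
    return {src: info for src, info in summary.items() if info["count"] >= threshold}


def block_command(src):
    """Firewall rule for a blocked source (iptables is an assumption here)."""
    return f"iptables -I INPUT -s {src} -p tcp --dport 22 -j DROP"


if __name__ == "__main__":
    for src, info in sources_to_block(SAMPLE_LOG).items():
        print(f"{src}: {info['count']} failures on {sorted(info['hosts'])}, "
              f"users tried {sorted(info['users'])}")
        print(block_command(src))
```

On the sample data only 203.0.113.5 is blocked: four failures spread over three hosts, with root and three non-existent usernames tried, which is the dictionary-attack pattern the post describes, while the single failure from 198.51.100.7 (followed by a successful key login) is left alone. In practice a filter like this needs a whitelist for known NAT gateways and an expiry on the blocks, otherwise one mistyped password from a shared campus address can lock out everyone behind it.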