[Intrusions] SSH brute forcing attacks
Meidinger Chris
chris.meidinger at badenit.de
Tue May 17 13:35:10 GMT 2005
Hi Andrew,
> More recently we have seen more exhaustive dictionary attacks, with
> multiple attempts against root and random names for unprivileged
> accounts.
A lot of sites have been getting this again recently.
> Since the traffic is encrypted, and sshd does not log the
> password, I don't know what was being tried (hacked version
> for honeypot required ??)
You can use the Sebek LKM to log that. Or, if you can afford (business-case)
to NAT all incoming SSH to a test machine, you can get it out of the strace
output from sshd. (attach strace to the running process with -p and grep
heavily)
> I had not initially thought that this was a significant threat, since
> sshd will not allow rapid retries and hopefully hundreds of
> thousands of guesses would be required to hit a reasonably strong password.
>
> However, this assumption may not be valid ... I think we have
> had maybe 3 machines compromised in this way, from attacks running for
> weeks or months against hundreds of machines.
>
> Since we have, generally speaking, a need for legitimate
> access for users around the world from home, travelling or working at
> other institutions, we allow SSH access to most non-sensitive machines.
> However, in view of these attacks I have implemented a dynamic filter
> via system-wide logging - multiple login failures across monitored
> machines will result in the source being blocked.
Good idea. Depending on what firewall you use, you can also throttle based on
source IP.
To defend against this stupid ssh brute-force -- which seems to have gotten
a lot of people thus far -- in the long term, I would recommend using a
shell server. Just make one machine accessible from the outside to serve
shells, and have your users hop from there to other machines. You can then
regularly audit passwords on that machine against lists the bots are using
as well as with djohn. Much easier/more secure than having multiple servers
with multiple versions of sshd from multiple vendors, each with its own
passwd.
Cheers,
Chris
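The dynamic filter and source-IP blocking discussed above, as an added example that is not part of the original post or either poster's own setup: it parses constructed OpenSSH "Failed password" syslog lines forwarded from several monitored hosts to one collector, counts failures per source across all of them within a sliding window, and emits iptables DROP rules (one firewall option among several) for sources that cross the threshold. Hostnames, IPs and the threshold/window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines in OpenSSH's "Failed password" format,
# as forwarded from several monitored hosts (web1, db2, mail) to one log server.
SAMPLE_LOG = """\
May 17 13:01:02 web1 sshd[2011]: Failed password for root from 198.51.100.7 port 40211 ssh2
May 17 13:01:05 web1 sshd[2011]: Failed password for invalid user admin from 198.51.100.7 port 40219 ssh2
May 17 13:01:09 db2 sshd[517]: Failed password for invalid user test from 198.51.100.7 port 40230 ssh2
May 17 13:01:15 mail sshd[9902]: Failed password for root from 198.51.100.7 port 40244 ssh2
May 17 13:02:40 web1 sshd[2013]: Failed password for alice from 203.0.113.5 port 51001 ssh2
May 17 13:03:01 web1 sshd[2014]: Accepted password for alice from 203.0.113.5 port 51002 ssh2
May 17 13:30:00 db2 sshd[520]: Failed password for root from 198.51.100.7 port 40300 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)

def parse_failures(log_text, year=2005):
    """Yield (timestamp, host, user, source_ip) for every failed sshd login."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:  # syslog lines carry no year, so one is supplied here
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"], m["user"], m["ip"]

def sources_to_block(log_text, threshold=3, window=timedelta(minutes=10)):
    """Map source IP -> sorted list of hosts hit, for sources with at least
    `threshold` failures inside any `window`, counted across all hosts."""
    by_ip = defaultdict(list)
    for ts, host, _user, ip in sorted(parse_failures(log_text)):
        by_ip[ip].append((ts, host))
    blocked = {}
    for ip, hits in by_ip.items():  # hits are time-ordered per source
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide window
                start += 1
            if end - start + 1 >= threshold:
                blocked[ip] = sorted({h for _t, h in hits[start:end + 1]})
                break
    return blocked

def block_rules(blocked):
    """Render one iptables rule per offending source (Linux netfilter shown)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in sorted(blocked)]
```

Note that the single failure from 203.0.113.5 followed by an accepted login stays below the threshold, which is the point of counting rather than blocking on the first failure.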