[Intrusions] SSH brute forcing attacks
Earnhart, Benjamin J
benjamin-earnhart at uiowa.edu
Tue May 17 14:12:58 GMT 2005
That dynamic filter sounds pretty cool, and might be just what is needed
in many environments. Is it managed on the servers or at the border?
For small-scale, one-server type situations, I think that simply moving
the port is the simplest approach. But for multi-server, large-scale
stuff, moving the port doesn't work so well, so dynamically blocking by
IP address sounds like a really good idea. Seems like a good idea
regarding a whole lot of scanning attempts, and I've always wondered why
it's not implemented much (At least that I've heard of).
On a semi-related quibble I've had -- do people still make distinctions
between "brute force" and "dictionary" attacks? As the size of a
dictionary approaches infinity, it becomes a brute force approach, but
at least in any reasonable situation, seems like an important
distinction to be maintained. But in so many conversations regarding
"brute forcing SSH servers," I'd say they actually meant "dictionary
attacks against SSH servers." Once a bad guy gets in, he may attempt to
locally brute force some keys or something, but to truly brute force
anything via a network just doesn't seem efficient to me. You seem to
go back and forth between the two, and just wondering if I'm being too
much of a stickler for maintaining the distinction, or if they really
have the time and resources to search the entire keyspace.
*==========================================;
*Ben Earnhart
*Computer Consultant and
*ICPSR Representative
*Department of Sociology and
*College of Liberal Arts
*University of Iowa
*(319) 335-2887
*benjamin-earnhart at uiowa.edu
*==========================================;
> -----Original Message-----
> From: intrusions-bounces at lists.sans.org
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Andrew Daviel
> Sent: Tuesday, May 17, 2005 4:18 AM
> To: intrusions at incidents.org
> Subject: [Intrusions] SSH brute forcing attacks
>
>
> FYI
>
> A year or so ago we saw an SSH brute-forcing attack that
> seemed to try test/test, guest/guest and a couple of others
> against machines.
> And yes we had a machine set up for casual use with guest/guest ...
>
> More recently we have seen more exhaustive dictionary
> attacks, with multiple attempts against root and random names
> for unprivileged accounts. Since the traffic is encrypted,
> and sshd does not log the password, I don't know what was
> being tried (hacked version for honeypot required ??)
>
> I had not initially thought that this was a significant
> threat, since sshd will not allow rapid retries and hopefully
> hundreds of thousands of guesses would be required to hit a
> reasonably strong password.
>
> However, this assumption may not be valid ... I think we have
> had maybe
> 3 machines compromised in this way, from attacks running for
> weeks or months against hundreds of machines.
>
> Since we have, generally speaking, a need for legitimate
> access for users around the world from home, travelling or
> working at other institutions we allow SSH access to most
> non-sensitive machines.
> However, in view of these attacks I have implemented a
> dynamic filter via system-wide logging - multiple login
> failures across monitored machines will result in the source
> being blocked.
>
> --
> Andrew Daviel, TRIUMF, Canada
> Tel. +1 (604) 222-7376 (Pacific Time)
> security at triumf.ca
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
>
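The dynamic filter Andrew describes (aggregate sshd failures from every monitored host, block a source once it crosses a threshold) and Ben's dictionary-versus-brute-force point can both be made concrete with a small log aggregator. The block below is an added example, not code from either poster or from TRIUMF; it parses constructed OpenSSH syslog lines, counts failures per source address in a sliding time window across all hosts, and reports which usernames were tried (a short list of account names such as root, test and guest is the signature of a dictionary run, not a keyspace search). The sample log lines, the 2005 year assumed for the year-less syslog timestamps, the threshold and the window are all constructed values.

```python
"""Cross-host SSH login-failure aggregator (added example, not the list poster's code)."""
import re
from collections import defaultdict
from datetime import datetime

# Matches the standard OpenSSH "Failed password" line. Classic syslog
# timestamps carry no year, so one is assumed when parsing (ASSUMED_YEAR).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)
ASSUMED_YEAR = 2005

# Constructed sample: one source running a username dictionary against two
# hosts, plus a legitimate user mistyping a password twice before a key login.
SAMPLE_LOG = """\
May 17 04:18:01 host1 sshd[2201]: Failed password for invalid user test from 203.0.113.7 port 40522 ssh2
May 17 04:18:04 host1 sshd[2203]: Failed password for invalid user guest from 203.0.113.7 port 40530 ssh2
May 17 04:18:09 host2 sshd[8810]: Failed password for root from 203.0.113.7 port 40541 ssh2
May 17 04:18:15 host2 sshd[8812]: Failed password for invalid user oracle from 203.0.113.7 port 40552 ssh2
May 17 04:18:22 host1 sshd[2209]: Failed password for root from 203.0.113.7 port 40560 ssh2
May 17 04:19:40 host1 sshd[2250]: Failed password for alice from 198.51.100.22 port 51012 ssh2
May 17 04:19:47 host1 sshd[2250]: Failed password for alice from 198.51.100.22 port 51012 ssh2
May 17 04:19:55 host1 sshd[2250]: Accepted publickey for alice from 198.51.100.22 port 51012 ssh2
"""


def parse_failures(text):
    """Return (time, host, user, src) tuples for every failed-password line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = re.sub(r"\s+", " ", m.group("ts"))
        when = datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
        events.append((when, m.group("host"), m.group("user"), m.group("src")))
    return events


def sources_to_block(events, threshold=5, window_seconds=600):
    """Flag sources with >= threshold failures inside any window, summed over all hosts.

    Returns {src: {"hosts": set, "users": set, "failures": int}} so the
    operator can see how many machines were touched and which account
    names were guessed before deciding to block.
    """
    by_src = defaultdict(list)
    for when, host, user, src in events:
        by_src[src].append((when, host, user))

    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits within window_seconds
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = {
                    "hosts": {h for _, h, _ in evs},
                    "users": {u for _, _, u in evs},
                    "failures": len(evs),
                }
                break
    return flagged


def analyze(text=SAMPLE_LOG, threshold=5, window_seconds=600):
    """Parse the log text and return the sources that crossed the threshold."""
    return sources_to_block(parse_failures(text), threshold, window_seconds)


if __name__ == "__main__":
    for src, info in analyze().items():
        print(f"block {src}: {info['failures']} failures on {len(info['hosts'])} hosts, "
              f"usernames tried: {sorted(info['users'])}")
```

Summing failures across hosts is what makes the filter work where per-host limits do not: a source that tries one guess per machine against hundreds of machines never trips sshd's own retry limit on any of them, but its aggregate count crosses the threshold quickly. The threshold and window should be set so that a legitimate user's handful of typos (the 198.51.100.22 lines above) stays below the line.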