[Intrusions] Locking down SSH, dictionary attacks

marc towers mtowers at linuxmail.org
Sat Mar 11 18:24:19 GMT 2006 

Sorry I'm still half asleep, didn't notice you said "and any
source going over a couple dozen failures across site is firewalled"

I guess other then what you have already advised would be portknocking.  Though I admit is a rather paranoid solution :)

Better get back to brewing some coffee.

Marc Towers 
> ----- Original Message -----
> From: "Andrew Daviel" <andrew at andrew.triumf.ca>
> To: intrusions at incidents.org
> Subject: [Intrusions] Locking down SSH, dictionary attacks
> Date: Fri, 10 Mar 2006 12:33:11 -0800 (PST)
> 
> 
> 
> 
> FYI - just got zapped by one of those SSH exhaustion scanners (again)
> 1st generation - try 4 accounts e.g. guest/guest against everyone
> 2nd generation - multiple passwords but slow, doesn't show above noise on
>    individual syslogs
> 3rd generation - who cares, let's blast! 230 tries in 3 minutes
> 
> To combat 2nd gen I poll multiple syslogs several times an hour, and any
> source going over a couple dozen failures across site is firewalled.
> 3rd gen got lucky before it was blocked a few minutes later
> 
> 
> So, I'm wondering how to lock down SSH a bit more (on Linux, maybe
> Solaris, MacOS).
> On critical machines with few users, I have disabled password logins -
> keys only, and maybe only listen to certain addresses. And on one
> standalone machine I have set norootlogin.
> 
> But what to do with multiuser machines ? Users are likely to revolt if
> told they have to generate keypairs everywhere. (We have been reluctant
> to get into Kerberos, and besides I'm not sure without some research
> whether it would help. Ditto PAM-based stuff)
> What I'd like to do is have different authentication requirements for
> root and for user accounts (other than "no root at all")
> 
> e.g.
> 
> root:
> - must use keys, not password
> - must connect from 10.4.0.0
> user A:
> - can use keys or password
> - can connect from anywhere
> users B,C:
> - can connect from anywhere with keys
> - can connect from 10.4.0.0 with passwords
> 
> ... OK, have just RTFM  :-)
> and have now set "PermitRootLogin without-password"
> which does the most important thing
> 
> 
> ... just checked my home logs .. darn scanners have 2000 attempts
> there, too - so I've just installed my 2nd gen blocking script
> as well as fixing root
> 
> Guess if I really want address-based filtering I could run a second
> server on a different port with different config options, but this
> is probably OK for now ...
> 
> (if anyone wants my blocking script - simple perl thing using iptables -
> mail me. 3rd gen blocking will probably get written, monitoring "tail -f
> /var/log/secure" ... should probably add check for success from scanning
> source, too)
> 
> --
> Andrew Daviel, TRIUMF, Canada
> Tel. +1 (604) 222-7376  (Pacific Time)
> security at triumf.ca
> 
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions

>


-- 
_______________________________________________
Check out the latest SMS services @ http://www.linuxmail.org
This allows you to send and receive SMS through your mailbox.

Powered by Outblaze

More information about the Intrusions mailing list