Educause Security Discussion mailing list archives
Re: Ongoing distributed Linux SSH dictionary attack
From: Andrew Daviel <advax () TRIUMF CA>
Date: Sat, 18 Apr 2009 12:13:01 -0700
On Sat, 18 Apr 2009, Nick Semenkovich wrote:
> (I don't know about sshdfilter, which hasn't been updated since 2007 and isn't in any distros ...)
> The industry standard is DenyHosts: http://denyhosts.sourceforge.net/
> It's a very well supported package (in the main Debian repo, etc.): http://packages.debian.org/lenny/denyhosts
> It's incredibly flexible, sends to syslog, and has a blocking database (for free!) so your clients can automatically submit/retrieve hosts involved in brute force attacks.
I looked at that at some point. As I recall, it runs out of cron and updates /etc/hosts.deny. I abandoned that approach some years ago for a script which continually monitors /var/log/secure on a central loghost and updates iptables on our gateway. That way it can respond within a few seconds instead of many minutes, and the traffic is kept off our network entirely. That worked well enough to block a single host scanning across our network, but does nothing for hundreds of hosts scanning one or two machines.

I found http://danger.rulez.sk/projects/bruteforceblocker which is doing the same thing on a per-host basis but with a community blocklist, for either Linux iptables or FreeBSD pf. Looking at their stats at http://danger.rulez.sk/projects/bruteforceblocker/blist.php compared to http://stats.denyhosts.net/stats.html they are blocking an order of magnitude more than denyhosts. Of 500 hosts attacking one of ours, they list 480.

I have some concerns about the resistance of the community blocklist to spoofing and DoS, but I was considering updating my tool to use it. The somewhat similar antispam tool Razor uses a client rating scheme and update keys to guard against abuse.

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager
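A minimal version of the loghost-watching approach described in the message above, as an added example (not Andrew's script and not part of the original post): it parses the "Failed password" lines sshd writes to /var/log/secure, returns an iptables drop rule the first time a source passes a threshold inside a sliding window, and separately flags the distributed case (many sources, one attempt each) that per-source blocking misses. The threshold, window and source-count values, the timestamps and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
# Matches the "Failed password" line OpenSSH writes to /var/log/secure.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?"
                       r"(\S+) from (\d{1,3}(?:\.\d{1,3}){3}) port \d+")

def parse_failed_login(line):
    """Return (user, source_ip) for a failed-password line, else None."""
    m = FAILED_RE.search(line)
    return (m.group(1), m.group(2)) if m else None

class BruteForceTracker:
    """Per-source sliding-window failure count; 'now' is epoch seconds from the caller."""
    def __init__(self, threshold=5, window=60, distributed_sources=20):
        self.threshold, self.window = threshold, window
        self.distributed_sources = distributed_sources
        self.events = defaultdict(deque)   # ip -> recent failure times
        self.blocked = set()
    def _prune(self, q, now):
        while q and now - q[0] > self.window:
            q.popleft()
    def observe(self, line, now):
        # Returns an iptables rule the first time a source crosses the threshold.
        parsed = parse_failed_login(line)
        if parsed is None:
            return None
        ip = parsed[1]
        q = self.events[ip]
        q.append(now)
        self._prune(q, now)
        if len(q) >= self.threshold and ip not in self.blocked:
            self.blocked.add(ip)
            return f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"
        return None

    def distributed_attack(self, now):
        # True when many distinct sources failed inside the window: the case
        # per-source blocking cannot stop (many hosts, one try each).
        for q in self.events.values():
            self._prune(q, now)
        return sum(1 for q in self.events.values() if q) >= self.distributed_sources

def run():
    """Constructed sample: one noisy source, then 25 sources trying once each."""
    fmt = "Apr 18 12:00:00 gw sshd[4242]: Failed password for %s from %s port %d ssh2"
    sample = [(t, fmt % ("invalid user admin", "203.0.113.7", 40000 + t)) for t in range(5)]
    sample += [(10 + i, fmt % ("root", "198.51.100.%d" % i, 50000 + i)) for i in range(25)]
    tr = BruteForceTracker()
    rules = [r for t, line in sample if (r := tr.observe(line, t))]
    return rules, tr.distributed_attack(now=40)
```

The rule string is only returned, not executed; a real deployment would apply it on the gateway and expire it after a set time.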