Educause Security Discussion mailing list archives

Re: SSH dictionary attack dictionary


From: Patrick P Murphy <pmurphy () NRAO EDU>
Date: Mon, 10 Aug 2009 22:37:43 -0400

On Mon, 10 Aug 2009 15:57:49 -0700, Andrew Daviel <advax () TRIUMF CA> said:

Ever wondered what passwords those annoying SSH dictionary attacks were
trying? At some point I modified sshd to collect failed passwords.

Interesting.  I've had chances to look at some similar logs here from
time to time, and I've noticed some similar results.

I used to think these attempts were harmless given the throttling used by
sshd, until we had a test server hit that was using "qazwsxedc".

Ouch (for being hacked and for having a drag-fingers-across-keyboard
password).  We've all taken shortcuts at times with test servers
though.

suggested mitigations include moving SSH off of port 22, dynamic blocking
of guessing hosts (our approach), disabling password logins for root
(but allowing keys), tunnelling everything through VPNs etc. etc.

You didn't mention DenyHosts: http://denyhosts.sourceforge.net/   but
it essentially fits the bill of your second suggestion.

I've used it on a couple of servers here with good results.  It catches
an attempt or two almost daily.

 - Pat

--
 Patrick P. Murphy, Ph.D.   Webmaster (East), Computing Security Manager
 http://www.nrao.edu/~pmurphy/          http://chien-noir.com/maze.shtml
 "Inventions then cannot, in nature, be a subject of property."
                                    -- Thomas Jefferson, August 13, 1813
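The "dynamic blocking of guessing hosts" mitigation discussed in this thread, shown as an added example (not code from the list, from DenyHosts, or from the NRAO setup): it counts sshd "Failed password" lines per source address, reports the usernames being guessed, and formats the offenders as hosts.deny entries. The log lines, hostname, addresses, the threshold of 5 and the allow-list are constructed assumptions.

```python
import re
from collections import Counter

# Matches OpenSSH failed-password lines in syslog format (sample constructed below).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log: one host cycling through common account names,
# plus a real user who mistyped a password once and then logged in with a key.
SAMPLE_LOG = """\
Aug 10 22:01:03 host sshd[4102]: Failed password for root from 203.0.113.5 port 44210 ssh2
Aug 10 22:01:04 host sshd[4104]: Failed password for invalid user admin from 203.0.113.5 port 44212 ssh2
Aug 10 22:01:05 host sshd[4106]: Failed password for invalid user test from 203.0.113.5 port 44214 ssh2
Aug 10 22:01:06 host sshd[4108]: Failed password for root from 203.0.113.5 port 44216 ssh2
Aug 10 22:01:07 host sshd[4110]: Failed password for invalid user oracle from 203.0.113.5 port 44218 ssh2
Aug 10 22:03:30 host sshd[4130]: Failed password for pmurphy from 198.51.100.7 port 51022 ssh2
Aug 10 22:03:41 host sshd[4131]: Accepted publickey for pmurphy from 198.51.100.7 port 51022 ssh2
"""


def parse_failures(log_text):
    """Return one (username, source_ip) pair per failed-password line."""
    pairs = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            pairs.append((m.group("user"), m.group("ip")))
    return pairs


def guessed_usernames(log_text):
    """Which account names the guessing hosts are trying (the thread's 'what are they trying')."""
    return Counter(user for user, _ in parse_failures(log_text))


def guessing_hosts(log_text, threshold=5, allow=frozenset()):
    """Source addresses with at least `threshold` failures, excluding an allow-list.

    The allow-list (assumed; e.g. management subnets) keeps a legitimate user's
    typos from locking out the network you administer from.
    """
    counts = Counter(ip for _, ip in parse_failures(log_text))
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in allow)


def hosts_deny_lines(ips):
    """Format blocked hosts as TCP-wrappers /etc/hosts.deny entries for sshd."""
    return ["sshd: %s" % ip for ip in ips]


if __name__ == "__main__":
    blocked = guessing_hosts(SAMPLE_LOG)
    print("guessed names:", dict(guessed_usernames(SAMPLE_LOG)))
    print("\n".join(hosts_deny_lines(blocked)))
```

With the sample above only 203.0.113.5 crosses the threshold; the single failure from 198.51.100.7 is left alone, which is the behaviour you want before wiring the output into hosts.deny or a firewall rule.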
