Educause Security Discussion mailing list archives
Re: SSH dictionary attack dictionary
From: Brad Edmondson <brad.edmondson () GMAIL COM>
Date: Tue, 11 Aug 2009 00:35:14 -0400
Interesting project - how did you filter out off-by-one typos so that you couldn't deduce your legitimate users' passwords? Outside honeypots, it would seem difficult to collect even failed passwords and still retain the same level of trust from your users.

I second the endorsement of denyhosts; I use it in standalone mode, but it can also be configured to sync to a public list of brute-forcers run by the denyhosts project, or you can set up your own sitewide denyhosts service (e.g. 3 sitewide failures on root and you're banned). That can help you protect against distributed dictionary attacks, which are becoming increasingly common.

There is also fail2ban, which is a general brute banning daemon that has a plugin for ssh. IMHO denyhosts is better for protecting ssh, though fail2ban can help protect web apps or other public services (anything that can log failed logins by IP).

Regards,
Brad

On 2009-08-10, Patrick P Murphy <pmurphy () nrao edu> wrote:
> On Mon, 10 Aug 2009 15:57:49 -0700, Andrew Daviel <advax () TRIUMF CA> said:
>> Ever wondered what passwords those annoying SSH dictionary attacks were trying? At some point I modified sshd to collect failed passwords.
>
> Interesting. I've had chances to look at some similar logs here from time to time, and I've noticed some similar results.
>
>> I used to think these attempts were harmless given the throttling used by sshd, until we had a test server hit that was using "qazwsxedc".
>
> Ouch (for being hacked and for having a drag-fingers-across-keyboard password). We've all taken shortcuts at times with test servers though.
>
>> suggested mitigations include moving SSH off of port 22, dynamic blocking of guessing hosts (our approach), disabling password logins for root (but allowing keys), tunnelling everything through VPNs etc. etc.
>
> You didn't mention DenyHosts: http://denyhosts.sourceforge.net/ but it essentially fits the bill of your second suggestion. I've used it on a couple of servers here with good results. It catches an attempt or two almost daily.
>
> - Pat
> --
> Patrick P. Murphy, Ph.D. Webmaster (East), Computing Security Manager
> http://www.nrao.edu/~pmurphy/ http://chien-noir.com/maze.shtml
> "Inventions then cannot, in nature, be a subject of property." -- Thomas Jefferson, August 13, 1813
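The log-driven blocking both messages describe (DenyHosts, fail2ban, "dynamic blocking of guessing hosts", "3 failures on root and you're banned"), sketched as an added example that is not DenyHosts' or fail2ban's own code. It assumes OpenSSH's auth.log "Failed password" line format; the log lines, the window and the thresholds are constructed placeholders, and the IPs are from documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Added example, not DenyHosts or fail2ban code: count failed password logins per
# source IP inside a sliding time window, with a stricter limit for root, the way
# a log-driven banning daemon does. Matches the OpenSSH auth.log failure line.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
# Constructed sample log (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
Aug 10 15:57:01 host1 sshd[2211]: Failed password for root from 203.0.113.7 port 40122 ssh2
Aug 10 15:57:02 host1 sshd[2211]: Failed password for root from 203.0.113.7 port 40123 ssh2
Aug 10 15:57:03 host1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 40124 ssh2
Aug 10 15:57:04 host1 sshd[2215]: Failed password for root from 203.0.113.7 port 40125 ssh2
Aug 10 15:58:10 host1 sshd[2230]: Accepted publickey for alice from 198.51.100.4 port 51000 ssh2
Aug 10 15:58:20 host1 sshd[2240]: Failed password for alice from 198.51.100.4 port 51001 ssh2
Aug 10 16:30:00 host1 sshd[2300]: Failed password for alice from 198.51.100.4 port 51002 ssh2
"""

def parse_failure(line):
    """Return (timestamp, user, ip) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; a fixed one is enough for window arithmetic
    ts = datetime.strptime("2009 " + m.group("ts"), "%Y %b %d %H:%M:%S")
    return ts, m.group("user"), m.group("ip")

def hosts_to_ban(lines, window=600, threshold=5, root_threshold=3):
    """Map ip -> reason once failures inside `window` seconds reach a limit."""
    recent = defaultdict(deque)  # ip -> (timestamp, user) of recent failures
    banned = {}
    for line in lines:
        hit = parse_failure(line)
        if hit is None or hit[2] in banned:
            continue  # not a failure, or a source a real daemon already blocks
        ts, user, ip = hit
        q = recent[ip]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window:  # expire old entries
            q.popleft()
        root_fails = sum(1 for _, u in q if u == "root")
        if root_fails >= root_threshold:
            banned[ip] = "root"
        elif len(q) >= threshold:
            banned[ip] = "any"
    return banned
```

A typo-prone legitimate user with one slip every half hour (198.51.100.4 above) never reaches the window threshold, which is the tuning knob that keeps such a daemon from locking out your own staff.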