Educause Security Discussion mailing list archives

Re: SSH dictionary attack dictionary


From: Brad Edmondson <brad.edmondson () GMAIL COM>
Date: Tue, 11 Aug 2009 00:35:14 -0400

Interesting project - how did you filter out off-by-one typos so that
you couldn't deduce your legitimate users' passwords?  Outside
honeypots, it would seem difficult to collect even failed passwords
and still retain the same level of trust from your users.

I second the endorsement of denyhosts; I use it in standalone mode but
it can also be configured to sync to a public list of brute-forcers
run by the denyhosts project or you can set up your own sitewide
denyhosts service (e.g. 3 sitewide failures on root and you're
banned).  That can help you protect against distributed dictionary
attacks, which are becoming increasingly common.

There is also fail2ban, which is a general brute banning daemon that
has a plugin for ssh.  IMHO denyhosts is better for protecting ssh,
though fail2ban can help protect web apps or other public services
(anything that can log failed logins by IP).

Regards,
Brad

On 2009-08-10, Patrick P Murphy <pmurphy () nrao edu> wrote:
> On Mon, 10 Aug 2009 15:57:49 -0700, Andrew Daviel <advax () TRIUMF CA> said:
>
> > Ever wondered what passwords those annoying SSH dictionary attacks were
> > trying? At some point I modified sshd to collect failed passwords.
>
> Interesting.  I've had chances to look at some similar logs here from
> time to time, and I've noticed some similar results.
>
> > I used to think these attempts were harmless given the throttling used by
> > sshd, until we had a test server hit that was using "qazwsxedc".
>
> Ouch (for being hacked and for having a drag-fingers-across-keyboard
> password).  We've all taken shortcuts at times with test servers
> though.
>
> > suggested mitigations include moving SSH off of port 22, dynamic blocking
> > of guessing hosts (our approach), disabling password logins for root
> > (but allowing keys), tunnelling everything through VPNs etc. etc.
>
> You didn't mention DenyHosts: http://denyhosts.sourceforge.net/   but
> it essentially fits the bill of your second suggestion.
>
> I've used it on a couple of servers here with good results.  It catches
> an attempt or two almost daily.
>
>  - Pat
>
> --
>  Patrick P. Murphy, Ph.D.   Webmaster (East), Computing Security Manager
>  http://www.nrao.edu/~pmurphy/          http://chien-noir.com/maze.shtml
>  "Inventions then cannot, in nature, be a subject of property."
>                                     -- Thomas Jefferson, August 13, 1813
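As an added example that is not from the original thread and not code from the denyhosts or fail2ban projects, here is a small Python sketch of the ban logic both tools apply to sshd auth logs: standalone per-host counting (ban an IP after N failures on one box) next to the sitewide "3 failures on root and you're banned" aggregation Brad describes, which is what catches an attacker who spreads one guess per host. The log lines, hostnames, IP addresses and thresholds below are constructed for the example; the output format mimics the tcp_wrappers /etc/hosts.deny entries denyhosts writes.

```python
"""denyhosts/fail2ban-style ban decisions over sshd "Failed password" lines.

Added example, not denyhosts or fail2ban code.  SAMPLE_LOG is constructed
to look like OpenSSH entries from three syslog hosts; the thresholds are
illustrative assumptions, not the defaults of either tool.
"""
import re
from collections import defaultdict

# OpenSSH failed-password line as seen in /var/log/auth.log or /var/log/secure.
# "invalid user" is present when the account does not exist on the host.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample: 203.0.113.7 makes ONE root guess on each of three hosts
# (distributed attack), 198.51.100.9 hammers one host, 192.0.2.5 is a
# legitimate user who mistyped once and then logged in.
SAMPLE_LOG = """\
Aug 10 15:57:01 alpha sshd[2201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Aug 10 15:57:03 beta sshd[918]: Failed password for root from 203.0.113.7 port 40130 ssh2
Aug 10 15:57:05 gamma sshd[3310]: Failed password for root from 203.0.113.7 port 40141 ssh2
Aug 10 15:58:10 alpha sshd[2210]: Failed password for invalid user admin from 198.51.100.9 port 51000 ssh2
Aug 10 15:58:11 alpha sshd[2211]: Failed password for invalid user test from 198.51.100.9 port 51001 ssh2
Aug 10 15:58:12 alpha sshd[2212]: Failed password for invalid user oracle from 198.51.100.9 port 51002 ssh2
Aug 10 15:58:13 alpha sshd[2213]: Failed password for invalid user guest from 198.51.100.9 port 51003 ssh2
Aug 10 15:58:14 alpha sshd[2214]: Failed password for root from 198.51.100.9 port 51004 ssh2
Aug 10 16:02:30 beta sshd[930]: Failed password for pmurphy from 192.0.2.5 port 33000 ssh2
Aug 10 16:02:31 beta sshd[930]: Accepted password for pmurphy from 192.0.2.5 port 33000 ssh2
""".splitlines()


def parse_failures(lines):
    """Yield (host, user, ip) for each failed-password line; ignore everything else."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield m.group("host"), m.group("user"), m.group("ip")


def compute_bans(lines, per_host_limit=5, root_sitewide_limit=3):
    """Return (per_host_bans, sitewide_bans).

    per_host_bans: {host: {ip, ...}} -- standalone mode: an IP is banned on a
        host once it has per_host_limit failures against any account there.
    sitewide_bans: {ip, ...} -- IPs whose failures against root, summed over
        every host's log, reach root_sitewide_limit.  This is the only view
        that sees a one-guess-per-host attacker.
    """
    per_host = defaultdict(lambda: defaultdict(int))  # host -> ip -> failures
    root_sitewide = defaultdict(int)                   # ip -> root failures, all hosts
    for host, user, ip in parse_failures(lines):
        per_host[host][ip] += 1
        if user == "root":
            root_sitewide[ip] += 1

    per_host_bans = {}
    for host, counts in per_host.items():
        banned = {ip for ip, n in counts.items() if n >= per_host_limit}
        if banned:
            per_host_bans[host] = banned
    sitewide_bans = {ip for ip, n in root_sitewide.items() if n >= root_sitewide_limit}
    return per_host_bans, sitewide_bans


def hosts_deny_entries(ips):
    """Render banned IPs as tcp_wrappers lines for /etc/hosts.deny, sorted for stable diffs."""
    return sorted(f"sshd: {ip}" for ip in ips)


if __name__ == "__main__":
    per_host, sitewide = compute_bans(SAMPLE_LOG)
    print("per-host bans:", per_host)          # only alpha bans 198.51.100.9
    print("sitewide root bans:", sitewide)     # 203.0.113.7, invisible to any single host
    print("\n".join(hosts_deny_entries(sitewide | set().union(*per_host.values()))))
```

With these thresholds the single-host view bans only 198.51.100.9 on alpha; 203.0.113.7 never trips a per-host limit and shows up only when root failures are summed across hosts, which is the argument for the sitewide mode. Note that the legitimate typo from 192.0.2.5 is far below either limit, and that a real deployment would also expire counts after a window rather than accumulate them forever.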
