Educause Security Discussion mailing list archives

Re: significant incoming SSH volume


From: "Miller, Don C." <donm () UIDAHO EDU>
Date: Thu, 18 Mar 2010 11:04:56 -0700

At the University of Idaho we do the same thing as Michael mentions,
although we are using fail2ban (a while ago we were using the tcp
wrappers denyhosts app).  Fail2ban uses iptables with the benefit of
notifying admins via email.  It can also use apache error logs.

Don Miller

University of Idaho

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Michael Horne
Sent: Tuesday, March 16, 2010 1:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] significant incoming SSH volume


All,

We have a single SSH gateway for all inbound ssh traffic to the college.
Single point of access and control for all inbound service.

We have also deployed sshdfilter on the server, and it has worked
great for us to date.

Brute force attacks get routed to /dev/null after x amount of failed
attempts, configurable to your liking.

A google search will bring up the source. It is a bit dated and requires
updating when newer versions of SSH are deployed, but it mitigates a ton
of headaches.

Michael Horne

Network Engineer

Franklin W Olin College of Engineering

Olin Way, Needham, MA 02492

Phone  1-781-292-2438
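Don's fail2ban and Michael's sshdfilter both do the same thing underneath: count failed logins per source address in the sshd log and block the address once it passes a configurable threshold. The script below is an added example, not code from fail2ban, sshdfilter, or any of the posters; it reimplements that logic over constructed sample auth-log lines (the addresses are documentation ranges, the year is assumed because syslog timestamps carry none), using fail2ban-style `maxretry` and `findtime` parameters, and renders the iptables rules an admin would apply rather than running them.

```python
import re
from collections import defaultdict, Counter
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog format, no year); not real traffic.
SAMPLE_LOG = """\
Mar 16 13:01:02 gw sshd[2201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar 16 13:01:04 gw sshd[2203]: Failed password for root from 203.0.113.7 port 40130 ssh2
Mar 16 13:01:05 gw sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 40141 ssh2
Mar 16 13:01:09 gw sshd[2210]: Failed password for root from 203.0.113.7 port 40150 ssh2
Mar 16 13:01:12 gw sshd[2214]: Failed password for root from 203.0.113.7 port 40166 ssh2
Mar 16 13:02:30 gw sshd[2220]: Failed password for jsmith from 198.51.100.20 port 51002 ssh2
Mar 16 13:02:45 gw sshd[2222]: Accepted publickey for jsmith from 198.51.100.20 port 51010 ssh2
Mar 16 13:20:00 gw sshd[2300]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar 16 13:40:00 gw sshd[2301]: Failed password for root from 192.0.2.9 port 33002 ssh2
Mar 16 14:00:00 gw sshd[2302]: Failed password for root from 192.0.2.9 port 33003 ssh2
Mar 16 14:20:00 gw sshd[2303]: Failed password for root from 192.0.2.9 port 33004 ssh2
Mar 16 14:40:00 gw sshd[2304]: Failed password for root from 192.0.2.9 port 33005 ssh2
"""

# Matches the OpenSSH "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2010):
    """Return a list of (timestamp, user, ip) for every failed-password line.
    Syslog timestamps carry no year, so one is supplied (assumed 2010 here)."""
    found = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and other sshd messages are not failures
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        found.append((ts, m["user"], m["ip"]))
    return found


def targeted_accounts(log_text):
    """Per source IP, how many failures hit each account name (root vs. others)."""
    per_ip = defaultdict(Counter)
    for _ts, user, ip in parse_failures(log_text):
        per_ip[ip][user] += 1
    return per_ip


def offenders(log_text, maxretry=5, findtime_minutes=10):
    """Return {ip: time_of_ban} for every IP that accumulates `maxretry`
    failures inside a sliding window of `findtime_minutes` (the fail2ban
    maxretry/findtime idea, reimplemented here; not fail2ban's own code)."""
    window = timedelta(minutes=findtime_minutes)
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    banned = {}
    for ts, _user, ip in sorted(parse_failures(log_text)):
        if ip in banned:
            continue              # already decided; later lines change nothing
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:
            hits.pop(0)           # age out failures older than findtime
        if len(hits) >= maxretry:
            banned[ip] = ts
    return banned


def iptables_rules(banned):
    """Render the block rules an admin would apply; produced as text, not executed here."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in sorted(banned)]


if __name__ == "__main__":
    for ip, users in targeted_accounts(SAMPLE_LOG).items():
        print(f"{ip}: {dict(users)}")
    for rule in iptables_rules(offenders(SAMPLE_LOG)):
        print(rule)
```

With the defaults only 203.0.113.7 (five failures in ten seconds) is banned; 192.0.2.9 makes the same five root attempts spaced twenty minutes apart and never fills a ten-minute window, which is the usual blind spot of this class of tool: the `findtime` has to be long enough for the slow, spread-out pattern you actually see in your logs, at the cost of more state per address. Whatever the thresholds, the counter only shrinks the password-guessing surface; the `targeted_accounts` summary is there to confirm what Justin observed, that the attempts are aimed at root, which is the account that should not accept password logins on the gateway at all.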


From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Justin Sipher
Sent: Tuesday, March 16, 2010 4:07 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] significant incoming SSH volume


Hello all.  We have seen a drastic uptick in recent days for inbound SSH
connections to many of our servers.  These connections are attempting to
connect to our servers as ROOT and are coming from IP addresses
appearing to be mostly overseas.  They number in the thousands of
connections.  While we are confident in the strength of our passwords,
as you know with enough effort.......


My questions to this group are:


* Is anyone else seeing this?

* Are you doing anything to address this?  We are contemplating
blocking SSH inbound on our firewall and requiring any external SSH
connection to first connect to our VPN.  In some ways it seems excessive
and maybe even unsustainable.  On the other hand, protecting our servers
is important as you well know.


Any advice, feedback, or suggestion of best practice is welcome.


Best & thanks!

...Justin

________________________
  Justin Sipher
  Chief Technology Officer
  Skidmore College
  Saratoga Springs, NY
  jsipher () skidmore edu
  518-580-5909
