Firewall Wizards mailing list archives
Re: SSH brute force attack
From: Marko Jakovljevic <wizardx86 () gmail com>
Date: Tue, 5 Jul 2005 18:49:25 +0200
Hey Todd, and guys :) This is my first post, so I hope this is the way to reply to the mailing list ;)

I also have the same problem with these brute-force SSH attacks. As Mathew Want specifies, there isn't much else you can do besides blackholing the IP. I do know of cases where the system is merely a honeypot compromised by a sub7 variant or running something called evilbot. This effectively allows the zombie master to control all the 'zombies' that log in to the server. Besides this being very effective for denial of service attacks, they can also use the zombies for brute force attacks and phishing on IRC servers / MSN / email phishing etc.

I would suggest completely disallowing external SSH access for the root account. Another possibility is using iptables, or whichever firewall you use, to change the SSH port so that the default port gets a connection refused. This throws a spanner in the works for the average script kiddie. If you don't know iptables that well (assuming you are using iptables in the first place), http://qtables.radom.org/download.php is an excellent website with a built-in standalone script that generates an iptables ruleset which is easy to follow.

Another great tool I found that helps is http://swatch.sourceforge.net/ for monitoring the logs. What Swatch can do is monitor whatever logs you wish it to monitor and create specific firewall rules for an active response. Swatch also has emailing and, if it pleases you, SMS gateway facilities. What I did with Swatch was basically set up a configuration where any false login attempts to accounts such as test/admin/joe/bill automatically blackhole that address and prevent it from accessing the system for a certain period of time. This "throttle" lasts for around 600 seconds on the first attempt, and if the attempts continue the throttle lasts longer and longer.
The theory is that if it is a compromised honeypot, sooner or later it is going to be cleaned up (hopefully), so the ban won't last forever (not that it really matters). Furthermore, any attempts on root and other such accounts can follow the same pattern. With some creative use of Swatch and Ethereal you can set up an email that is sent to you weekly with the logged IPs of every attempt, as well as how many failed attempts and the accounts attempted, and then you can take measures from there.

NB - VERY IMPORTANT! When working with Swatch I found a problem with regard to creating rulesets for other packets besides SSH. Using ettercap (packet generator) http://sourceforge.net/projects/ettercap/ I was able to create a packet with the same destination IP as the source IP, resulting in me blocking myself out of the system. Although the attacker gets no benefit from this, he automatically blocks the IP, hence turning the system into a closed loop. This isn't possible (I think?) with SSH packets, as with those one cannot spoof the source IP, but with others it is.

In summary, I'd say Swatch is the best option if those brute-force attempts keep annoying you, but I guess just preventing outside root SSH access, changing the default SSH port, ah yeah, and making a good password (not something like 1234 or password / root / l33t) etc. would result in a relatively secure system.

Thanks guys

"Apart from black-holing the addresses in a "No SSH for you" policy on the firewall (horse already bolted), about the only thing you can do is ensure that you can't SSH in as root (something I highly advise anyway) and go to strong authentication. I have used SKEY quite successfully for this and it's free :-)."

On 7/3/05, David Ross <David.Ross () isrc qut edu au> wrote:
> Toderick, Lee W wrote:
> > Our computers running SSH daemons have logged attacks. The attacks begin with a scan logged "Did not receive identification string from x.x.x.x", followed approximately 15 minutes later with "Illegal user " or " Failed password for root". Does anyone have information or documentation about this scan/attack?
>
> I see it daily - and usually ignore it. Sometimes I filter the address blocks if they belong to ISPs in countries that I am unlikely to visit (and hence ssh from). That keeps the logs manageable.
>
> --
> David Ross
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
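The escalating throttle described in the post above, as an added example that is not part of the original message and not Swatch's own code: a small Python script written for this page that recognises the three sshd log lines quoted in the thread ("Did not receive identification string", "Illegal user", "Failed password for"), counts events per source address, issues a ban on every third event whose duration starts at 600 seconds and doubles on each repeat, and refuses to ban addresses inside a trusted list so that a packet with a forged source address cannot lock the operator out (the closed-loop problem the post warns about). The log lines are constructed, and the threshold of three, the trusted network, and the `ban_rule` iptables command are assumptions, not Swatch's behaviour.

```python
import ipaddress
import re
from collections import defaultdict

# sshd message fragments quoted in the thread; wording differs across OpenSSH
# versions, so treat these as illustrative, not exhaustive.
PATTERNS = [
    re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"),
    re.compile(r"Illegal user (?P<user>\S+) from (?P<ip>[\d.]+)"),
    re.compile(r"Did not receive identification string from (?P<ip>[\d.]+)"),
]

BASE_BAN = 600  # seconds for the first throttle, as in the post; doubles each repeat


def parse(line):
    """Return (source_ip, username or None) for a recognised line, else None."""
    for pat in PATTERNS:
        m = pat.search(line)
        if m:
            return m.group("ip"), m.groupdict().get("user")
    return None


def ban_rule(ip):
    """One reasonable drop rule (assumption: iptables filter table, INPUT chain)."""
    return f"iptables -I INPUT -s {ip} -j DROP"


class Throttle:
    def __init__(self, threshold=3, trusted=()):
        self.threshold = threshold                      # events per ban (assumed value)
        self.trusted = [ipaddress.ip_network(n) for n in trusted]
        self.failures = defaultdict(int)                # ip -> events seen
        self.users = defaultdict(set)                   # ip -> usernames tried
        self.strikes = defaultdict(int)                 # ip -> bans issued so far
        self.banned_until = {}                          # ip -> expiry (event clock)

    def is_trusted(self, ip):
        """Never ban our own or management addresses: a spoofed-source packet
        must not be able to turn the responder against the operator."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.trusted)

    def feed(self, line, now):
        """Consume one log line; return (ip, ban_seconds) if a ban is issued."""
        parsed = parse(line)
        if parsed is None:
            return None
        ip, user = parsed
        self.failures[ip] += 1
        if user:
            self.users[ip].add(user)
        if self.is_trusted(ip):
            return None
        if self.failures[ip] % self.threshold == 0:
            self.strikes[ip] += 1
            duration = BASE_BAN * 2 ** (self.strikes[ip] - 1)   # 600, 1200, 2400, ...
            self.banned_until[ip] = now + duration
            return ip, duration
        return None

    def report(self):
        """Lines for the weekly mail: address, event count, accounts tried."""
        rows = sorted(self.failures.items(), key=lambda kv: -kv[1])
        return [f"{ip} {n} attempts, users: {','.join(sorted(self.users[ip])) or '-'}"
                for ip, n in rows]


# Constructed sample log, in syslog/sshd style; not captured from a real host.
SAMPLE_LOG = """\
Jul  5 10:00:01 host sshd[111]: Did not receive identification string from 203.0.113.7
Jul  5 10:15:02 host sshd[112]: Illegal user test from 203.0.113.7
Jul  5 10:15:03 host sshd[113]: Failed password for invalid user test from 203.0.113.7 port 4021 ssh2
Jul  5 10:15:05 host sshd[114]: Failed password for root from 203.0.113.7 port 4022 ssh2
Jul  5 10:15:06 host sshd[115]: Illegal user admin from 203.0.113.7
Jul  5 10:15:07 host sshd[116]: Failed password for invalid user admin from 203.0.113.7 port 4023 ssh2
Jul  5 10:20:00 host sshd[117]: Failed password for root from 192.0.2.10 port 5000 ssh2
Jul  5 10:20:01 host sshd[118]: Failed password for root from 192.0.2.10 port 5001 ssh2
Jul  5 10:20:02 host sshd[119]: Failed password for root from 192.0.2.10 port 5002 ssh2
Jul  5 10:21:00 host sshd[120]: Accepted publickey for marko from 198.51.100.4 port 6000 ssh2
"""


def run_sample(trusted=("192.0.2.0/24",)):
    """Replay SAMPLE_LOG; the line index stands in for a wall clock."""
    throttle = Throttle(threshold=3, trusted=trusted)
    bans = []
    for i, line in enumerate(SAMPLE_LOG.splitlines()):
        issued = throttle.feed(line, now=i)
        if issued:
            bans.append(issued)
    return bans, throttle


if __name__ == "__main__":
    bans, throttle = run_sample()
    for ip, seconds in bans:
        print(f"{ban_rule(ip)}   # for {seconds}s")
    print("\n".join(throttle.report()))
```

With the sample log, 203.0.113.7 is banned at its third event for 600 seconds and again at its sixth for 1200, while 192.0.2.10 (inside the assumed trusted range) accumulates three failures but is never banned; run with an empty trusted list and it is banned too, which is exactly the self-lockout the trusted list exists to prevent.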
Current thread:
- RE: SSH brute force attack Paul Melson (Jul 01)
- <Possible follow-ups>
- Re: SSH brute force attack Mark Tinberg (Jul 01)
- RE: SSH brute force attack Mathew Want (Jul 01)
- Re: SSH brute force attack David Ross (Jul 05)
- Re: SSH brute force attack Marko Jakovljevic (Jul 06)
- RE: SSH brute force attack Mark Ness (Jul 18)
- Re: RE: SSH brute force attack Mark Ness (Jul 21)
- Re: RE: SSH brute force attack Christine Kronberg (Jul 21)