Full Disclosure mailing list archives
Re: Counteroffensive help on bruteforce attacks on SSHD
From: Valdis.Kletnieks () vt edu
Date: Fri, 29 Oct 2004 12:51:15 -0400
On Fri, 29 Oct 2004 14:34:21 BST, Andrew Poodle said:
I'm seeing lots of ssh login attempts with user=root from two or three IP addresses, after I blocked access at the firewall based on host.
Can anyone point me at some good resources where I can bone up and learn more about counter-measures.... I'm not looking to take this guy out (although would'nt be a bad thing).. But would be interesting to find out more.
1) set your firewall up *beforehand* to deny all SSH connects except from hosts/networks that you need inbound SSH from. If you're never going to SSH in except from 3 specific machines and one dial-up net, just allow those 3 machines and the /24 or whatever that the dial-up uses. 2) In your sshd_config file, "PermitRootLogin no" and "PermitEmptyPasswords no" will help security a lot. If you're ambitious, you might consider forcing the use of RSA keys and "PasswordAuthentication no". Note that this *DOES* require that the hosts you're ssh'ing in from *also* be secure (because if an attacker gets the private key on that machine, they just got a login on your box too...) 3) If you're ambitious, drop the network admin a "Please whack your user who has a compromised box" (almost *all* of the recent plague of SSH scans have been from ancient, unsecured, unpatched boxes). Offer void in Korea or anyplace else that doesn't have a net admin who gives a damn, YMMV, etc.. ;) 4) That should stop the anklebiters. Deterrence measures for more determined attackers are a separate issue. ;)
Attachment:
_bin
Description:
Current thread:
- Counteroffensive help on bruteforce attacks on SSHD Andrew Poodle (Oct 29)
- Re: Counteroffensive help on bruteforce attacks on SSHD Valdis . Kletnieks (Oct 29)