Security Incidents mailing list archives

Re: Internet SSH scans


From: Jose Lima <d3javu1978 () yahoo com>
Date: Thu, 9 Nov 2006 00:40:48 -0800 (PST)


While changing ports is an easy way to avoid SSH attacks, from a management
perspective it's not practical in environments with 500+ users.

We have managed to keep the scans to a minimum using a combination of
DenyHosts and iptables.

By throttling NEW connections to 4/minute with iptables it takes the
dictionary attack 15 minutes to do what it normally does in less than 1
minute.

By that time, the attacker has already been placed in our /etc/hosts.deny
file by DenyHosts for 45 days.  We also have emails sent from DenyHosts to
our help desk where they are monitored in case (unlikely) an end user
accidentally puts in the wrong user name 20 times in a row. 

Since we only apply our iptables rule to NEW connections, established
connections are not affected at all. 

I have to agree with the password policy; I suggest enforcing password
aging and pam_cracklib to ensure your local users choose strong passwords.
Not too strong or they'll end up on a sticky note on their monitors :), use
good judgment on that one.

BR,


J
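A rule set of the kind Jose describes, as an added example that is not part of the original thread: it throttles NEW SSH connections to 4/minute with iptables and leaves established sessions untouched. It assumes sshd on port 22, IPv4, and the conntrack, limit and recent matches being available; the per-source "recent" rules go beyond the post's single global limit so that one scanning host cannot starve other users' logins.

```shell
#!/bin/sh
# Added example, not code from the original post. Set IPTABLES=echo to
# print the commands instead of applying them (useful for review).
: "${IPTABLES:=iptables}"
SSH_PORT="${SSH_PORT:-22}"   # assumption: sshd listens on 22

ssh_throttle_rules() {
    # 1. Packets of an existing session are accepted first, so nothing
    #    below can ever interrupt a user who is already logged in.
    "$IPTABLES" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 2. Per-source throttle: record every NEW SSH attempt under the list
    #    name "SSH", and drop a source once it has made 5 or more attempts
    #    in the last 60 seconds (i.e. 4 are allowed per minute per source).
    "$IPTABLES" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --name SSH --set
    "$IPTABLES" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --name SSH --update --seconds 60 --hitcount 5 -j DROP

    # 3. Global ceiling of 4 NEW SSH connections per minute (burst of 4),
    #    the figure from the post. Overflow is logged at a low rate so the
    #    burst is visible in syslog next to the DenyHosts entries, then dropped.
    "$IPTABLES" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m limit --limit 4/minute --limit-burst 4 -j ACCEPT
    "$IPTABLES" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m limit --limit 1/minute -j LOG --log-prefix "SSH-THROTTLE: "
    "$IPTABLES" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j DROP
}
```

Run with `IPTABLES=echo sh script.sh` first to check the generated rules; the limit match alone is global, which is why the recent rules sit in front of it.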
Jamie Riden wrote:

[sorry, I managed to cc this to bugtraq rather than incidents first time
around]

On 03/03/06, Alexandre H <alexandre.hamelin () gmail com> wrote:
Hi,

I've witnessed what I think is an increase in SSH scans over the
Internet in the past four or five weeks. The scan seems to originate
from various countries around the globe, which makes me think it is
a worm-like spreading virus searching for vulnerable systems running the
SSH service. I confirmed the attack with a friend of mine who also
happens to run an SSH server at home. We both live in Montreal, QC,
Canada and are using the same ISP.

I think I've been seeing scans for a year or two now, but the password
guessing seemed to be fairly plentiful for the whole of last year. I
saw a couple of boxes compromised through 'temporary' accounts like
upload/upload which had escaped the admin's notice.

My suggested mitigation is to move SSH to an alternate port, possibly
go to key pair authentication rather than password, restrict what IP
addresses are allowed to connect to sshd as far as possible and/or use
crack/john to ensure that people don't set dumb passwords.

cheers,
 Jamie

(In case anyone is interested in the gory details - one compromised
box had some privilege escalation exploits uploaded, someone tried to
use it for sending ebay phishing emails, and then started it scanning
for other weak ssh passwords as well -
http://www.infosecwriters.com/texts.php?op=display&id=402 )


