Security Basics mailing list archives

Re: SSH server under attack...

From: hytham.a () securityfocus com, gmail () securityfocus com, com () securityfocus com
Date: 25 Jan 2006 17:50:04 -0000

I'd have to say that a DoS against your users is highly unlikely given the type of attack that is occuring based on the 
logs you have posted; only 3 attempts per username before moving on to the next account.  Why?  Most sensible admins 
would configure MaxAuthTries in /etc/sshd_config to a value of 3, max.  This limits the attacker to a finite number 
before having to move on to the next account to attack preventing their scripts from focusing on a single account.  
IMO, what you have is a plain and simple brute force attempt that has 2 obvious goals in mind: 1) determing valid 
accounts 2) looking for weak passwords associated to those accounts.

Simply changing your sshd listening port is a very small step in securing your host when looking at it from the big 
picture.  Most would argue, and I would wholeheartedly agree, that it is security through obscurity.

Recommendations:  

1) run on a different port - slows down an attacker temporarily (as witnessed)
2) use an external authentication source - radius/rsa configured via PAM modules
3) PublicKey Authentication
4) Port Knock Sequencing authentication using IPTables (*relatively* new to the white hat community, but around for 
quite some time).
5) Possibly create a chroot jail for your users

Using some of the aforementioned recommendations will help in stopping brute force attempts from becoming a nightmarish 
reality :)

All sensible comments welcome!

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

Current thread:

Re: SSH server under attack..., (continued)
- Re: SSH server under attack... Jason Mitchell (Jan 25)
  - Re: SSH server under attack... Teemu A. (Jan 26)
- Re: SSH server under attack... ilaiy (Jan 25)
- RE: SSH server under attack... Matt Cunnane (Jan 26)
- Re: SSH server under attack... Frankie Li (Jan 26)
- Re: SSH server under attack... Matt Alexander (Jan 26)
- Re: SSH server under attack... unixadmin99 (Jan 26)
- Re: SSH server under attack... xyberpix (Jan 30)
- Re: SSH server under attack... Kenton Smith (Jan 25)
- Re: SSH server under attack... Timothy Hall (Jan 26)
- Re: SSH server under attack... hytham . a (Jan 26)
- Re: Re: SSH server under attack... bob (Jan 26)
- Re: SSH server under attack... pg_vlad (Jan 26)
- RE: SSH server under attack... Beauford, Jason (Jan 26)
- RE: SSH server under attack... Byrd, Gregory (Jan 26)
- Re: SSH server under attack... gmHumfrey (Jan 26)