Educause Security Discussion mailing list archives

Re: Ongoing distributed Linux SSH dictionary attack


From: Andrew Daviel <advax () TRIUMF CA>
Date: Sat, 18 Apr 2009 12:13:01 -0700

On Sat, 18 Apr 2009, Nick Semenkovich wrote:

> (I don't know about sshdfilter, which hasn't been updated since 2007
> and isn't in any distros ...)
>
> The industry standard is DenyHosts: http://denyhosts.sourceforge.net/
>
> It's a very well supported package (in the main Debian repo, etc.):
> http://packages.debian.org/lenny/denyhosts
>
> It's incredibly flexible, sends to syslog, and has a blocking database
> (for free!) so your clients can automatically submit/retrieve hosts
> involved in brute force attacks.

I looked at that at some point. As I recall, it runs out of cron and
updates /etc/hosts.deny.

I abandoned that approach some years ago for a script which continually
monitors /var/log/secure on a central loghost and updates iptables on our
gateway. That way it can respond within a few seconds instead of many
minutes, and the traffic is kept off our network entirely. That worked
well enough to block a single host scanning across our network, but does
nothing for hundreds of hosts scanning one or two machines.

I found http://danger.rulez.sk/projects/bruteforceblocker which is doing
the same thing on a per-host basis but with a community blocklist, for
either Linux iptables or FreeBSD pf.
Looking at their stats at
http://danger.rulez.sk/projects/bruteforceblocker/blist.php
compared to http://stats.denyhosts.net/stats.html
they are blocking an order of magnitude more than denyhosts.
Of 500 hosts attacking one of ours, they list 480.

I have some concerns about the resistance of the community blocklist to
spoofing and DoS, but I was considering updating my tool to use it.
The somewhat similar antispam tool Razor uses a client rating scheme and
update keys to guard against abuse.

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager
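The loghost-watcher approach described in the message above (read the sshd log as it grows, count failures per source address in a short window, push an iptables DROP rule on the gateway) as an added example. This is not Andrew's script, nor DenyHosts or bruteforceblocker; it assumes OpenSSH's "Failed password ... from IP port N" line format in /var/log/secure, a fixed year (2009, the year of the thread) for the year-less syslog timestamps, and constructed sample lines using RFC 5737 documentation addresses. The never_block list and the slow attacker in the sample are the two caveats a practitioner wants: a watcher that can block must never block its own network or loghost, and a per-source threshold in a short window does nothing against attempts spread thinly over time or over hundreds of sources, which is exactly the limitation the message notes.

```python
import calendar
import ipaddress
import re
import subprocess
from collections import defaultdict, deque
from datetime import datetime

# One OpenSSH failure line in /var/log/secure (syslog format). Only the
# "Failed password" line is matched: sshd also logs "Invalid user X from IP"
# for the same attempt, and matching both would count each attempt twice.
FAILED_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)

# Assumed year for the year-less syslog timestamps (not in the original
# message); a real monitor has to handle the year rollover itself.
ASSUMED_YEAR = 2009


def parse_failed_login(line, year=ASSUMED_YEAR):
    """Return (epoch_seconds, source_ip) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m.group("stamp")), "%Y %b %d %H:%M:%S")
    return calendar.timegm(ts.timetuple()), m.group("ip")


class SshBruteForceMonitor:
    """Sliding-window failure counter per source IP that emits iptables blocks."""

    def __init__(self, threshold=5, window=60, never_block=(), chain="FORWARD"):
        self.threshold = threshold          # failures that trigger a block
        self.window = window                # seconds they must fall within
        self.chain = chain                  # FORWARD on a gateway, INPUT on a host
        # Address space that must never be blocked: our own networks, the
        # loghost and the gateway itself. A watcher that blocks these causes
        # a self-inflicted outage the moment someone fat-fingers a password.
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.attempts = defaultdict(deque)  # ip -> timestamps inside the window
        self.blocked = []                   # ips blocked, in order

    def is_protected(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.never_block)

    def block_command(self, ip):
        # -I inserts at the top of the chain so the DROP wins over any ACCEPT
        # rule that already admits SSH from the outside.
        return ["iptables", "-I", self.chain, "-s", ip,
                "-p", "tcp", "--dport", "22", "-j", "DROP"]

    def observe(self, ts, ip, execute=False):
        """Record one failure; return the iptables command if ip just got blocked."""
        if ip in self.blocked or self.is_protected(ip):
            return None
        q = self.attempts[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop attempts older than window
            q.popleft()
        if len(q) < self.threshold:
            return None
        self.blocked.append(ip)
        cmd = self.block_command(ip)
        if execute:
            subprocess.run(cmd, check=True)
        return cmd

    def feed(self, lines, execute=False):
        """Process log lines in order; return the IPs blocked, in blocking order."""
        newly = []
        for line in lines:
            parsed = parse_failed_login(line)
            if parsed is not None and self.observe(*parsed, execute=execute):
                newly.append(parsed[1])
        return newly


# Constructed sample (RFC 5737 documentation addresses), not real log data:
# 203.0.113.5 is a fast dictionary attack, 10.0.0.4 is an internal host that
# must not be blocked, 198.51.100.9 is a slow attacker that stays under the
# per-minute threshold.
SAMPLE_LOG = """\
Apr 18 12:13:01 loghost sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 40210 ssh2
Apr 18 12:13:03 loghost sshd[4103]: Invalid user oracle from 203.0.113.5
Apr 18 12:13:03 loghost sshd[4103]: Failed password for invalid user oracle from 203.0.113.5 port 40211 ssh2
Apr 18 12:13:05 loghost sshd[4105]: Failed password for root from 203.0.113.5 port 40212 ssh2
Apr 18 12:13:06 loghost sshd[4107]: Failed password for invalid user test from 203.0.113.5 port 40213 ssh2
Apr 18 12:13:07 loghost sshd[4109]: Accepted publickey for andrew from 198.51.100.7 port 51000 ssh2
Apr 18 12:13:08 loghost sshd[4111]: Failed password for invalid user guest from 203.0.113.5 port 40214 ssh2
Apr 18 12:13:09 loghost sshd[4113]: Failed password for root from 10.0.0.4 port 33000 ssh2
Apr 18 12:13:10 loghost sshd[4115]: Failed password for root from 10.0.0.4 port 33001 ssh2
Apr 18 12:13:11 loghost sshd[4117]: Failed password for root from 10.0.0.4 port 33002 ssh2
Apr 18 12:13:12 loghost sshd[4119]: Failed password for root from 10.0.0.4 port 33003 ssh2
Apr 18 12:13:13 loghost sshd[4121]: Failed password for root from 10.0.0.4 port 33004 ssh2
Apr 18 12:20:00 loghost sshd[4200]: Failed password for root from 198.51.100.9 port 22000 ssh2
Apr 18 12:25:00 loghost sshd[4202]: Failed password for root from 198.51.100.9 port 22001 ssh2
Apr 18 12:30:00 loghost sshd[4204]: Failed password for root from 198.51.100.9 port 22002 ssh2
Apr 18 12:35:00 loghost sshd[4206]: Failed password for root from 198.51.100.9 port 22003 ssh2
Apr 18 12:40:00 loghost sshd[4208]: Failed password for root from 198.51.100.9 port 22004 ssh2
""".splitlines()


def demo():
    """Dry run over the sample: returns the IPs that would be blocked."""
    mon = SshBruteForceMonitor(threshold=5, window=60,
                               never_block=["10.0.0.0/8", "192.168.0.0/16"])
    return mon.feed(SAMPLE_LOG)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        # e.g.  tail -F /var/log/secure | python3 sshblock.py --live   (as root)
        SshBruteForceMonitor(never_block=["10.0.0.0/8"]).feed(sys.stdin, execute=True)
    else:
        print(demo())
```

With the sample and a 60-second window only 203.0.113.5 gets a rule; 10.0.0.4 is protected by never_block, and 198.51.100.9 never accumulates five attempts inside one window. Widening the window (say to an hour) catches the slow single source, but still not a few hundred sources each trying once, which is where a shared blocklist such as the bruteforceblocker or DenyHosts feeds come in. Rules added this way are not persisted across reboots and are never expired; a production watcher needs both.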
