Educause Security Discussion mailing list archives

Re: SSH dictionary attack dictionary


From: Chris Schenk <Christopher.Schenk () COLORADO EDU>
Date: Tue, 11 Aug 2009 10:53:01 -0600

Bob Bayn wrote:
Also, we watch our VPN logs for successful connections from out of the
country (usually Chinese IPs) and contact the user to see if they really
are in that country (which was true about 1% of the time).  These events
have become quite rare in the past year, since we enforced new
password complexity rules and raised awareness.


This particular line of thinking is something that the Computer Science
dept. at University of Colorado, Boulder has taken.  In addition to
running denyhosts, fail2ban, and in the past the slightly more esoteric
SSHDfilter, we assume that somewhere along the way, we WILL be
successfully breached by a valid user account.  So we run home-grown
scripts that log all successful logins from users to generate behavioral
data over time.  If a user suddenly logs in from an IP that is outside
the US, or is outside of the common networks from where the user usually
logs in, an email is sent to the administrators with the following
information:

Username
Date/Time
IP address
Reverse DNS lookup
GEOIP data lookup (using the free databases)
Whois data (can be a little messy)

Now this doesn't necessarily scale very well to thousands of users, but
we monitor about 400-500 accounts and typically the notification is the
student who's visiting home in China and logging in remotely.  However,
we have caught a few cases where students' (and even better, a few
faculty) accounts have been collected through other systems and are
logged in successfully on the first try, bypassing any
fail2ban/denyhosts/sshdfilter system we have in place, but I want to
know if it's China, Romania, Russia, Taiwan, wherever.

And even though it's a little bit of big brother, we also log all
command-line activity (of Bash) to syslog (refer to the edits of
/etc/profile in the following page:
http://posludio.wordpress.com/2007/11/02/bash-history-to-a-remote-syslog/),
but reviewing that information is still under the coverage of U.S. Code
Title 18, Part 1, Chapter 119, where we basically cannot review this
information unless we either have written consent to view this
information (although we're still working on getting signatures from all
of our users) or our 'rights or property' is being violated.  The latter
situation is fuzzy, but in the case of a real compromise, I want to see
EXACTLY what the remote person has done on the machine while performing
forensics after the fact.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chris Schenk
Director of Computing Operations
Department of Computer Science
University of Colorado, Boulder
P:(303)492-5720  F:(303)492-2844
Christopher.Schenk () Colorado EDU
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
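The behavioural check described in the post above (a per-user baseline of usual networks, plus a country lookup on every successful SSH login), written out as an added example. This is not the department's home-grown script: the sshd log lines, the per-user baseline, and the tiny prefix-to-country table standing in for the free GeoIP databases are all constructed for the example, and the reverse-DNS and whois enrichment from the post is left out so the block runs offline.

```python
import ipaddress
import re

# Constructed sshd syslog lines for the example; not real log data.
SAMPLE_AUTH_LOG = """\
Aug 11 09:12:01 cs-login sshd[2311]: Accepted publickey for alice from 128.138.10.20 port 51022 ssh2
Aug 11 09:40:17 cs-login sshd[2400]: Accepted password for bob from 128.138.200.5 port 40011 ssh2
Aug 11 10:02:44 cs-login sshd[2533]: Accepted password for alice from 203.0.113.77 port 3412 ssh2
Aug 11 10:05:09 cs-login sshd[2540]: Failed password for carol from 198.51.100.9 port 2200 ssh2
Aug 11 10:30:30 cs-login sshd[2601]: Accepted password for bob from 198.51.100.9 port 2201 ssh2
Aug 11 10:45:00 cs-login sshd[2650]: Accepted publickey for carol from 128.138.5.5 port 2300 ssh2
"""

# Only successful logins matter here; failed attempts are what fail2ban/denyhosts handle.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Per-user baseline of the networks each account normally logs in from (constructed).
BASELINE = {
    "alice": [ipaddress.ip_network("128.138.0.0/16")],
    "bob": [ipaddress.ip_network("128.138.0.0/16"), ipaddress.ip_network("192.0.2.0/24")],
}

# Stand-in for the free GeoIP databases: a constructed prefix -> country table built
# from documentation ranges, so the mapping is illustrative only.
GEOIP_TABLE = [
    (ipaddress.ip_network("128.138.0.0/16"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("203.0.113.0/24"), "CN"),
]

HOME_COUNTRY = "US"


def geoip_country(ip_str):
    """Return the country code for an IP from the local table, or '??' if unknown."""
    ip = ipaddress.ip_address(ip_str)
    for net, country in GEOIP_TABLE:
        if ip in net:
            return country
    return "??"


def parse_accepted(line):
    """Extract timestamp, user and ip from an sshd 'Accepted' line; None for anything else."""
    m = ACCEPTED_RE.match(line)
    return m.groupdict() if m else None


def login_anomalies(user, ip_str, baseline=BASELINE):
    """List the reasons a successful login looks unusual; an empty list means it is routine."""
    ip = ipaddress.ip_address(ip_str)
    reasons = []
    country = geoip_country(ip_str)
    if country != HOME_COUNTRY:
        reasons.append(f"source country {country} is outside the {HOME_COUNTRY}")
    usual = baseline.get(user)
    if usual is None:
        reasons.append(f"no baseline of usual networks recorded for {user}")
    elif not any(ip in net for net in usual):
        reasons.append(f"{ip_str} is outside {user}'s usual networks")
    return reasons


def scan(log_text):
    """Run every successful login through the anomaly checks and collect alerts."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_accepted(line)
        if rec is None:
            continue
        reasons = login_anomalies(rec["user"], rec["ip"])
        if reasons:
            alerts.append({**rec, "country": geoip_country(rec["ip"]), "reasons": reasons})
    return alerts


def format_alert(alert):
    """Render one alert in the field layout the post lists (rDNS and whois omitted here)."""
    return (
        f"Username:  {alert['user']}\n"
        f"Date/Time: {alert['ts']}\n"
        f"IP:        {alert['ip']}\n"
        f"GeoIP:     {alert['country']}\n"
        f"Reasons:   " + "; ".join(alert["reasons"])
    )


if __name__ == "__main__":
    for a in scan(SAMPLE_AUTH_LOG):
        print(format_alert(a), end="\n\n")
```

On the constructed input, the routine logins from the campus /16 pass silently, while three successes are flagged: alice from a non-US address that is also outside her usual networks, bob from a US address outside his baseline, and carol because no baseline exists for her yet. Treating "no baseline" as an alert rather than a pass is deliberate: the first login of an account that was harvested elsewhere and used successfully on the first try, the case the post says slips past fail2ban and denyhosts, is exactly the one a blocklist-style tool never sees.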
