Educause Security Discussion mailing list archives
Re: SSH dictionary attack dictionary
From: "Plesco, Todd" <tplesco () CHAPMAN EDU>
Date: Tue, 11 Aug 2009 13:55:08 -0700
Count me in as well. Sounds like very useful scripts.

Todd A. Plesco CISM, CBCP
Chapman University, Director of Information Security
One University Drive, Orange, CA 92866
Phone: (714) 744-7979 / Fax: (714) 744-7041

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Di Fabio, Andrea
Sent: Tuesday, August 11, 2009 10:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SSH dictionary attack dictionary

I would be interested in seeing your behavioral detection scripts if you can share.

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chris Schenk [Christopher.Schenk () COLORADO EDU]
Sent: Tuesday, August 11, 2009 12:53
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SSH dictionary attack dictionary

Bob Bayn wrote:
Also, we watch our VPN logs for successful connections from out of the country (usually Chinese IPs) and contact the user to see if they really are in that country (which was true about 1% of the time). These events have become quite rare in the past year, since we enforced new password complexity rules and raised awareness.
This particular line of thinking is something that the Computer Science dept. at University of Colorado, Boulder has taken. In addition to running denyhosts, fail2ban, and in the past the slightly more esoteric SSHDfilter, we assume that somewhere along the way, we WILL be successfully breached by a valid user account. So we run home-grown scripts that log all successful logins from users to generate behavioral data over time. If a user suddenly logs in from an IP that is outside the US, or is outside of the common networks from where the user usually logs in, an email is sent to the administrators with the following information:

Username
Date/Time
IP address
Reverse DNS lookup
GEOIP data lookup (using the free databases)
Whois data (can be a little messy)

Now this doesn't necessarily scale very well to thousands of users, but we monitor about 400-500 accounts and typically the notification is the student who's visiting home in China and logging in remotely. However, we have caught a few cases where students' (and even better, a few faculty) accounts have been collected through other systems and are logged in successfully on the first try, bypassing any fail2ban/denyhosts/sshdfilter system we have in place, but I want to know if it's China, Romania, Russia, Taiwan, wherever.

And even though it's a little bit of big brother, we also log all command-line activity (of Bash) to syslog (refer to the edits of /etc/profile in the following page: http://posludio.wordpress.com/2007/11/02/bash-history-to-a-remote-syslog/), but reviewing that information is still under the coverage of U.S. Code Title 18, Part 1, Chapter 119, where we basically cannot review this information unless we either have written consent to view this information (although we're still working on getting signatures from all of our users) or our 'rights or property' is being violated.

The latter situation is fuzzy, but in the case of a real compromise, I want to see EXACTLY what the remote person has done on the machine while performing forensics after the fact.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chris Schenk
Director of Computing Operations
Department of Computer Science
University of Colorado, Boulder
P:(303)492-5720 F:(303)492-2844
Christopher.Schenk () Colorado EDU
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
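As an added illustration of the behavioral login check Chris Schenk describes (this is an example written for this archive page, not his script or any code from the list): it parses the "Accepted ..." lines sshd writes to syslog, builds each user's set of usual /24 networks from past logins, and flags a new login that comes from an unfamiliar network or from outside the home country. The log lines and the GeoIP table are constructed stand-ins; a real run would consult the free GeoIP database and add the reverse DNS and whois lookups the message lists before emailing the administrators.

```python
import re
import ipaddress

# Matches the line sshd writes to syslog on every successful login.
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)")

# Constructed stand-in for the free GeoIP database: network -> country code.
GEOIP = {
    ipaddress.ip_network("198.18.0.0/16"): "US",    # constructed "campus" range
    ipaddress.ip_network("203.0.113.0/24"): "CN",   # constructed (TEST-NET-3)
}

# Constructed sample syslog lines: HISTORY builds the baseline, NEW is checked against it.
HISTORY = [
    "Aug 10 09:12:01 host sshd[4021]: Accepted publickey for alice from 198.18.5.20 port 50122 ssh2",
    "Aug 10 21:40:13 host sshd[4188]: Accepted password for alice from 198.18.5.77 port 50313 ssh2",
]
NEW = [
    "Aug 11 08:02:44 host sshd[5110]: Accepted password for alice from 198.18.5.21 port 51002 ssh2",
    "Aug 11 03:17:09 host sshd[5097]: Accepted password for alice from 203.0.113.9 port 44012 ssh2",
    "Aug 11 10:30:00 host sshd[5201]: Accepted publickey for bob from 198.18.9.4 port 52210 ssh2",
]

def country(ip):
    """Country code for an address from the (constructed) GeoIP table, '??' if unknown."""
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEOIP.items() if addr in net), "??")

def parse_logins(lines):
    """Yield (user, ip) for every successful sshd login found in the lines."""
    for line in lines:
        m = ACCEPTED.search(line)
        if m:
            yield m.group("user"), m.group("ip")

def build_baseline(history_lines):
    """Per-user set of /24 networks seen in historical successful logins."""
    seen = {}
    for user, ip in parse_logins(history_lines):
        seen.setdefault(user, set()).add(ipaddress.ip_network(f"{ip}/24", strict=False))
    return seen

def flag_logins(baseline, new_lines, home="US"):
    """Alert on logins from a network the user has not used before or from outside `home`."""
    alerts = []
    for user, ip in parse_logins(new_lines):
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        cc = country(ip)
        unfamiliar = net not in baseline.get(user, set())
        if unfamiliar or cc != home:
            alerts.append({"user": user, "ip": ip, "country": cc, "new_network": unfamiliar})
    return alerts
```

Running `flag_logins(build_baseline(HISTORY), NEW)` on the constructed data raises two alerts: alice's login from the CN range and bob's first-ever login, while alice's login from her usual campus /24 stays quiet.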