Educause Security Discussion mailing list archives

Re: significant incoming SSH volume


From: Joe Vieira <jvieira () CLARKU EDU>
Date: Tue, 16 Mar 2010 16:17:16 -0400

Hi Justin,

   Just some advice:  I would certainly limit access to SSH to only
your administrative vlans and require the vpn to SSH in.

   I would also disable direct root access via SSH: in
/etc/sshd/sshd_config set PermitRootLogin no, then restart SSH.

   If that's not feasible, there are ways to make iptables help you and
stop brute force attacks.
      An example of such being:

   -A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --set
   -A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 120 --hitcount 5 --rttl --name SSH -j LOG --log-prefix SSH_brute_force
   -A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 120 --hitcount 5 --rttl --name SSH -j DROP

   Basically you're using the recent module to track the IP session.
So when someone tries to connect on port 22 you start watching them; if
they do it 5 times in 2 minutes, log and drop the packet.  Bingo, you've
got yourself a self-adapting firewall.

Welcome,

Joe Vieira
Manager Systems Administration
Clark University

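To make the behaviour of the recent-module rules above concrete, here is an added Python simulation (not code from the original thread) of --set followed by --update --seconds 120 --hitcount 5 applied to constructed connection attempts; the --rttl TTL comparison is not modelled and the addresses are made up.

```python
"""Simulation of the quoted iptables 'recent' rules: rule 1 does --set,
rules 2 (LOG) and 3 (DROP) do --update --seconds 120 --hitcount 5.
Added illustration; the --rttl check is omitted."""
from collections import defaultdict, deque

SECONDS = 120      # --seconds 120
HITCOUNT = 5       # --hitcount 5
PKT_LIST_TOT = 20  # xt_recent keeps at most this many stamps per address


class RecentTable:
    """One '--name SSH' table: source address -> recorded hit timestamps."""

    def __init__(self, seconds=SECONDS, hitcount=HITCOUNT, cap=PKT_LIST_TOT):
        self.seconds, self.hitcount = seconds, hitcount
        self.stamps = defaultdict(lambda: deque(maxlen=cap))

    def set(self, src, now):
        """--set: record a hit for src."""
        self.stamps[src].append(now)

    def update(self, src, now):
        """--update: match when >= hitcount stamps fall inside the window.
        On a match the module records another stamp, so an attacker who
        keeps hammering keeps extending their own block."""
        hits = sum(1 for t in self.stamps[src] if now - t <= self.seconds)
        if hits >= self.hitcount:
            self.stamps[src].append(now)
            return True
        return False


def filter_syns(syns):
    """Run (time_in_seconds, src_ip) NEW SYNs through the three rules.
    Returns (time, src, verdict); 'ACCEPT' means the packet fell through."""
    table, out = RecentTable(), []
    for now, src in syns:
        table.set(src, now)               # rule 1: -m recent --set
        table.update(src, now)            # rule 2: -j LOG (non-terminating)
        dropped = table.update(src, now)  # rule 3: -j DROP
        out.append((now, src, "LOG+DROP" if dropped else "ACCEPT"))
    return out


# Constructed sample: a scanner (203.0.113.7) retrying every 10 s while an
# admin (198.51.100.5) logs in occasionally; the scanner pauses, then returns.
SAMPLE_SYNS = [(0, "203.0.113.7"), (5, "198.51.100.5"), (10, "203.0.113.7"),
               (20, "203.0.113.7"), (30, "203.0.113.7"), (40, "203.0.113.7"),
               (65, "198.51.100.5"), (100, "203.0.113.7"), (300, "203.0.113.7")]

if __name__ == "__main__":
    for now, src, verdict in filter_syns(SAMPLE_SYNS):
        print(f"t={now:4d}s {src:14s} {verdict}")
```

The fifth SYN inside two minutes is logged and dropped, the admin is never affected because the table is keyed per source address, and a source that stays quiet for longer than the window is accepted again.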

Justin Sipher wrote:
Hello all.  We have seen a drastic uptick in recent days for inbound
SSH connections to many of our servers.  These connections are
attempting to connect to our servers as ROOT and are coming from IP
addresses appearing to be mostly overseas.  They number in the
thousands of connections.  While we are confident in the strength of
our passwords, as you know with enough effort.......

My questions to this group are:

    * Is anyone else seeing this?


    * Are you doing anything to address this?  We are contemplating
      blocking SSH inbound on our firewall and requiring any external
      SSH connection to first connect to our VPN.  In some ways it
      seems excessive and maybe even unsustainable.  On the other
      hand, protecting our servers is important as you well know.


Any advice, feedback, or suggestion of best practice is welcome.

Best & thanks!
...Justin
________________________
  Justin Sipher
  Chief Technology Officer
  Skidmore College
  Saratoga Springs, NY
  jsipher () skidmore edu
  518-580-5909

