Educause Security Discussion mailing list archives
Re: significant incoming SSH volume
From: "Michael J. Wheeler" <mwheeler () PITTSTATE EDU>
Date: Tue, 16 Mar 2010 21:03:39 -0500
On 3/16/2010 3:07 PM, Justin Sipher wrote:
> Hello all. We have seen a drastic uptick in recent days for inbound SSH connections to many of our servers. These connections are attempting to connect to our servers as ROOT and are coming from IP addresses appearing to be mostly overseas. They number in the thousands of connections. While we are confident in the strength of our passwords, as you know with enough effort....... My questions to this group are:
> * Is anyone else seeing this?
Our main administrative system (AIX) has had more than 350k failed ssh logins in the last 6 months. That's around 2000 a day. We've written a custom "shell" that everyone uses. It's your /etc/passwd shell entry and acts like a "login handler passthrough". It adds some features like:
1) Per-user IP restrictions. Suzy can SSH in from her computer's IP only. Her login won't work from John's computer IP, and vice versa. So, even if Suzy's password is compromised, it only works from her desk.
2) Concurrent session restrictions: Suzy is able to have 3 concurrent sessions from 2 different IPs (rule #1 permitting). Or, Suzy can have 2 concurrent sessions, but only from the same IP.
There are more rules than mentioned, but you get the idea. Assuming all these rules are met, your session is then handed off to your preferred shell (bash, ksh, etc.) and your session acts like normal.
> * Are you doing anything to address this? We are contemplating blocking SSH inbound on our firewall and requiring any external SSH connection to first connect to our VPN. In some ways it seems excessive and maybe even unsustainable. On the other hand, protecting our servers is important as you well know.
On some of our linux servers, we're using an open-source piece of software (the name escapes me at the moment, I'm not the unix/linux guy) that does SSH login throttling. So, if there are $x failed attempts in $y seconds, that IP gets blocked for 10 minutes. Obviously, this won't work well for distributed brute-force attempts, but it's all about security in layers.
> Any advice, feedback, or suggestion of best practice is welcome.
Within the same vein as the SSH login throttling, we're looking at turning on login throttling for our enterprise directory services (LDAP). Most of our unix/linux servers don't authenticate against LDAP, but we have a growing number of other services that do either directly or through Shibboleth.
> Best & thanks! ...Justin
> ________________________
> Justin Sipher
> Chief Technology Officer
> Skidmore College
> Saratoga Springs, NY
> jsipher () skidmore edu
> 518-580-5909
--
Michael J. Wheeler
Assistant Director, Systems and Networking
Pittsburg State University
Phone: 620-235-4610
E-mail: mwheeler () pittstate edu
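The throttling rule Michael describes ($x failed attempts in $y seconds, then a 10-minute block), as an added Python example run over constructed sshd log lines; it is not code from the thread or from the tool he mentions. The key="user" option is an assumption added here to show the per-account view that a per-IP rule misses when the failures are spread across many sources.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log lines (not from the thread): one source hammering root,
# then five sources trying "admin" once each (the distributed case).
SAMPLE_LOG = """\
Mar 16 21:00:01 srv sshd[4011]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar 16 21:00:03 srv sshd[4012]: Failed password for root from 203.0.113.5 port 40002 ssh2
Mar 16 21:00:06 srv sshd[4013]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar 16 21:00:08 srv sshd[4014]: Failed password for root from 203.0.113.5 port 40004 ssh2
Mar 16 21:00:09 srv sshd[4015]: Failed password for root from 203.0.113.5 port 40005 ssh2
Mar 16 21:00:12 srv sshd[4016]: Failed password for root from 203.0.113.5 port 40006 ssh2
Mar 16 21:01:00 srv sshd[4017]: Failed password for invalid user admin from 198.51.100.1 port 41000 ssh2
Mar 16 21:01:10 srv sshd[4018]: Failed password for invalid user admin from 198.51.100.2 port 41001 ssh2
Mar 16 21:01:20 srv sshd[4019]: Failed password for invalid user admin from 198.51.100.3 port 41002 ssh2
Mar 16 21:01:30 srv sshd[4020]: Failed password for invalid user admin from 198.51.100.4 port 41003 ssh2
Mar 16 21:01:40 srv sshd[4021]: Failed password for invalid user admin from 198.51.100.5 port 41004 ssh2
"""
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(lines):
    """Yield (timestamp, user, ip) for each failed-password line; skip the rest."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["user"], m["ip"]

def throttle(lines, key="ip", max_failures=5, window_s=60, block_s=600):
    """Rule from the post: block a source after max_failures failures inside window_s
    seconds. key="user" counts per target account instead (catches distributed sources)."""
    recent = defaultdict(deque)   # key -> failure times still inside the window
    blocked_until = {}            # key -> expiry of its current block
    blocks = defaultdict(list)    # key -> times a block decision was made
    for ts, user, ip in parse_failures(lines):
        k = ip if key == "ip" else user
        if ts < blocked_until.get(k, datetime.min):
            continue              # still blocked; the firewall would drop this
        window = recent[k]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= max_failures:
            blocked_until[k] = ts + timedelta(seconds=block_s)
            blocks[k].append(ts)
            window.clear()
    return dict(blocks)
```

With the defaults only 203.0.113.5 is ever blocked; the five admin attempts from distinct addresses never trip the per-IP rule, but throttle(..., key="user") flags "admin" on the fifth one.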