Educause Security Discussion mailing list archives

Re: significant incoming SSH volume


From: Dexter Caldwell <Dexter.Caldwell () FURMAN EDU>
Date: Wed, 17 Mar 2010 11:39:45 -0400

Yes, we used to see similar things.  However, I configured our IPS to
block them.  Basically the first attempt gets through and afterwards no
more do.  So instead of seeing hundreds per day, I see the first attempt
and they don't get through.  I still block the attackers though.  This
does not affect normal ssh sessions from users.  Also, this obviously
only appears on servers where ssh is open in the first place.  Having
users use vpn as much as possible, and only using direct ssh where you
must is helpful.

Dexter Caldwell

Joel Rosenblatt <joel () columbia edu> writes:
Yes .. we saw 116 addresses doing brute force attacks last night (list
attached) .. last number is the count of tries.

For your amusement, I've also included the list of IDs that were tried.

We monitor all logs and look for a successful login from any address that
is attacking, that way we know what IDs to zap.

Other than that, we ignore them :-)

Thanks,
Joel Rosenblatt

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel


--On Tuesday, March 16, 2010 4:07 PM -0400 Justin Sipher
<jsipher () SKIDMORE EDU> wrote:

Hello all.  We have seen a drastic uptick in recent days for inbound
SSH connections to many of our servers.  These connections are attempting
to connect to our servers as ROOT and are coming from IP addresses
appearing to be mostly overseas.  They number in the thousands of
connections.  While we are confident in the strength of our passwords,
as you know with enough effort.......

My questions to this group are:

Is anyone else seeing this?

Are you doing anything to address this?  We are contemplating blocking
SSH inbound on our firewall and requiring any external SSH connection to
first connect to our VPN.  In some ways it seems excessive and maybe even
unsustainable.  On the other hand, protecting our servers is important as
you well know.

Any advice, feedback, or suggestion of best practice is welcome.

Best & thanks!
...Justin
________________________
  Justin Sipher
  Chief Technology Officer
  Skidmore College
  Saratoga Springs, NY
  jsipher () skidmore edu
  518-580-5909




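Joel's approach above (monitor the logs, treat any successful login from an address that is also brute-forcing as a sign of a compromised ID) and Dexter's (keep a block list of the attacking addresses) can both be driven from sshd's auth log. The script below is an added example and is not code from the original thread or from either institution: it runs over a few constructed sshd log lines using TEST-NET addresses, counts failed password attempts per source address, records which IDs each one tried (Joel's "list of IDs"), and flags any `Accepted` login from an address that crossed the failure threshold. The threshold value and the OpenSSH log format of that era are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd log lines (RFC 5737 TEST-NET addresses); not real data.
# 203.0.113.5 and 198.51.100.9 brute-force root and common IDs; 192.0.2.20 is an
# ordinary user who mistypes a password once, then logs in with a key.
SAMPLE_LOG = """\
Mar 16 03:12:01 web1 sshd[1234]: Failed password for root from 203.0.113.5 port 4422 ssh2
Mar 16 03:12:03 web1 sshd[1236]: Failed password for root from 203.0.113.5 port 4423 ssh2
Mar 16 03:12:05 web1 sshd[1238]: Failed password for invalid user admin from 203.0.113.5 port 4424 ssh2
Mar 16 03:12:07 web1 sshd[1240]: Failed password for invalid user oracle from 203.0.113.5 port 4425 ssh2
Mar 16 03:12:09 web1 sshd[1242]: Failed password for invalid user test from 203.0.113.5 port 4426 ssh2
Mar 16 03:20:00 web1 sshd[1260]: Failed password for root from 198.51.100.9 port 5100 ssh2
Mar 16 03:20:02 web1 sshd[1262]: Failed password for root from 198.51.100.9 port 5101 ssh2
Mar 16 03:20:04 web1 sshd[1264]: Failed password for invalid user guest from 198.51.100.9 port 5102 ssh2
Mar 16 03:45:10 web1 sshd[1300]: Accepted password for jsmith from 203.0.113.5 port 4500 ssh2
Mar 16 08:00:00 web1 sshd[1400]: Failed password for jsmith from 192.0.2.20 port 60000 ssh2
Mar 16 08:00:20 web1 sshd[1402]: Accepted publickey for jsmith from 192.0.2.20 port 60001 ssh2
"""

# OpenSSH logs "invalid user" for IDs that do not exist; the optional group
# absorbs that so the first capture is always the attempted user name.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port")


def analyze(log_text, threshold=3):
    """Return attacking addresses, the IDs they tried, and any login they got.

    threshold: number of failed attempts from one address before it is treated
    as an attacker (an assumed value; tune it to your own baseline).
    """
    failures = Counter()            # source address -> failed attempts
    tried_ids = defaultdict(set)    # source address -> IDs attempted
    accepted = []                   # (address, user, auth method) for every success

    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            tried_ids[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            accepted.append((ip, user, method))

    attackers = {ip for ip, n in failures.items() if n >= threshold}
    # Joel's check: a success from an attacking address means that ID needs zapping.
    suspect_logins = [entry for entry in accepted if entry[0] in attackers]

    return {
        "attackers": {ip: failures[ip] for ip in sorted(attackers)},   # Dexter's block list
        "tried_ids": {ip: sorted(tried_ids[ip]) for ip in sorted(attackers)},
        "suspect_logins": suspect_logins,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, count in report["attackers"].items():
        print(f"{ip}\t{count} tries\tIDs: {', '.join(report['tried_ids'][ip])}")
    for ip, user, method in report["suspect_logins"]:
        print(f"SUCCESSFUL LOGIN FROM ATTACKER: {user} via {method} from {ip}")
```

The one-failure address (192.0.2.20) stays off the block list because it never reaches the threshold, which is the property that keeps Dexter's "normal ssh sessions from users" unaffected; the `Accepted password` from 203.0.113.5 is the event Joel's team would act on.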