Re: significant incoming SSH volume

["Michael J. Wheeler" <mwheeler () PITTSTATE EDU>]

Don,

Thank you, fail2ban is what I was thinking of. We use it for some of our
public facing linux boxes.

--
Michael J. Wheeler
Assistant Director, Systems and Networking
Pittsburg State University
Phone:  620-235-4610
E-mail: mwheeler () pittstate edu

On 3/18/2010 1:04 PM, Miller, Don C. wrote:
> At the University of Idaho we do the same thing and Michael mentions
> although we are using fail2ban (a while ago we were using the tcp
> wrappers denyhosts app). Fail2ban uses iptables with the benefit of
> notifying admins via email. It can also use apache error logs.
>
> Don Miller
>
> University of Idaho
>
> *From:* The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Michael Horne
> *Sent:* Tuesday, March 16, 2010 1:24 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] significant incoming SSH volume
>
> All,
>
> We have a single SSH gateway for all inbound ssh traffic to the college.
> Single point of access and control for all inbound service.
>
> We also have deployed sshdfilter on the server as well and has worked
> great for us to date.
>
> Brute force attacks get routed to /dev/null after x amount of failed
> attempts configurable to your liking.
>
> A google search will bring up the source. It is a bit dated and requires
> updating when newer version of SSH are deployed but it mitigates a ton
> of headaches.
>
> Michael Horne
>
> Network Engineer
>
> Franklin W Olin College of Engineering
>
> Olin Way Needham MA 02492
>
> Phone 1-781-292-2438
>
> *From:* The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Justin Sipher
> *Sent:* Tuesday, March 16, 2010 4:07 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] significant incoming SSH volume
>
> Hello all. We have seen a drastic uptick in recent days for inbound SSH
> connections to many of our servers. These connection are attempting to
> connect to our servers as ROOT and are coming from IP addressed
> appearing to be mostly overseas. They number in the thousands of
> connections. While we are confident in the strength of our passwords, as
> you know with enough effort.......
>
> My questions to this group are:
>
>     * Is anyone else seeing this?
>
>     * Are you doing anything to address this? We are contemplating
>       blocking SSH inbound on our firewall and requiring any external
>       SSH connection to first connect to our VPN. In some ways it seems
>       excessive and maybe even unsustainable. On the other hand,
>       protecting our servers is important as you well know.
>
> Any advice, feedback, or suggestion of best practice is welcome.
>
> Best & thanks!
>
> ...Justin
>
> ________________________
> Justin Sipher
> Chief Technology Officer
> Skidmore College
> Saratoga Springs, NY
> jsipher () skidmore edu <mailto:jsipher () skidmore edu>
> 518-580-5909