Re: [Full-Disclosure] Counteroffensive help on bruteforce attacks on SSHD

Valdis.Kletnieks_at_vt.edu
Date: 10/29/04

    To: Andrew Poodle <andrewp@IRW.co.uk>
    Date: Fri, 29 Oct 2004 12:51:15 -0400

    On Fri, 29 Oct 2004 14:34:21 BST, Andrew Poodle said:
    > I'm seeing lots of ssh login attempts with user=root from two or three
    > IP addresses, after I blocked access at the firewall based on host.

    > Can anyone point me at some good resources where I can bone up and learn
    > more about counter-measures.... I'm not looking to take this guy out
    > (although wouldn't be a bad thing).. But would be interesting to find
    > out more.

    1) set your firewall up *beforehand* to deny all SSH connects except from
    hosts/networks that you need inbound SSH from. If you're never going to SSH
    in except from 3 specific machines and one dial-up net, just allow those 3
    machines and the /24 or whatever that the dial-up uses.

    2) In your sshd_config file, "PermitRootLogin no" and "PermitEmptyPasswords no"
    will help security a lot. If you're ambitious, you might consider forcing
    the use of RSA keys and "PasswordAuthentication no". Note that this *DOES*
    require that the hosts you're ssh'ing in from *also* be secure (because if an
    attacker gets the private key on that machine, they just got a login on
    your box too...)

    3) If you're ambitious, drop the network admin a "Please whack your user who
    has a compromised box" (almost *all* of the recent plague of SSH scans have been
    from ancient, unsecured, unpatched boxes). Offer void in Korea or anyplace else
    that doesn't have a net admin who gives a damn, YMMV, etc.. ;)

    4) That should stop the anklebiters. Deterrence measures for more determined
    attackers are a separate issue. ;)


    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
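The sshd_config checks in step 2 are easy to get wrong in practice: sshd keeps the first value it reads for a keyword and silently ignores later duplicates, and directives under a Match block (a feature of later OpenSSH releases) are not global. The following added example, not part of the original thread, audits a constructed sshd_config fragment against those directives while modelling both rules; the SAMPLE_CONFIG contents and the severity labels are assumptions.

```python
"""Audit sshd_config for the directives in step 2 above. sshd matches keywords
case-insensitively, keeps the FIRST value it sees for a keyword (later
duplicates are ignored), and scopes lines after 'Match' to that block only."""
import re

REQUIRED = {"permitrootlogin": "no", "permitemptypasswords": "no"}   # step 2
RECOMMENDED = {"passwordauthentication": "no"}                      # "ambitious"

def effective_settings(config_text):
    """Return {keyword: value} for global-scope directives, first wins."""
    settings, in_match = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            in_match = True          # everything below is conditional, not global
            continue
        if not in_match:
            settings.setdefault(key, value)   # keep the first occurrence only
    return settings

def audit(config_text):
    """Return [(keyword, severity, message)] for settings that fail the check."""
    s = effective_settings(config_text)
    findings = []
    for rules, sev in ((REQUIRED, "HIGH"), (RECOMMENDED, "MEDIUM")):
        for key, want in rules.items():
            got = s.get(key)
            if got is None:
                findings.append((key, sev, "unset; build default applies, verify with 'sshd -T'"))
            elif got.lower() != want:
                findings.append((key, sev, f"is '{got}', want '{want}'"))
    return findings

# Constructed sample: a late PermitRootLogin 'fix' sshd ignores, plus a
# PasswordAuthentication override that only applies inside a Match block.
SAMPLE_CONFIG = """PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for key, sev, msg in audit(SAMPLE_CONFIG):
        print(f"[{sev}] {key}: {msg}")
```

Running it against the sample reports PermitRootLogin still "yes" and PasswordAuthentication still "yes" at global scope, which is what a running sshd would actually enforce.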


