RE: Advice on dealing with scripted SSH attacks?



There's a nice package called "fail2ban" on SourceForge. It works with
the logs of various programs including ssh, apache, etc. and uses
iptables or hosts.deny to block IPs for a period after a specified
number of failures.

It's written in Python and is pretty easy to configure for other
firewalls and logs.

-Seren Thompson

-----Original Message-----
From: Zembower, Kevin [mailto:kzembowe@xxxxxxxxxx]
Sent: Tuesday, March 28, 2006 7:13 AM
To: secureshell@xxxxxxxxxxxxxxxxx
Subject: Advice on dealing with scripted SSH attacks?

What's the current advice on dealing with scripts that repeatedly try to
log onto SSH using a list of common usernames and 'password' for the
password? I get up to 4,000 of these a day from a single server. In
searching Google on this, I've learned of techniques using PAM and
firewall rules that are created dynamically in response to log-in
attempts.

Can someone point out a link or tell me what they think are the best
practices for dealing with this? Sooner or later, one of my users is
going to have the unfortunate combination of a common user name and a
bad password.

Ideally, what I'd like would be a system that exponentially increases
the timeout period after each repeated failed login attempt from the
same host up to a maximum of 10-20 minutes before resetting.

Thanks for your advice.

-Kevin Zembower
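As an added illustration of the mechanism both messages above describe (a log watcher that bans a source after N failures, with the exponential backoff up to a 20-minute cap that Kevin asks for), here is a small Python script. It is written for this page and is not fail2ban's code or anything posted in the thread; the sample auth.log lines are constructed, the regex assumes the classic OpenSSH "Failed password for ... from <ip>" syslog format, the year 2006 is assumed because syslog lines carry none, and the threshold, window and ban lengths are arbitrary knobs. It only returns the iptables command it would run rather than executing it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines (classic syslog format); not real traffic.
SAMPLE_LOG = """\
Mar 28 07:10:01 gw sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 40211 ssh2
Mar 28 07:10:03 gw sshd[1203]: Failed password for invalid user test from 192.0.2.10 port 40212 ssh2
Mar 28 07:10:05 gw sshd[1205]: Failed password for root from 192.0.2.10 port 40213 ssh2
Mar 28 07:10:09 gw sshd[1207]: Failed password for invalid user guest from 192.0.2.10 port 40214 ssh2
Mar 28 07:11:00 gw sshd[1210]: Accepted publickey for kevin from 198.51.100.7 port 51000 ssh2
Mar 28 07:12:30 gw sshd[1212]: Failed password for invalid user oracle from 203.0.113.5 port 33000 ssh2
Mar 28 07:20:01 gw sshd[1220]: Failed password for invalid user admin from 192.0.2.10 port 40301 ssh2
Mar 28 07:20:02 gw sshd[1221]: Failed password for invalid user test from 192.0.2.10 port 40302 ssh2
Mar 28 07:20:04 gw sshd[1222]: Failed password for root from 192.0.2.10 port 40303 ssh2
"""

# Assumed OpenSSH failure line layout; other sshd builds may word it differently.
FAILED_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+(?:\.\d+){3}) port \d+"
)

MAX_RETRY = 3                       # failures inside FIND_WINDOW that trigger a ban
FIND_WINDOW = timedelta(minutes=10)
BASE_BAN = timedelta(minutes=1)     # first ban length; doubles on each repeat offence
MAX_BAN = timedelta(minutes=20)     # cap, as asked for in the original question
LOG_YEAR = 2006                     # syslog lines carry no year; assumed here


def ban_for(offence):
    """Exponential backoff: 1, 2, 4, 8, 16 minutes ... capped at MAX_BAN."""
    return min(BASE_BAN * (2 ** (offence - 1)), MAX_BAN)


def parse_line(line):
    """Return (timestamp, source_ip) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return ts, m["ip"]


def find_bans(log_text):
    """Return {ip: [(ban_start, ban_length), ...]} in the order bans were issued."""
    failures = defaultdict(list)       # ip -> timestamps of recent failures
    offences = defaultdict(int)        # ip -> number of bans issued so far
    banned_until = {}                  # ip -> when the current ban expires
    bans = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                   # successful logins and other noise are ignored
        ts, ip = parsed
        if ip in banned_until and ts < banned_until[ip]:
            continue                   # already blocked at the firewall
        recent = [t for t in failures[ip] if ts - t <= FIND_WINDOW] + [ts]
        failures[ip] = recent
        if len(recent) >= MAX_RETRY:
            offences[ip] += 1
            length = ban_for(offences[ip])
            bans[ip].append((ts, length))
            banned_until[ip] = ts + length
            failures[ip] = []          # count afresh once the ban lifts
    return dict(bans)


def iptables_rule(ip, insert=True):
    """The firewall command a watcher would run to start (-I) or end (-D) a ban."""
    action = "-I" if insert else "-D"
    return f"iptables {action} INPUT -s {ip} -p tcp --dport 22 -j DROP"


if __name__ == "__main__":
    for ip, entries in find_bans(SAMPLE_LOG).items():
        for start, length in entries:
            minutes = int(length.total_seconds() // 60)
            print(f"{start:%H:%M:%S} ban {ip} for {minutes} min: {iptables_rule(ip)}")
```

On the sample input the first burst from 192.0.2.10 earns a one-minute ban at 07:10:05 (the fourth failure arrives while it is blocked and is ignored), the second burst at 07:20 earns a two-minute ban, and 203.0.113.5 with a single failure is never banned. A real deployment would tail the log continuously and remove the rule when `banned_until` passes, which is what fail2ban does for you.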
