Re: SSH bruteforce on its way...

From: Paul Robertson (compuwar_at_gmail.com)
Date: 10/20/05

    Date: Thu, 20 Oct 2005 10:23:47 -0400
    To: Volker Tanger <vtlists@wyae.de>

    On 10/19/05, Volker Tanger <vtlists@wyae.de> wrote:
    > Greetings!

    Hi,

    I've been casually watching the changes in SSH worms and brute force
    attempts over the last couple of years, and these are my additions:

    >
    > My recommendations to discourage/prevent this SSH bruteforcing:
    >
    > 1.) Use key authentication and disable plain password logins. This
    > way password bruteforcing itself is practically impossible.
    >
    > 2.) Running SSH on a port NOT tcp/22 - okay, that's just obfuscation,
    > but false connects/scans dropped from some attacking hosts an
    > hour to zero.
    >
    > 3.) Another possibility to prevent (or at least: seriously delay)
    > bruteforcing to be done successfully is to inhibit multiple
    > connects within a given timeframe. See
    > http://www.debian-administration.org/articles/187
    >
    > 4.) And of course: monitoring! Especially for illegal user logins or
    > unsuccessful passwords.

    5.) Set the server to only allow SSHv2 connections. A lot of early
    and simple tools and worms fail if they can't get a v1 negotiation.
    (Protocol 2 in the config file.)

    6.) Use AllowUsers to limit which accounts can use SSH.

    7.) Use AllowHosts to limit which systems can SSH if possible.

    8.) Set PermitRootLogin to no. You want per-user audit anyway.

    > On the other side: has anyone been infected and/or had the chance to
    > inspect the rootkit and/or the aims the people running the botnet try
    > to achieve?

    I haven't been infected, and the times I've been promised copies, they
    haven't come through. I expect though it's DDoS and spam relay
    related. I've also never heard back from any reports I've made for
    servers which were spewing this stuff at my sshd.

    Paul

    --
    www.compuwar.net
    
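As an added example, not code from this thread: a small Python audit that checks an sshd_config for the settings the thread recommends (key-only authentication, SSHv2 only, PermitRootLogin no, AllowUsers set, a port other than 22). It assumes OpenSSH's sshd_config syntax and its first-match rule for repeated keywords; both sample configs are constructed.

```python
import re

# sshd_config keyword -> acceptable values (thread items 1, 5, 8); keywords are
# case-insensitive and, when one repeats, sshd keeps the first value it sees.
RECOMMENDED = {
    "protocol": {"2"},                 # item 5: SSHv2 only
    "permitrootlogin": {"no"},         # item 8: no direct root login
    "passwordauthentication": {"no"},  # item 1: key authentication only
}

def parse_sshd_config(text):
    """Map lower-cased keyword -> first value; directives under Match are skipped."""
    settings, in_match = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = re.match(r"^([A-Za-z0-9]+)\s*=?\s*(.+)$", line)  # "Key val" or "Key=val"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True  # everything after applies only to matching sessions
        elif not in_match:
            settings.setdefault(key, value)
    return settings

def audit(text):
    """Return sorted (keyword, problem) findings; an empty list means all checks pass."""
    cfg, findings = parse_sshd_config(text), []
    for key, ok in RECOMMENDED.items():
        if key not in cfg:  # absent: a version-dependent default applies, so be explicit
            findings.append((key, "not set, relying on the default"))
        elif cfg[key].lower() not in ok:
            findings.append((key, "is '%s', want %s" % (cfg[key], "/".join(sorted(ok)))))
    if "allowusers" not in cfg:  # item 6
        findings.append(("allowusers", "not set, every account may log in over SSH"))
    if cfg.get("port", "22") == "22":  # item 2: obfuscation only, but cuts scanner noise
        findings.append(("port", "listening on tcp/22"))
    return sorted(findings)

# Constructed sample: the kind of config that leaves password brute forcing open.
WEAK = """Port 22
Protocol 2,1
PermitRootLogin yes
#PasswordAuthentication no
Match Address 10.0.0.0/8
    PasswordAuthentication no
"""
# Constructed sample applying the thread's recommendations.
HARDENED = "Port 2222\nProtocol 2\nPermitRootLogin no\nPasswordAuthentication no\nAllowUsers alice bob\n"
```

Run `audit(open("/etc/ssh/sshd_config").read())` on a real host to list what still needs changing.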
