Re: SSH bruteforce on its way...
From: Paul Robertson (compuwar_at_gmail.com)
Date: Thu, 20 Oct 2005 10:23:47 -0400
To: Volker Tanger <firstname.lastname@example.org>
On 10/19/05, Volker Tanger <email@example.com> wrote:
I've been casually watching the changes in SSH worms and brute force
attempts over the last couple of years, and these are my additions:
> My recommendations to discourage/prevent this SSH bruteforcing:
> 1.) Use key authentication and disable plain password logins. This
> way password bruteforcing itself is practically impossible.
> 2.) Running SSH on a port NOT tcp/22 - okay, that's just obfuscation,
> but false connects/scans dropped from some attacking hosts an
> hour to zero.
> 3.) Another possibility to prevent (or at least: seriously delay)
> bruteforcing to be done successfully is to inhibit multiple
> connects within a given timeframe. See
> 4.) And of course: monitoring! Especially for illegal user logins or
> unsuccessful passwords.
5.) Set the server to only allow SSHv2 connections. A lot of early
and simple tools and worms fail if they can't get a v1 negotiation.
(Protocol 2 in the config file.)
6.) Use AllowUsers to limit which accounts can use SSH.
7.) Use AllowHosts to limit which systems can SSH if possible.
8.) Set PermitRootLogin to no. You want per-user audit anyway.
> On the other side: has anyone been infected and/or had the chance to
> inspect the rootkit and/or the aims the people running the botnet try
> to achieve?
I haven't been infected, and the times I've been promised copies, they
haven't come through. I expect though it's DDoS and spam relay
related. I've also never heard back from any reports I've made for
servers which were spewing this stuff at my sshd.
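An added example (my own, not code from this thread): a small Python checker that parses an sshd_config and reports which of the hardening items listed above (1, 2, 5, 6 and 8) are not in place. The directive names are the ones named in the thread; the defaults it assumes for missing directives are those of OpenSSH releases of the time, and Match blocks are treated as out of scope.

```python
"""Audit an sshd_config against the SSH brute-force hardening list."""
import re

# Constructed sample config. Note the second PasswordAuthentication line:
# sshd honours the FIRST value it reads for a keyword, so the "no" is ignored.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
Protocol 2,1
PasswordAuthentication yes
PermitRootLogin yes
# the next line has no effect, the earlier "yes" wins
PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Return {keyword: first value}. Keywords are case-insensitive, blank and
    '#' lines are skipped, and a 'Match' line ends the global section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # conditional blocks are out of scope for this checker
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def audit(settings):
    """Return findings keyed by the thread's item numbers; [] means all set.
    Assumed defaults (OpenSSH of that era): password auth on, root login
    allowed, Protocol 2,1."""
    findings = []
    if settings.get("passwordauthentication", "yes") != "no":
        findings.append("1: PasswordAuthentication is not 'no' (keys only)")
    if settings.get("port", "22") == "22":
        findings.append("2: sshd still listens on tcp/22")
    if "1" in settings.get("protocol", "2,1").split(","):
        findings.append("5: SSHv1 still negotiable, set 'Protocol 2'")
    if "allowusers" not in settings:
        findings.append("6: no AllowUsers restriction")
    if settings.get("permitrootlogin", "yes") != "no":
        findings.append("8: PermitRootLogin is not 'no'")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_sshd_config(SAMPLE_CONFIG)):
        print(finding)
```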