Re: Dictionary sshd attacks

From: Chris Cox (ccox_nopenotthis_at_airmail.net)
Date: 07/17/05


Date: Sat, 16 Jul 2005 22:16:13 -0500

Wayne wrote:
> Is it possible to have sshd or some other daemon recognize
> a dictionary attack in progress, and to "shun" that IP for
> (say) an hour? The mechanics seem simple to me: A log file
> reader spots the pattern in real time and issues an iptables
> command to DROP port 22 packets from the identified IP address,
> sends a syslog message, and creates an "at" job to remove the
> iptables rule after some period of time. A more sophisticated
> tool could continue to monitor the logs for the attack and only
> reactivate the port X minutes after the attack ends.
>
> I know I've read of such tools someplace before, but I can't
> remember any details.

Why not shut things down for a while after so many failed
attempts from the IP? I would think that would be sufficient.

>
> Some of my servers have been under attack for many months now.
> Sometimes twice a day, hundreds to thousands of ssh connections
> are attempted using a dictionary of common usernames.

Make sure you protect your SSH to allow only keyed access, or
at least minimize the number of valid users.

>
> I have been saving the logs but no pattern has emerged yet
> from the IP addresses. Of course they don't get in (yet),
> but I'd like a more automatic way to respond to such attacks.
>
> Lessons learned:
>
> Have account naming policies that forbid usernames that commonly
> appear in dictionary attacks.
>
> Make sure *all* system accounts are disabled, and where possible
> have invalid shells (such as /bin/false or /sbin/nologin).
>
> Never allow sshd (or other) root logins.
>
> Configure the PAM "su" policy to only allow a few select users to
> succeed with the su command. (The members of group "wheel".) Other
> users who attempt "su" will fail even if they know the password.

These are all good ideas.
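A minimal version of the log reader Wayne describes, as an added example that is not part of the original thread: it counts sshd password failures per source IP over a sliding window on constructed sample log lines and returns the three shun actions (iptables DROP rule, syslog note, at(1) job that removes the rule) as command strings rather than executing them. The threshold, window, year and the `sshshun` logger tag are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines (not from the thread): a dictionary run from 198.51.100.7, one key login, one stray failure.
SAMPLE_LOG = """\
Jul 16 22:01:01 host sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Jul 16 22:01:03 host sshd[1002]: Failed password for invalid user test from 198.51.100.7 port 40002 ssh2
Jul 16 22:01:04 host sshd[1003]: Accepted publickey for wayne from 203.0.113.5 port 50000 ssh2
Jul 16 22:01:05 host sshd[1004]: Failed password for root from 198.51.100.7 port 40003 ssh2
Jul 16 22:01:06 host sshd[1005]: Failed password for invalid user oracle from 198.51.100.7 port 40004 ssh2
Jul 16 22:01:07 host sshd[1006]: Failed password for invalid user guest from 198.51.100.7 port 40005 ssh2
Jul 16 22:40:00 host sshd[1007]: Failed password for invalid user admin from 192.0.2.9 port 41000 ssh2
"""
# Matches the OpenSSH "Failed password" line for both real and invalid users.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_ts(ts, year=2005):
    # Classic syslog stamps carry no year; assume one (2005, the thread's date).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_attackers(lines, threshold=5, window_seconds=600):
    """Return {ip: time the threshold was crossed} for IPs with >= threshold failures in any window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    shunned = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m or m.group("ip") in shunned:
            continue
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures older than the window
        if len(q) >= threshold:
            shunned[ip] = t
    return shunned

def shun_commands(ip, minutes=60):
    # The three actions the post describes, as shell strings: DROP rule, syslog note, at(1) job removing the rule.
    rule = f"INPUT -s {ip} -p tcp --dport 22 -j DROP"
    return [
        f"iptables -I {rule}",
        f"logger -t sshshun 'shunning {ip} on port 22 for {minutes} minutes'",
        f"echo 'iptables -D {rule}' | at now + {minutes} minutes",
    ]
```

Feeding it the live log (`tail -F /var/log/auth.log`) and running the returned commands is the piece left to the reader; the sliding window is what keeps a single stray failure from ever tripping the rule.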
