Re: Dictionary sshd attacks
From: Chris Cox (ccox_nopenotthis_at_airmail.net)
Date: 07/17/05
- Next message: Alexander Clouter: "Re: Iptables - attack - please help"
- Previous message: Brownout: "Re: Too many socket connections"
- In reply to: Wayne: "Dictionary sshd attacks"
- Next in thread: Tobias Klausmann: "Re: Dictionary sshd attacks"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 16 Jul 2005 22:16:13 -0500
Wayne wrote:
> Is it possible to have sshd or some other daemon recognize
> a dictionary attack in progress, and to "shun" that IP for
> (say) an hour? The mechanics seem simple to me: A log file
> reader spots the pattern in real time and issues an iptables
> command to DROP port 22 packets from the identified IP address,
> sends a syslog message, and creates an "at" job to remove the
> iptables rule after some period of time. A more sophisticated
> tool could continue to monitor the logs for the attack and only
> reactivate the port after X minutes after the attack ends.
>
> I know I've read of such tools someplace before, but I can't
> remember any details.
Why not shut things down for a while after so many failed
attempts from the IP? I would think that would be sufficient.
>
> Some of my servers have been under attack for many months now.
> Sometimes twice a day, hundreds to thousands of ssh connections
> are attempted using a dictionary of common usernames.
Make sure you protect your SSH to allow only key'd access, or
at least minimize the number of valid users.
>
> I have been saving the logs but no pattern has emerged yet
> from the IP addresses. Of course they don't get in (yet),
> but I'd like a more automatic way to respond to such attacks.
>
> Lessons learned:
>
> Have account naming policies that forbid usernames that commonly
> appear in dictionary attacks.
>
> Make sure *all* system accounts are disabled, and where possible
> have invalid shells (such as /bin/false or /sbin/nologin).
>
> Never allow sshd (or other) root logins.
>
> Configure the PAM "su" policy to only allow a few select users to
> succeed with the su command. (The members of group "wheel".) Other
> users who attempt "su" will fail even if they know the password.
These are all good ideas.
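The loop Wayne sketches above (a log reader spots the pattern in real time, issues an iptables DROP for port 22 from that address, logs a syslog message, and queues an "at" job to remove the rule later) as an added Python example; it is not code from either poster. The thresholds, the syslog sample lines, the hostname and the year assumed when parsing year-less syslog timestamps are all constructed. It only builds the iptables/logger/at command strings and prints them, so it can be read and run offline; wiring it to `tail -f /var/log/auth.log` and actually executing the commands is left to the reader.

```python
"""Prototype of the shun loop from the thread: count sshd password failures per
source IP in a sliding window, and when the count passes a threshold produce
the iptables DROP, the syslog message and the at(1) job that undoes the block."""
import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5        # this many failures from one IP ...
WINDOW_SECONDS = 60  # ... within this many seconds triggers a block (assumed values)
BLOCK_MINUTES = 60   # the post's "(say) an hour"
LOG_YEAR = 2005      # syslog lines carry no year; assumed here only so they parse

# Matches the classic OpenSSH "Failed password" line.  Only the dotted-quad IP
# is ever interpolated into a shell command; the username is attacker-chosen
# and is deliberately kept out of anything passed to a shell.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log lines (not from the original post).
SAMPLE_LOG = [
    "Jul 16 22:10:01 host sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2",
    "Jul 16 22:10:03 host sshd[4102]: Failed password for invalid user test from 203.0.113.5 port 40002 ssh2",
    "Jul 16 22:10:04 host sshd[4103]: Accepted publickey for wayne from 192.0.2.10 port 50111 ssh2",
    "Jul 16 22:10:05 host sshd[4104]: Failed password for invalid user oracle from 203.0.113.5 port 40003 ssh2",
    "Jul 16 22:10:07 host sshd[4105]: Failed password for root from 203.0.113.5 port 40004 ssh2",
    "Jul 16 22:10:09 host sshd[4106]: Failed password for invalid user guest from 198.51.100.7 port 41000 ssh2",
    "Jul 16 22:10:10 host sshd[4107]: Failed password for invalid user mysql from 203.0.113.5 port 40005 ssh2",
    "Jul 16 22:10:12 host sshd[4108]: Failed password for invalid user ftp from 203.0.113.5 port 40006 ssh2",
]


def parse_failure(line):
    """Return (epoch_seconds, user, ip) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts.timestamp(), m["user"], m["ip"]


class Shunner:
    def __init__(self, threshold=THRESHOLD, window=WINDOW_SECONDS, block_minutes=BLOCK_MINUTES):
        self.threshold = threshold
        self.window = window
        self.block_minutes = block_minutes
        self.recent = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked = {}                 # ip -> time the block was issued

    def block_commands(self, ip):
        """The three actions from the post, as shell command strings."""
        tail = f"INPUT -s {ip} -p tcp --dport 22 -j DROP"
        return [
            f"iptables -I {tail}",
            f'logger -p auth.warning "sshd dictionary attack from {ip}: '
            f'dropping port 22 for {self.block_minutes} minutes"',
            f'echo "iptables -D {tail}" | at now + {self.block_minutes} minutes',
        ]

    def feed(self, line):
        """Process one log line; return (ip, commands) when a block is triggered."""
        parsed = parse_failure(line)
        if parsed is None:
            return None
        when, _user, ip = parsed
        if ip in self.blocked:          # already shunned; nothing more to do
            return None
        q = self.recent[ip]
        q.append(when)
        while q and when - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked[ip] = when
            return ip, self.block_commands(ip)
        return None


def run(lines, shunner=None):
    """Feed every line; return {ip: commands} for each IP that got shunned."""
    shunner = shunner or Shunner()
    actions = {}
    for line in lines:
        hit = shunner.feed(line)
        if hit:
            actions[hit[0]] = hit[1]
    return actions


if __name__ == "__main__":
    for ip, cmds in run(SAMPLE_LOG).items():   # dry run: print, don't execute
        print(f"# would shun {ip}:")
        for c in cmds:
            print("  " + c)
```

With the sample lines, 203.0.113.5 reaches five failures at 22:10:10 and gets the three commands; its sixth failure is ignored because the address is already marked blocked, and 198.51.100.7 never crosses the threshold. The window check is what separates a burst from a user who mistypes a password a few times an hour; the "wait X minutes after the attack ends" refinement in the post would replace the fixed at(1) delay with a timer reset on every new failure from the blocked address.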