Re: Dictionary sshd attacks

From: Chris Cox (ccox_nopenotthis_at_airmail.net)
Date: 07/17/05


Date: Sat, 16 Jul 2005 22:16:13 -0500

Wayne wrote:
> Is it possible to have sshd or some other daemon recognize
> a dictionary attack in progress, and to "shun" that IP for
> (say) an hour? The machanics seem simple to me: A log file
> reader spots the pattern in real time and issues an iptables
> command to DROP port 22 packets from the identified IP address,
> sends a syslog message, and creates an "at" job to remove the
> iptabes rule after some period of time. A more sophisticated
> tool could continue to monitor the logs for the attack and only
> reactivate the port after X minutes after the attack ends.
>
> I know I've read of such tools someplace before, but I can't
> remember any details.

Why not shut things down for a while after so many failed
attempts from the IP? I would think that would be sufficient.

>
> Some of my servers have been under attack for many months now.
> Sometimes twice a day, hundreds to thousands of ssh connections
> are attempted using a dictionary of common usernames.

Make sure you protect your SSH to allow only key'd access, or
at least minimize the number of valid users.

>
> I have been saving the logs but no pattern has emerged yet
> from the IP addresses. Of course they don't get in (yet),
> but I'd like a more automatic way to respond to such attacks.
>
> Lessons learned:
>
> Have account naming policies that forbid usernames that commonly
> appear in dictionary attacks.
>
> Make sure *all* system accounts are disabled, and where possible
> have invalid shells (such as /bin/false or /sbin/nologin).
>
> Never allow sshd (or other) root logins.
>
> Configure the PAM "su" policy to only allow a few select users to
> succeed with the su command. (The members of group "wheel".) Other
> users who attempt "su" will fail even if they know the password.

These are all good ideas.