Re: Dictionary sshd attacks
From: James T (turajb_at__NOSPAM_hoflink.com)
Date: 07/17/05
- Next message: Proteus: "open ports question (nmap scan)"
- Previous message: Brian Hall: "Re: Dictionary sshd attacks"
- In reply to: Wayne: "Dictionary sshd attacks"
- Next in thread: Nikolai Försterling: "Re: Dictionary sshd attacks"
- Reply: Nikolai Försterling: "Re: Dictionary sshd attacks"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 17 Jul 2005 14:19:59 -0400
On Sat, 16 Jul 2005 20:38:04 +0000, Wayne wrote:
> Is it possible to have sshd or some other daemon recognize
> a dictionary attack in progress, and to "shun" that IP for
> (say) an hour? The mechanics seem simple to me: A log file
> reader spots the pattern in real time and issues an iptables
> command to DROP port 22 packets from the identified IP address,
> sends a syslog message, and creates an "at" job to remove the
> iptables rule after some period of time. A more sophisticated
> tool could continue to monitor the logs for the attack and only
> reactivate the port after X minutes after the attack ends.
>
> I know I've read of such tools someplace before, but I can't
> remember any details.
>
> Some of my servers have been under attack for many months now.
> Sometimes twice a day, hundreds to thousands of ssh connections
> are attempted using a dictionary of common usernames.
>
> I have been saving the logs but no pattern has emerged yet
> from the IP addresses. Of course they don't get in (yet),
> but I'd like a more automatic way to respond to such attacks.
>
> Lessons learned:
>
> Have account naming policies that forbid usernames that commonly
> appear in dictionary attacks.
>
> Make sure *all* system accounts are disabled, and where possible
> have invalid shells (such as /bin/false or /sbin/nologin).
>
> Never allow sshd (or other) root logins.
>
> Configure the PAM "su" policy to only allow a few select users to
> succeed with the su command. (The members of group "wheel".) Other
> users who attempt "su" will fail even if they know the password.
>
> -Wayne
I have elected to take a different approach.
1 - in the SSH config file, I restrict login ability to specific grouped
users, specific usernames or specific IP/subnets (this depends upon the
type of system I'm protecting and who uses it)
2 - I have a perl script cronned to run once a minute which tails the SSH
log and looks for login failures. If a certain number of failures are
seen on a specific IP address or against a specific username, it puts the
user's IP address(es) in the hosts.deny file (thus restricting their login
access). It also logs the blocking, and emails me info about the
offending IP address or username being used - so I can review further if I
want to.
3 - If I should want to unblock the blocked IPs on a specific box, I have
another script which can be cronned to auto-unblock IPs after X time or
can be used manually to unblock a specific IP/subnet.
With this home grown solution in place, I never have to worry about those
types of ssh attacks. I mostly address unblock requests manually.
With the number of users on my servers, it is not much work at all. I can
also customize the solution as situations change.
I hope this helps give you an alternate solution to your issue.
James
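The failure-counting and hosts.deny logic James describes, as an added example written here in Python rather than his Perl script (this is not code from the thread). The log lines are constructed, and the thresholds, the per-username rule and the output format are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of OpenSSH syslog lines (not from the thread): one
# address hammering several names, and one name tried from several addresses.
SAMPLE_LOG = """\
Jul 17 14:01:02 host sshd[2001]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Jul 17 14:01:05 host sshd[2002]: Failed password for invalid user test from 198.51.100.7 port 40002 ssh2
Jul 17 14:01:09 host sshd[2003]: Failed password for root from 198.51.100.7 port 40003 ssh2
Jul 17 14:01:12 host sshd[2004]: Failed password for james from 203.0.113.9 port 50001 ssh2
Jul 17 14:01:20 host sshd[2005]: Accepted publickey for james from 203.0.113.9 port 50002 ssh2
Jul 17 14:02:01 host sshd[2006]: Failed password for invalid user oracle from 192.0.2.44 port 6001 ssh2
Jul 17 14:02:03 host sshd[2007]: Failed password for invalid user oracle from 192.0.2.45 port 6002 ssh2
Jul 17 14:02:05 host sshd[2008]: Failed password for invalid user oracle from 192.0.2.46 port 6003 ssh2
"""

FAIL_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def find_offenders(log_text, ip_threshold=3, user_threshold=3):
    """Return {ip: reason} for addresses over the per-IP failure threshold,
    plus every address that took part in hammering one username."""
    per_ip, per_user, user_ips = Counter(), Counter(), defaultdict(set)
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        per_ip[m["ip"]] += 1
        per_user[m["user"]] += 1
        user_ips[m["user"]].add(m["ip"])
    offenders = {}
    for ip, n in per_ip.items():
        if n >= ip_threshold:
            offenders[ip] = f"{n} failures from this address"
    for user, n in per_user.items():
        if n >= user_threshold:
            for ip in user_ips[user]:
                offenders.setdefault(ip, f"{n} failures against user {user!r}")
    return offenders

def hosts_deny_lines(offenders):
    """Entries in hosts.deny syntax: tcp_wrappers matches 'sshd: <ip>'."""
    return [f"sshd: {ip}" for ip in sorted(offenders)]

def unblock(deny_text, ip):
    """Drop one address from hosts.deny text (the manual unblock of step 3)."""
    return "\n".join(l for l in deny_text.splitlines() if l.strip() != f"sshd: {ip}")
```

hosts.deny only takes effect for an sshd built with tcp_wrappers (libwrap) support, so check that before relying on it; the reason strings are what the cron job would log and mail, as in step 2.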