Re: OpenSSH - Dictionary Attacks

From: Darren Tucker (dtucker_at_gate.dodgy.net.au)
Date: 05/29/05


Date: 29 May 2005 01:13:31 GMT

On 2005-05-28, Johhny <exter_c@hotmail.com> wrote:
> I am currently looking for a good / reliable solution that I could use
> to implement a way in which we could drop connections that are
> attempting to dictionary attack the servers ssh daemon.
>
> We often have customers that have several thousand entries in their log
> files where people have tried known usernames and a common list of
> passwords. Because we have a fairly secure (complex) password procedure
> in place they don't generally break in. However the customers getting on
> our case about it is annoying.
>
> Does anyone know of a solution that would facilitate something like that?

There's no built-in mechanism in sshd to do this, however there are a
few options:

* Use a log watcher and add offending source addresses to either a
firewall rule or, if sshd was built with tcpwrappers, hosts.deny.
I have had a report that dropping the connection early as tcpwrappers
does will cause some of the automated tools to give up.

* If you have built sshd to use PAM, one option is to use pam_abl to
blacklist source IP addresses after N bad login attempts:
        http://www.hexten.net/sw/pam_abl/index.mhtml

* You could write your own mechanism in C and compile it in. There's a
hook in auth.c (grep for CUSTOM_FAILED_LOGIN) that is called for each
bad login. (If you need the socket address rather than the DNS name/text
IP then you can do getpeername(packet_get_connection_in(), ...).)

If you do any of these things, you run a decent chance of locking
yourself out at some point, so you may wish to check that you have
adequate out-of-band access before starting :-)

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
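The log-watcher option from the first bullet above, as an added example that is not part of the original post or of OpenSSH itself: a small Python watcher that counts "Failed password" lines per source address inside a sliding time window and emits either hosts.deny entries (for an sshd built with tcpwrappers) or the equivalent iptables rules. The log lines are constructed in the shape sshd writes them to syslog (not taken from a real host); the threshold, the window length and the allow-listed management address are assumptions you would set for your own site, and the allow-list is the guard against the lock-out the post warns about.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of sshd syslog lines in the shape OpenSSH emits them
# (not captured from any real host). Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
May 28 23:01:02 gw sshd[4101]: Invalid user admin from 203.0.113.7
May 28 23:01:02 gw sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
May 28 23:01:05 gw sshd[4103]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
May 28 23:01:09 gw sshd[4105]: Failed password for root from 203.0.113.7 port 51251 ssh2
May 28 23:01:12 gw sshd[4107]: Failed password for invalid user oracle from 203.0.113.7 port 51260 ssh2
May 28 23:01:15 gw sshd[4109]: Failed password for invalid user guest from 203.0.113.7 port 51266 ssh2
May 28 23:02:40 gw sshd[4120]: Failed password for alice from 198.51.100.9 port 40011 ssh2
May 28 23:02:48 gw sshd[4122]: Accepted publickey for alice from 198.51.100.9 port 40012 ssh2
May 28 23:10:00 gw sshd[4130]: Failed password for root from 192.0.2.44 port 33001 ssh2
May 29 01:10:00 gw sshd[4140]: Failed password for root from 192.0.2.44 port 33002 ssh2
May 29 01:10:05 gw sshd[4141]: Failed password for root from 192.0.2.44 port 33003 ssh2
May 29 01:10:09 gw sshd[4142]: Failed password for root from 192.0.2.44 port 33004 ssh2
May 29 01:10:14 gw sshd[4143]: Failed password for root from 192.0.2.44 port 33005 ssh2
"""

# Matches both "Failed password for USER from IP" and
# "Failed password for invalid user USER from IP".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Hypothetical out-of-band management host that must never be blocked.
NEVER_BLOCK = frozenset({"198.51.100.200"})


def parse_failures(lines):
    """Yield (timestamp, ip, user) for every 'Failed password' line.
    Syslog timestamps carry no year, so strptime fills in 1900; that is
    fine for relative windows as long as the log does not span a year boundary."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("ip"), m.group("user")


def offenders(lines, threshold=5, window=timedelta(minutes=10),
              never_block=NEVER_BLOCK):
    """Return {ip: failures} for sources that reached `threshold` failed
    logins inside any sliding window of length `window`. Addresses in
    `never_block` are skipped so the watcher cannot lock out the admin."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    hits = {}
    for ts, ip, _user in parse_failures(lines):
        if ip in never_block:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            hits[ip] = max(hits.get(ip, 0), len(q))
    return hits


def hosts_deny_lines(ips):
    """tcpwrappers /etc/hosts.deny entries for an sshd linked with libwrap."""
    return ["sshd: %s" % ip for ip in sorted(ips)]


def iptables_commands(ips, port=22):
    """Equivalent netfilter rules: drop TCP connections to sshd from each source."""
    return ["iptables -I INPUT -s %s -p tcp --dport %d -j DROP" % (ip, port)
            for ip in sorted(ips)]


if __name__ == "__main__":
    bad = offenders(SAMPLE_LOG.splitlines())
    for line in hosts_deny_lines(bad) + iptables_commands(bad):
        print(line)
```

With the defaults, only 203.0.113.7 is reported: 192.0.2.44 also has five failures, but the first one lies two hours before the other four, so no ten-minute window ever holds more than four of them. Lowering the threshold to four (or widening the window) picks it up, which is the knob you tune against the attack rate your customers actually see.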