Re: OpenSSH - Dictionary Attacks
From: Darren Tucker (dtucker_at_gate.dodgy.net.au)
Date: 29 May 2005 01:13:31 GMT
On 2005-05-28, Johhny <email@example.com> wrote:
> I am currently looking for a good / reliable solution that I could use
> to implement a way in which we could drop connections that are
> attempting to dictionary attack the servers ssh daemon.
> We often have customers that have several thousand entries in their log
> files where people have tried known usernames and a common list of
> passwords. Because we have a fairly secure (complex) password procedure
> in place they don't generally break in. However, the customers getting on
> our case about it is annoying.
> Does anyone know of a solution that would facilitate something like that?
There's no built-in mechanism in sshd to do this, however there are a
* Use a log watcher and add offending source addresses to either a
firewall rule or, if sshd was built with tcpwrappers, hosts.deny.
I have had a report that dropping the connection early as tcpwrappers
does will cause some of the automated tools to give up.
* If you have built sshd to use PAM, one option is to use pam_abl to
blacklist source IP addresses after N bad login attempts:
* You could write your own mechanism in C and compile it in. There's a
hook in auth.c (grep for CUSTOM_FAILED_LOGIN) that is called for each
bad login. (If you need the socket address rather than the DNS name/text
IP then you can do getpeername(packet_get_connection_in(), ...).)
If you do any of these things, you run a decent chance of locking
yourself out at some point, so you may wish to check that you have
adequate out-of-band access before starting :-)
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
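The first option above (a log watcher that feeds source addresses into hosts.deny or a firewall rule) is easy to sketch. The following is an added example and is not code from the post or from OpenSSH itself; it assumes the usual syslog-style "Failed password for ... from ... port ..." lines sshd writes, a constructed sample log, and an arbitrary threshold of 5 failures within a 10-minute sliding window. It only produces the block list; applying it to a real hosts.deny or firewall is left to the operator, which is also where Darren's out-of-band-access caveat applies.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Pattern for the failed-password line sshd emits through syslog. The
# "invalid user" prefix appears when the username does not exist locally.
# (Format assumed from typical OpenSSH logs; adjust if yours differs.)
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failed_login(line):
    """Return (timestamp, ip, user) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    # syslog stamps carry no year; strptime defaults to 1900, which is fine
    # for comparing lines within one log file (assumption: same year).
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("ip"), m.group("user")


def find_offenders(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: peak_count} for sources reaching `threshold` failures
    inside any `window`. Lines are assumed to be in chronological order."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    offenders = {}
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue              # accepted logins, disconnects, other daemons
        ts, ip, _user = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


def hosts_deny_lines(offenders):
    """tcpwrappers form: one 'sshd: <ip>' line per blocked source."""
    return [f"sshd: {ip}" for ip in sorted(offenders)]


def firewall_commands(offenders):
    """One possible firewall form (iptables, assumed sshd on port 22)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"
            for ip in sorted(offenders)]


# Constructed sample log (documentation-range addresses, not real hosts):
# 203.0.113.5 fails five times in 40 seconds, 198.51.100.7 twice,
# 192.0.2.9 five times but 12 minutes apart, plus one successful login.
SAMPLE_LOG = [
    "May 28 10:15:01 host sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "May 28 10:15:09 host sshd[4103]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2",
    "May 28 10:15:18 host sshd[4105]: Failed password for root from 203.0.113.5 port 51251 ssh2",
    "May 28 10:15:22 host sshd[4107]: Accepted publickey for alice from 198.51.100.20 port 40022 ssh2",
    "May 28 10:15:27 host sshd[4109]: Failed password for root from 198.51.100.7 port 33001 ssh2",
    "May 28 10:15:30 host sshd[4111]: Failed password for invalid user oracle from 203.0.113.5 port 51263 ssh2",
    "May 28 10:15:40 host sshd[4113]: Failed password for root from 203.0.113.5 port 51270 ssh2",
    "May 28 10:16:02 host sshd[4115]: Failed password for root from 198.51.100.7 port 33010 ssh2",
    "May 28 11:00:00 host sshd[4201]: Failed password for root from 192.0.2.9 port 42000 ssh2",
    "May 28 11:12:00 host sshd[4203]: Failed password for root from 192.0.2.9 port 42001 ssh2",
    "May 28 11:24:00 host sshd[4205]: Failed password for root from 192.0.2.9 port 42002 ssh2",
    "May 28 11:36:00 host sshd[4207]: Failed password for root from 192.0.2.9 port 42003 ssh2",
    "May 28 11:48:00 host sshd[4209]: Failed password for root from 192.0.2.9 port 42004 ssh2",
]

if __name__ == "__main__":
    found = find_offenders(SAMPLE_LOG)
    print("hosts.deny additions:")
    print("\n".join(hosts_deny_lines(found)))
    print("firewall commands:")
    print("\n".join(firewall_commands(found)))
```

On the sample, only 203.0.113.5 crosses the threshold; 198.51.100.7 never reaches it and 192.0.2.9 shows why the sliding window matters, since its five failures are spread too thinly to count as one burst. In a real deployment the script would tail the auth log instead of reading a list, and the threshold and window should be tuned against the customer's own traffic before anything is written to hosts.deny.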