Re: OpenSSH - Dictionary Attacks

From: Darren Tucker (dtucker_at_gate.dodgy.net.au)
Date: 05/29/05


Date: 29 May 2005 01:13:31 GMT

On 2005-05-28, Johhny <exter_c@hotmail.com> wrote:
> I am currently looking for a good / reliable solution that I could use
> to implement a way in which we could drop connections that are
> attempting to dictionary attack the servers ssh daemon.
>
> We often have customers that have several thousand entries in their log
> files where people have tried known usernames and a common list of
> passwords. Because we have a fairly secure (complex) password procedure
> in place they don't generally break in. However the customers getting on
> our case about it is annoying.
>
> Does anyone know of a solution that would facilitate something like that?

There's no built-in mechanism in sshd to do this, however there are a
few options:

* Use a log watcher and add offending source addresses to either a
firewall rule or, if sshd was built with tcpwrappers, hosts.deny.
I have had a report that dropping the connection early as tcpwrappers
does will cause some of the automated tools to give up.

* If you have built sshd to use PAM, one option is to use pam_abl to
blacklist source IP addresses after N bad login attempts:
        http://www.hexten.net/sw/pam_abl/index.mhtml

* You could write your own mechanism in C and compile it in. There's a
hook in auth.c (grep for CUSTOM_FAILED_LOGIN) that is called for each
bad login. (If you need the socket address rather than the DNS name/text
IP then you can do getpeername(packet_get_connection_in(), ...).)

If you do any of these things, you run a decent chance of locking
yourself out at some point, so you may wish to check that you have
adequate out-of-band access before starting :-)

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
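The first option above (a log watcher feeding hosts.deny) sketched as an added example; this is not code from the thread or from OpenSSH. It assumes syslog-style "Failed password for ... from IP port N ssh2" lines as written by OpenSSH, a sshd built with tcpwrappers that honours /etc/hosts.deny, and a threshold of three failures per source address. The allow-list argument exists for exactly the lock-out problem mentioned at the end of the post: addresses you reach the box from out-of-band are never added to the deny list. The sample log lines are constructed.

```python
"""Minimal sshd log watcher: count failed password attempts per source
address and emit tcpwrappers hosts.deny entries once a threshold is hit.

Added example (not from the thread). Assumes OpenSSH's syslog line format
and a tcpwrappers-aware sshd; the log lines below are constructed.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# OpenSSH logs both "Failed password for USER from IP port N ssh2" and
# "Failed password for invalid user USER from IP port N ssh2".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_failures(lines):
    """Return a Counter mapping source IP -> number of failed attempts."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(counts, threshold, allow_nets=()):
    """Return the sorted list of IPs with at least `threshold` failures,
    skipping any address inside an allowed network (your out-of-band or
    management ranges, so the watcher cannot lock you out)."""
    nets = [ip_network(n) for n in allow_nets]
    result = []
    for ip, n in counts.items():
        if n < threshold:
            continue
        addr = ip_address(ip)
        if any(addr in net for net in nets):
            continue
        result.append(ip)
    return sorted(result)


def hosts_deny_lines(ips):
    """Format one hosts.deny entry per address for the sshd daemon."""
    return [f"sshd: {ip}" for ip in ips]


# Constructed sample: three failures from 192.0.2.10, four from an
# allow-listed management host, one from 203.0.113.5, and one success.
SAMPLE_LOG = [
    "May 29 01:02:03 host sshd[1234]: Failed password for root from 192.0.2.10 port 4001 ssh2",
    "May 29 01:02:05 host sshd[1235]: Failed password for invalid user admin from 192.0.2.10 port 4002 ssh2",
    "May 29 01:02:07 host sshd[1236]: Failed password for root from 192.0.2.10 port 4003 ssh2",
    "May 29 01:03:00 host sshd[1240]: Failed password for ops from 198.51.100.7 port 5000 ssh2",
    "May 29 01:03:01 host sshd[1241]: Failed password for ops from 198.51.100.7 port 5001 ssh2",
    "May 29 01:03:02 host sshd[1242]: Failed password for ops from 198.51.100.7 port 5002 ssh2",
    "May 29 01:03:03 host sshd[1243]: Failed password for ops from 198.51.100.7 port 5003 ssh2",
    "May 29 01:04:00 host sshd[1250]: Failed password for invalid user test from 203.0.113.5 port 6000 ssh2",
    "May 29 01:04:30 host sshd[1251]: Accepted publickey for ops from 198.51.100.7 port 5004 ssh2",
]

if __name__ == "__main__":
    counts = parse_failures(SAMPLE_LOG)
    for entry in hosts_deny_lines(offenders(counts, 3, ["198.51.100.0/24"])):
        print(entry)
```

Run against a real log the same way you would tail it (for example, feed the script the lines from `/var/log/auth.log` or `/var/log/secure`), and append the printed entries to /etc/hosts.deny. Counts here are cumulative; a production watcher would also age entries out, since dial-up and NAT addresses get reused.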

