Nice Slashdot article of interest

From: David (shadoweyez_at_hotpop.com)
Date: 07/17/05


Date: Sun, 17 Jul 2005 00:35:33 GMT

I just saw this article on Slashdot:
http://www.whitedust.net/article/27/Recent%20SSH%20Brute-Force%20Attacks/
I believe there was a posting on this list regarding this issue a few times.

I have an ssh box and I have noticed these attempts in my logs.
Sometimes, you can port scan the IPs of the attacking hosts to see what
type of OS (usually linux in my experience) and services they are
running, and reporting abuses is a good way to maybe stop at least a few
of the script_kiddies.

My bet is that there are a few people out there looking for ssh boxes to
make mischief on or put their "stuff" on and are using programs like
sshscan and hydra to find and target all of our servers. Three things
would stop this kind of attack, and they have nothing to do with
changing ports.
        1. Deny root login - this should be standard practice anyway.
        2. Use non-standard user names. Names like admin, apache, and sql
are all standard and are common user name targets. Consider the
AllowUser name1,name2,name3... line in the sshd_config file to _only_
allow specific user names in.
        3. Use strong passwords; I'm sure anyone reading this knows
what a strong password is. Strong passwords are almost _never_ in
the dictionaries.

If these are followed, there is practically no chance anyone would break
into your server. The machine would turn to dust before they could try
every combination of 8 digit user name and 10 digit alpha-numeric password!
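The three recommendations above, turned into a small audit, as an added example that is not part of the original post or of OpenSSH itself. It parses the global (non-Match) directives of an sshd_config, checks PermitRootLogin and the allow-list (the directive is spelled AllowUsers and takes a space-separated list), flags allow-listed names that are the common brute-force targets the post names, and, as a stricter complement to "strong passwords", checks whether password authentication is disabled outright. A second function summarises "Failed password" lines from auth.log by source IP and tried user name, which is the view you want when deciding whom to report. The sample config text, the log lines and the IP addresses are constructed for the example.

```python
"""Audit sshd_config against the three points in the post and summarise
failed-password log lines per source. Added example; sample data below is
constructed. Match blocks are ignored: only global settings are audited."""
import re
from collections import Counter, defaultdict

# User names the post singles out as common brute-force targets, plus root.
COMMON_TARGET_NAMES = {"root", "admin", "apache", "sql", "test", "guest"}

# Constructed sample configs: the weak one has the problems the post describes.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
AllowUsers dave admin@192.0.2.5
PasswordAuthentication yes
"""
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
AllowUsers dave m_khan
PasswordAuthentication no
"""

# Constructed auth.log lines in the 2005-era syslog format sshd uses.
SAMPLE_LOG = [
    "Jul 17 00:35:33 shell sshd[4021]: Failed password for invalid user admin from 192.0.2.10 port 42211 ssh2",
    "Jul 17 00:35:35 shell sshd[4023]: Failed password for invalid user apache from 192.0.2.10 port 42215 ssh2",
    "Jul 17 00:35:38 shell sshd[4025]: Failed password for root from 192.0.2.10 port 42219 ssh2",
    "Jul 17 00:36:02 shell sshd[4030]: Failed password for invalid user sql from 198.51.100.7 port 51002 ssh2",
    "Jul 17 00:36:10 shell sshd[4031]: Accepted publickey for dave from 203.0.113.4 port 50022 ssh2",
]


def parse_sshd_config(text):
    """Return {keyword_lower: [args]} for non-comment lines. Keywords are
    case-insensitive and, as in sshd, the first occurrence of a keyword wins."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directives.setdefault(parts[0].lower(), parts[1:])
    return directives


def audit_sshd_config(text):
    """Return a list of (check, ok, detail) tuples for the post's three points."""
    d = parse_sshd_config(text)
    findings = []

    # 1. Deny root login. The default on the OpenSSH builds of the time was
    #    'yes', so an absent directive is treated as a failed check.
    root = d.get("permitrootlogin", ["<unset>"])[0].lower()
    findings.append(("PermitRootLogin no", root == "no", root))

    # 2. Only explicitly listed names may log in, and none of them should be
    #    a name every scanner tries. Entries may be user@host; compare the user part.
    allowed = d.get("allowusers", [])
    findings.append(("AllowUsers set", bool(allowed), " ".join(allowed) or "<unset>"))
    common = sorted({u.split("@")[0] for u in allowed
                     if u.split("@")[0].lower() in COMMON_TARGET_NAMES})
    findings.append(("no common-target names in AllowUsers", not common, " ".join(common) or "-"))

    # 3. Password strength cannot be read from the config, but turning password
    #    authentication off removes dictionary guessing altogether.
    pwauth = d.get("passwordauthentication", ["yes"])[0].lower()
    findings.append(("PasswordAuthentication no (keys only)", pwauth == "no", pwauth))
    return findings


FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")


def failed_logins(log_lines):
    """Count failed-password attempts per source IP and per tried user name."""
    by_ip = Counter()
    users_by_ip = defaultdict(Counter)
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m:
            by_ip[m["ip"]] += 1
            users_by_ip[m["ip"]][m["user"]] += 1
    return by_ip, users_by_ip


def brute_force_sources(log_lines, threshold=3):
    """Source IPs with at least `threshold` failures, busiest first."""
    by_ip, _ = failed_logins(log_lines)
    return [ip for ip, n in by_ip.most_common() if n >= threshold]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} config ==")
        for check, ok, detail in audit_sshd_config(cfg):
            print(f"  [{'ok' if ok else 'FAIL'}] {check}: {detail}")
    by_ip, users_by_ip = failed_logins(SAMPLE_LOG)
    for ip in brute_force_sources(SAMPLE_LOG):
        print(f"{ip}: {by_ip[ip]} failures, names tried: {dict(users_by_ip[ip])}")
```

Run it against your own file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())` and against a real `auth.log` with `failed_logins(open(path))`; the per-source user-name list is what makes the default-name point visible in your own data rather than in the article.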
