Re: ssh dictionary attacks



Sheldon T. Hall - DO NOT MAIL wrote:
On Tue, 15 Aug 2006 06:53:56 -0700, Captain Dondo
<yan@xxxxxxxxxxxxxxxx> wrote:

This is something that comes up once in a while... I've been subject to
them as well.

I've come across a couple of projects that build a 'tarpit' for attackers
- the first one is for SMTP and the second one is more generic.

I've often wondered if one couldn't use this to at least slow down a
dictionary attack on ssh. It wouldn't do much good for a distributed
attack, but it might for an attack coming from a few hosts.

Any thoughts? Comments? This is sort of a curiosity question for me; I
don't know enough to really make a solid judgement if this would be useful.

http://www.iks-jena.de/mitarb/lutz/usenet/teergrube.en.html
http://labrea.sourceforge.net/labrea-info.html

The easiest way to secure your server's SSH port is to just firewall
it completely from the 'net, and have a portknocking arrangement that
selectively opens the SSH port to the IP address that correctly
knocked on the secret port.

Of course, you'd still want all the usual SSH security stuff, too:
restrict the access list to particular users, disallow direct root
logins, require keys, etc.

-Shel


How do you get the ssh client to "knock first before entering"?
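
The port-knocking arrangement described in the quoted message above, modelled as an added example that is not part of the thread: a per-IP gate keeps port 22 closed until the source has knocked correctly, then opens it for that source for a short time. The knock ports, timings and sample packets are constructed assumptions, and the model generalizes the single secret port to an ordered sequence.

```python
import ipaddress
from dataclasses import dataclass, field

SSH_PORT = 22
KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed secret ports; a 1-tuple is the single-port case
KNOCK_WINDOW = 10    # assumed: seconds allowed to finish the sequence
OPEN_SECONDS = 30    # assumed: how long port 22 stays open for the knocker

@dataclass
class KnockGate:
    progress: dict = field(default_factory=dict)  # ip -> (next index, first knock time)
    allowed: dict = field(default_factory=dict)   # ip -> time the opening expires

    def packet(self, ts, src, dport):
        """Decide ACCEPT/DROP for one inbound connection attempt."""
        src = str(ipaddress.ip_address(src))      # raises ValueError on a malformed address
        if dport == SSH_PORT:
            return "ACCEPT" if self.allowed.get(src, 0) > ts else "DROP"
        idx, start = self.progress.get(src, (0, ts))
        if ts - start > KNOCK_WINDOW or dport != KNOCK_SEQUENCE[idx]:
            idx, start = 0, ts                    # stale or wrong knock: start over
        if dport == KNOCK_SEQUENCE[idx]:
            idx += 1
        if idx == len(KNOCK_SEQUENCE):
            self.allowed[src] = ts + OPEN_SECONDS  # open SSH for this source only
            self.progress.pop(src, None)
        elif idx:
            self.progress[src] = (idx, start)
        else:
            self.progress.pop(src, None)          # keep no state for random scanners
        return "DROP"                             # knock ports themselves never answer

EVENTS = [  # constructed sample traffic: (time, source IP, destination port)
    (0, "203.0.113.50", 22),    # dictionary attacker finds SSH closed
    (1, "198.51.100.7", 7000),
    (2, "198.51.100.7", 8000),
    (3, "198.51.100.7", 9000),  # sequence complete for this source
    (4, "198.51.100.7", 22),    # the knocker gets in
    (5, "203.0.113.50", 22),    # the opening is per-IP, attacker still dropped
    (6, "203.0.113.50", 7000),
    (7, "203.0.113.50", 9000),  # wrong order resets progress
    (8, "203.0.113.50", 22),
    (40, "198.51.100.7", 22),   # opening expired, knock again
]

def replay(events):
    gate = KnockGate()
    return [gate.packet(*e) for e in events]
```

On the client side, the knock is simply a connection attempt to each port in order before the ssh client connects.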