JP Vossen on 27 Jul 2007 22:20:44 -0000



Re: [PLUG] ssh brute force attacks & real time offending IP lists


Date: Tue, 24 Jul 2007 14:29:24 -0400
From: "Mark Baker" <mark.baker@hxti.com>
Subject: [PLUG] ssh brute force attacks & real time offending IP lists

I am in the middle of writing a script that takes the ip addresses that
are trying to brute force access to my servers, as detected by the
sshdfilter script, and ‘shuns’ them on my Cisco firewall. I was
contemplating appending the ip addresses to an html page in real time
and was wondering if anyone else would be interested in the data?


I would also be interested in receiving data from other users of PLUG on
who is attacking their networks so that I can proactively block them
from mine before they have a chance to cause trouble.  What do you guys
think about this?  Is it worth the trouble or would it cause problems
that I am not seeing? I suppose if someone maliciously posted AOL proxy
ip or another like that it would cause problems.

I'm surprised that no one has mentioned DShield, particularly the "Highly Predictive Blacklist" (http://www.dshield.org/hpbinfo.html), the combination of which is essentially what you just described.


Very briefly, you dump your firewall's denied external traffic logs to DShield and they trend it, providing all kinds of interesting data. You may anonymize your data, but if you do so you are unable to use their automated Fightback system, which complains to the attacker's ISP.

HPB goes a step further and provides you with a customized blacklist that you use to block ports, again much as you describe.

DShield and SANS have some very cool evil traffic stats and other information, they are worth a look when you have some time to absorb it.


~~~~~~~ From: "Bill Hance" <bill@billhance.com>

> If you have proper passwords, that won't be guessed in a million years,
> why worry?  Let the kiddies play with their scripts...    :-)

Using good passwords or better yet SSH keys is a Good Idea, but it doesn't help when there is a bug or exploit in SSH itself, which has happened (only once I believe, but...). Yes, this is unlikely, but I am occupationally paranoid. Port knocking, mentioned elsewhere, is one way to mitigate this. Using a non-standard port is another. Both methods have pros and cons. I use non-standard ports because I'm lazy and it's easy, and I don't have to look at a zillion log messages caused by the kiddies. I don't even have to change my SSHD, I just arrange the firewall to port-forward some_high_port_that_isn't_22 on the outside to port 22 on the SSH server.

Using either solution, you may have problems if your client location has strict firewall egress rules. (I'm amazed that in this day and age more places do *not* have them.) That is, your non-standard port, and/or port knocking ports may be blocked at the (e.g., corporate) firewall.

Later,
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|        jp{at}jpsdomain{dot}org
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
Microsoft has single-handedly nullified Moore's Law.
Innate design flaws of Windows make a personal firewall, anti-virus
and anti-malware software mandatory. The resulting software arms race
has effectively flattened Moore's Law on hardware running Windows.
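As an added illustration of the kind of script Mark describes (not code from the thread, sshdfilter, or DShield): it counts OpenSSH "Failed password" events per source address in a constructed auth.log sample, applies a threshold, skips an assumed allowlist so a shared proxy range is never shunned (the concern Mark raises), and renders the result as Cisco PIX/ASA `shun` commands for review rather than applying them.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of OpenSSH auth.log lines (not taken from the thread).
SAMPLE_LOG = """\
Jul 24 14:01:02 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 41020 ssh2
Jul 24 14:01:05 host sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 41031 ssh2
Jul 24 14:01:09 host sshd[2105]: Failed password for root from 203.0.113.7 port 41044 ssh2
Jul 24 14:01:15 host sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 41050 ssh2
Jul 24 14:02:00 host sshd[2110]: Failed password for mark from 198.51.100.20 port 50112 ssh2
Jul 24 14:02:04 host sshd[2112]: Accepted publickey for mark from 198.51.100.20 port 50113 ssh2
Jul 24 14:03:10 host sshd[2120]: Failed password for invalid user guest from 192.0.2.33 port 3301 ssh2
Jul 24 14:03:12 host sshd[2122]: Failed password for invalid user guest from 192.0.2.33 port 3302 ssh2
Jul 24 14:03:14 host sshd[2124]: Failed password for invalid user guest from 192.0.2.33 port 3303 ssh2
"""

# Matches OpenSSH's failed password line, with or without "invalid user".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

# Assumed allowlist: ranges that must never be shunned, e.g. a large shared
# proxy whose users would all be cut off by one bad entry.
ALLOWLIST = [ip_network("192.0.2.0/24")]

def failed_logins_by_ip(log_text):
    """Count 'Failed password' events per source IP address."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)

def is_allowlisted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWLIST)

def shun_candidates(log_text, threshold=3):
    """Sorted IPs with at least `threshold` failures that are not allowlisted."""
    return sorted(ip for ip, n in failed_logins_by_ip(log_text).items()
                  if n >= threshold and not is_allowlisted(ip))

def shun_commands(ips):
    """Render PIX/ASA 'shun <ip>' lines as text to review before applying."""
    return [f"shun {ip}" for ip in ips]

if __name__ == "__main__":
    for cmd in shun_commands(shun_candidates(SAMPLE_LOG)):
        print(cmd)
```

In the sample, 203.0.113.7 crosses the threshold, 198.51.100.20 has a single failure followed by a successful key login, and 192.0.2.33 is excluded by the allowlist despite three failures.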
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug