John Von Essen on 9 Dec 2008 21:00:52 -0800
As long as you have strong password policies, you'll be fine. Here's a different take... If a lot of people start locking down SSH via firewall or other IP rules, the BOTS will move on to another machine. If you follow that logic, the brute force of the attack will get more brute for the remaining hosts that leave SSH wide open from an IP access standpoint, since the number of bots is unchanged while the number of likely targets decreases. But... if we all leave SSH open with strong passwords, the brute force bots will have a ton of hosts to waste their time on, and eventually brute force ssh will become boring and a waste of cpu time.

Ok, on a more realistic note. What about applying some anti-spam tactics? Since the IP information specific to one machine is useless, what if we could gather global brute force ssh IP info and put it into a shared public DNSBL. Sort of like Spamcop for ssh logins. That incoming IP can be checked against this database for a global hit count of failed ssh login attempts. People running ssh throughout the world would compile their ssh daemon to report failed login attempts (especially attempts for logins that don't exist) to this distributed public database.

It sounds like overkill, but in my opinion there is a chain of events that follows ssh brute force attacks. In my experience, a lot of the spam that gets through filters is that which originated from a server somewhere that got silently brute forced, and is now quietly delivering 500 or so spam emails a day. Make this new sshd feature default in all new linux releases, and in a year... poof.... ssh attacks will be a memory.

-John

On Tue, 9 Dec 2008, Brian Vagnoni wrote:

> ----- Original Message -----
> From: Alex Valentine
>> Problem solved.
>>
>> http://denyhosts.sourceforge.net/
> ----- Original Message -----
>
>> From the 2nd link.
>
> They are talking bot***NET*** level attacks. But still thanks.
>
> Tools like DenyHosts, BruteForceBlocker or fail2ban for preventing attacks on SSH servers usually count the number of failed log-in attempts from one IP address and enter addresses that exceed a given threshold on a blacklist (usually /etc/hosts.deny) or as a rule in the firewall. The system subsequently blocks any further log-in attempts from blacklisted remote IP addresses.
>
> The distributed method prevents the tools from flagging attackers after only a few log-in attempts. Depending on the scale of the distributed attack, several thousand attempts to log into an account can be made. The attacks are suspected to be carried out by botnets.
>
>
> --------------------------------------------------
> Brian Vagnoni
> PGP Digital Fingerprint
> F076 6EEE 06E5 BEEF EBBD BD36 F29E 850D FC32 3955
> --------------------------------------------------
> ___________________________________________________________________________
> Philadelphia Linux Users Group -- http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
> ___________________________________________________________________________
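The two ideas in this exchange, a local DenyHosts-style per-IP threshold and John's shared "Spamcop for ssh" lookup, can be shown side by side on a handful of sshd log lines. The script below is an added illustration, not code from the list post, from DenyHosts, fail2ban or any real DNSBL: the log lines are constructed, the `sshbl.example` zone and every function name are hypothetical, and no DNS query is actually sent. It parses failed-password lines, applies a per-IP threshold (the local tool), then aggregates by attacked account to show how a distributed attack with one or two attempts per source slips under that threshold but is still visible in the aggregate, and finally builds the reversed-octet lookup name a shared DNSBL-style list would use.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd syslog lines (hypothetical host and documentation-range IPs).
# One source hammers root; five sources each try the nonexistent user "oracle" once.
SAMPLE_LOG = """\
Dec  9 20:58:01 host sshd[4011]: Failed password for root from 203.0.113.10 port 40122 ssh2
Dec  9 20:58:03 host sshd[4011]: Failed password for root from 203.0.113.10 port 40122 ssh2
Dec  9 20:58:05 host sshd[4011]: Failed password for root from 203.0.113.10 port 40122 ssh2
Dec  9 20:58:07 host sshd[4011]: Failed password for root from 203.0.113.10 port 40122 ssh2
Dec  9 20:58:09 host sshd[4011]: Failed password for root from 203.0.113.10 port 40122 ssh2
Dec  9 20:58:11 host sshd[4011]: Failed password for root from 203.0.113.10 port 40122 ssh2
Dec  9 20:59:30 host sshd[4020]: Failed password for invalid user oracle from 198.51.100.7 port 51000 ssh2
Dec  9 20:59:31 host sshd[4021]: Failed password for invalid user oracle from 198.51.100.8 port 51001 ssh2
Dec  9 20:59:32 host sshd[4022]: Failed password for invalid user oracle from 198.51.100.9 port 51002 ssh2
Dec  9 20:59:33 host sshd[4023]: Failed password for invalid user oracle from 198.51.100.10 port 51003 ssh2
Dec  9 20:59:34 host sshd[4024]: Failed password for invalid user oracle from 198.51.100.11 port 51004 ssh2
Dec  9 21:00:00 host sshd[4030]: Accepted publickey for john from 192.0.2.5 port 2222 ssh2
"""

# Matches OpenSSH's "Failed password for [invalid user ]<name> from <ip> port <n>" lines.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def _ip_key(ip):
    """Sort key so that 198.51.100.7 orders before 198.51.100.10."""
    return tuple(int(o) for o in ip.split("."))


def parse_failures(log_text):
    """Return (ip, user, is_invalid_user) for every failed-password line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("user"), m.group("invalid") is not None))
    return events


def per_ip_blacklist(events, threshold=5):
    """Local DenyHosts/fail2ban-style rule: an IP is listed once it alone exceeds the threshold."""
    counts = Counter(ip for ip, _, _ in events)
    return sorted((ip for ip, n in counts.items() if n >= threshold), key=_ip_key)


def per_account_sources(events):
    """Aggregate view: the distinct source IPs seen failing against each account."""
    sources = defaultdict(set)
    for ip, user, _ in events:
        sources[user].add(ip)
    return {user: sorted(ips, key=_ip_key) for user, ips in sources.items()}


def distributed_suspects(events, min_sources=3):
    """IPs that stay under the per-IP threshold but join a many-source attack on one account."""
    suspects = set()
    for ips in per_account_sources(events).values():
        if len(ips) >= min_sources:
            suspects.update(ips)
    return sorted(suspects, key=_ip_key)


def hosts_deny_lines(ips):
    """Render a blacklist in the /etc/hosts.deny form the quoted article mentions."""
    return ["sshd: %s" % ip for ip in ips]


def dnsbl_query_name(ip, zone="sshbl.example"):
    """Reversed-octet lookup name under a (hypothetical) shared list zone, as Spamcop-style DNSBLs use."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("local per-IP blacklist:", hosts_deny_lines(per_ip_blacklist(ev)))
    print("accounts by source count:", {u: len(s) for u, s in per_account_sources(ev).items()})
    print("distributed-attack suspects:", distributed_suspects(ev))
    for ip in distributed_suspects(ev):
        print("would look up", dnsbl_query_name(ip))
```

On the constructed input the per-IP rule lists only 203.0.113.10; the five hosts probing the invalid "oracle" account each appear once and never trip it, which is exactly the gap the quoted article describes. Only the per-account aggregate (or, across many hosts, a shared list fed by everyone's failed attempts) surfaces them, and a lookup against such a list is just a DNS query for the reversed-octet name.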