John Von Essen on 9 Dec 2008 21:00:52 -0800


Re: [PLUG] Brute force SSH attack confounds defenders

As long as you have strong password policies, you'll be fine.

Here's a different take... If a lot of people start locking down SSH via 
firewall or other IP rules, the BOTS will move on to another machine. If 
you follow that logic, the brute force of the attack will get more brute 
for the remaining hosts that leave SSH wide open from an IP access 
standpoint, since the number of bots is unchanged while the number of 
likely targets decreases.

But... if we all leave SSH open with strong passwords, the brute force 
bots will have a ton of hosts to waste their time on, and eventually brute 
force ssh will become boring and a waste of cpu time.

Ok, on a more realistic note. What about applying some anti-spam tactics? 
Since the IP information specific to one machine is useless, what if we 
could gather global brute force ssh IP info and put it into a shared 
public DNSBL, sort of like Spamcop for ssh logins. The incoming IP can be 
checked against this database for a global hit count of failed ssh login 
attempts. People running ssh throughout the world would compile their ssh 
daemon to report failed login attempts (especially attempts for logins 
that don't exist) to this distributed public database.

It sounds like overkill, but in my opinion there is a chain of events that 
follows ssh brute force attacks. In my experience, a lot of the spam that 
gets through filters is that which originated from a server somewhere that 
got silently brute forced, and is now quietly delivering 500 or so spam 
emails a day.

Make this new sshd feature default in all new Linux releases, and in a 
year... poof.... ssh attacks will be a memory.


On Tue, 9 Dec 2008, Brian Vagnoni wrote:

> ----- Original Message -----
> From: Alex Valentine
>> Problem solved.
> ----- Original Message -----
>> From the 2nd link.
> They are talking bot***NET*** level attacks. But still thanks.
> Tools like DenyHosts, BruteForceBlocker or fail2ban for preventing attacks on SSH servers usually count the number of failed log-in attempts from one IP address and enter addresses that exceed a given threshold on a blacklist (usually /etc/hosts.deny) or as a rule in the firewall. The system subsequently blocks any further log-in attempts from blacklisted remote IP addresses.
> The distributed method prevents the tools from flagging attackers after only a few log-in attempts. Depending on the scale of the distributed attack, several thousand attempts to log into an account can be made. The attacks are suspected to be carried out by botnets.
> --------------------------------------------------
> Brian Vagnoni
> PGP Digital Fingerprint
> F076 6EEE 06E5 BEEF EBBD  BD36 F29E 850D FC32 3955
> --------------------------------------------------
> ___________________________________________________________________________
> Philadelphia Linux Users Group         --
> Announcements -
> General Discussion  --
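A sketch of the two halves of the scheme proposed above (the reporting side that tallies failed logins from sshd's log lines, and the DNSBL-style lookup a daemon would make before accepting a connection), added here as an example that is not part of the original post and not a real sshd patch; the zone name, the 127.0.H.L hit-count encoding, the log lines and the dict standing in for DNS are all constructed for illustration.

```python
import ipaddress
import re
# Hypothetical zone name for the shared list (assumption: no such list is named in the thread).
SSH_DNSBL_ZONE = "sshbl.example.invalid"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def tally_failed_logins(log_lines):
    """Reporter side: count failed sshd logins per source IP, and separately the
    attempts against accounts that do not exist (the signal the post singles out)."""
    tally = {}
    for line in log_lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        entry = tally.setdefault(m.group("ip"), {"failed": 0, "invalid_user": 0})
        entry["failed"] += 1
        if m.group("invalid"):
            entry["invalid_user"] += 1
    return tally

def dnsbl_query_name(ip, zone=SSH_DNSBL_ZONE):
    """Lookup side: the DNSBL convention (RFC 5782) reverses the octets under the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def decode_hit_count(answer):
    """Assumed encoding: a listed IP answers 127.0.H.L with count = H*256 + L;
    NXDOMAIN (answer None) means the IP is not listed at all."""
    if answer is None:
        return 0
    p = ipaddress.IPv4Address(answer).packed
    if p[0] != 127 or p[1] != 0:
        raise ValueError("unexpected DNSBL answer %s" % answer)
    return p[2] * 256 + p[3]

def should_block(ip, resolve, threshold=100):
    """Policy hook for the daemon: refuse only when the global count crosses the threshold."""
    return decode_hit_count(resolve(dnsbl_query_name(ip))) >= threshold

# Constructed sample input: fake auth.log lines and a dict standing in for the DNS zone.
SAMPLE_LOG = [
    "Dec  9 20:55:01 host sshd[4123]: Failed password for invalid user oracle from 198.51.100.7 port 50213 ssh2",
    "Dec  9 20:55:03 host sshd[4125]: Failed password for invalid user admin from 198.51.100.7 port 50219 ssh2",
    "Dec  9 20:56:10 host sshd[4130]: Failed password for john from 203.0.113.9 port 41002 ssh2",
]
FAKE_DNS = {dnsbl_query_name("198.51.100.7"): "127.0.4.210"}  # 4*256 + 210 = 1234 reports
fake_resolve = FAKE_DNS.get
```

A real deployment would replace fake_resolve with an actual A-record lookup and would need to decide how reports are authenticated, since anyone able to submit reports could otherwise get an arbitrary address listed.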