John Von Essen on 10 Dec 2008 08:57:05 -0800



Re: [PLUG] Brute force SSH attack confounds defenders


Well, hosting the distributed database of IPs is easy; the hard part
is getting all the Linux distros to recompile sshd to support it
and push it out into new releases.

I'm not a C/C++ developer, so I wouldn't know where to start with
rewriting my sshd to do a proof of concept.

-John


On Dec 10, 2008, at 12:06 AM, Glenn Kelley wrote:

> John
>
> I love that idea.
>
> I wonder is this something we could start and push for?
> Maybe even if it was just something that we did locally - it might  
> grow.
>
> Push it out to other locations - even maybe make a few packages for
> common firewall apps such as PFSense
> Simple XML might be nice
>
> I can host if you're interested - not sure how to go around making the
> beast however
> but I love the idea
>
> Glenn
>
>
> On Dec 10, 2008, at 12:00 AM, John Von Essen wrote:
>
>> As long as you have strong password policies, you'll be fine.
>>
>> Here's a different take... If a lot of people start locking down SSH
>> via firewall or other IP rules, the BOTS will move on to another
>> machine. If you follow that logic, the brute force of the attack will
>> get more brute for the remaining hosts that leave SSH wide open from
>> an IP access standpoint, since the number of bots is unchanged while
>> the number of likely targets decreases.
>>
>> But... if we all leave SSH open with strong passwords, the brute force
>> bots will have a ton of hosts to waste their time on, and eventually
>> brute force ssh will become boring and a waste of cpu time.
>>
>> Ok, on a more realistic note. What about applying some anti-spam
>> tactics. Since the IP information specific to one machine is useless,
>> what if we could gather global brute force ssh IP info and put it into
>> a shared public DNSBL. Sort of like Spamcop for ssh logins. That
>> incoming IP can be checked against this database for a global hit
>> count of failed ssh login attempts. People running ssh throughout the
>> world would compile their ssh daemon to report failed login attempts
>> (especially attempts for logins that don't exist) to this distributed
>> public database.
>>
>> It sounds like overkill, but in my opinion there is a chain of events
>> that follows ssh brute force attacks. In my experience, a lot of the
>> spam that gets through filters is that which originated from a server
>> somewhere that got silently brute forced, and is now quietly
>> delivering 500 or so spam emails a day.
>>
>> Make this new sshd feature default in all new linux releases, and in
>> a year... poof.... ssh attacks will be a memory.
>>
>> -John
>>
>> On Tue, 9 Dec 2008, Brian Vagnoni wrote:
>>
>>> ----- Original Message -----
>>> From: Alex Valentine
>>>> Problem solved.
>>>>
>>>> http://denyhosts.sourceforge.net/
>>> ----- Original Message -----
>>>
>>>> From the 2nd link.
>>>
>>> They are talking bot***NET*** level attacks. But still thanks.
>>>
>>> Tools like DenyHosts, BruteForceBlocker or fail2ban for preventing
>>> attacks on SSH servers usually count the number of failed log-in
>>> attempts from one IP address and enter addresses that exceed a
>>> given threshold on a blacklist (usually /etc/hosts.deny) or as a
>>> rule in the firewall. The system subsequently blocks any further
>>> log-in attempts from blacklisted remote IP addresses.
>>>
>>> The distributed method prevents the tools from flagging attackers
>>> after only a few log-in attempts. Depending on the scale of the
>>> distributed attack, several thousand attempts to log into an
>>> account can be made. The attacks are suspected to be carried out by
>>> botnets.
>>>
>>>
>>> --------------------------------------------------
>>> Brian Vagnoni
>>> PGP Digital Fingerprint
>>> F076 6EEE 06E5 BEEF EBBD  BD36 F29E 850D FC32 3955
>>> --------------------------------------------------

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
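The thread contrasts two ways of counting failed SSH logins: the per-source-IP threshold that DenyHosts/fail2ban apply (which a botnet defeats by spreading attempts over many addresses) and a global or per-account view fed by many hosts, looked up DNSBL-style. The following is an added example written for this archive page, not code from any of the posters, from DenyHosts or from fail2ban. It parses sshd "Failed password" lines, applies a per-IP threshold, then counts the same failures per target account, which the distributed pattern cannot hide from, and builds the reversed-octet lookup name a DNSBL query would use. The log lines are constructed, and the zone name `sshbl.example` is a hypothetical list, not a real service.

```python
"""Per-IP vs per-account counting of failed SSH logins, plus a DNSBL-style
lookup name. Added example; not from the list posts, DenyHosts or fail2ban."""
import re
from collections import Counter

# Matches the OpenSSH "Failed password" line; "invalid user " is present when
# the account does not exist on the host.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample auth.log lines (not real traffic): one noisy host that
# hammers the non-existent account "admin" five times, and six hosts that
# each try "root" only twice, the distributed pattern the thread describes.
SAMPLE_LOG = "\n".join(
    [f"Dec 10 00:00:{i:02d} host sshd[900]: Failed password for invalid user admin "
     f"from 198.51.100.7 port 4{i:04d} ssh2" for i in range(5)]
    + [f"Dec 10 00:01:{i:02d} host sshd[901]: Failed password for root "
       f"from 203.0.113.{10 + i // 2} port 5{i:04d} ssh2" for i in range(12)]
    + ["Dec 10 00:02:00 host sshd[902]: Accepted publickey for alice "
       "from 192.0.2.5 port 60000 ssh2"]
)


def parse_failures(log_text):
    """Return (ip, user, invalid_user) for every failed-password line."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            out.append((m["ip"], m["user"], m["invalid"] is not None))
    return out


def per_ip_blocklist(failures, threshold):
    """DenyHosts/fail2ban style: block an IP once it alone fails >= threshold
    times. Hosts that stay under the threshold are never blocked."""
    counts = Counter(ip for ip, _, _ in failures)
    return {ip for ip, n in counts.items() if n >= threshold}


def per_account_alert(failures, threshold):
    """Count failures per target account across all sources. A distributed
    attack (few attempts per IP, many IPs) still adds up here."""
    counts = Counter(user for _, user, _ in failures)
    return {user: n for user, n in counts.items() if n >= threshold}


def invalid_user_sources(failures):
    """IPs that tried accounts that do not exist on this host: the attempts
    John singles out as worth reporting to a shared list, since no
    legitimate user produces them."""
    return sorted({ip for ip, _, invalid in failures if invalid})


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name, reversed octets under the list zone
    (the convention Spamcop-style DNSBLs use). The zone is hypothetical."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + "." + zone.strip(".") + "."


if __name__ == "__main__":
    f = parse_failures(SAMPLE_LOG)
    print("per-IP blocks (threshold 3):   ", per_ip_blocklist(f, 3))
    print("per-account alerts (threshold 3):", per_account_alert(f, 3))
    print("report to shared list:         ", invalid_user_sources(f))
    print("lookup name:", dnsbl_query_name("203.0.113.10", "sshbl.example"))
```

With a threshold of 3, the per-IP rule blocks only 198.51.100.7; the six hosts trying "root" twice each are invisible to it, while the per-account count shows 12 failures against "root". That gap is exactly what a shared, cross-host count would close, and it is why the reporting signal chosen matters: "invalid user" failures are cheap to report and hard to trigger accidentally, whereas reporting every failed password would list users who mistype their own.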