Alex Valentine on 10 Dec 2008 09:04:23 -0800



Re: [PLUG] Brute force SSH attack confounds defenders


Denyhosts already does this.

http://stats.denyhosts.net/stats.html



> Well, hosting the distributed database of IPs is easy, the hard part
> is getting all the Linux distros to recompile sshd to support it,
> and push it out into new releases.
>
> I'm not a C/C++ developer, so I wouldn't know where to start with
> rewriting my sshd to do a proof of concept.
>
> -John
>
>
> On Dec 10, 2008, at 12:06 AM, Glenn Kelley wrote:
>
>> John
>>
>> I love that idea.
>>
>> I wonder if this is something we could start and push for?
>> Maybe even if it was just something that we did locally - it might
>> grow.
>>
>> Push it out to other locations - even maybe make a few packages for
>> common firewall apps such as PFSense
>> Simple XML might be nice
>>
>> I can host if you're interested - not sure how to go around making the
>> beast however
>> but I love the idea
>>
>> Glenn
>>
>>
>> On Dec 10, 2008, at 12:00 AM, John Von Essen wrote:
>>
>>> As long as you have strong password policies, you'll be fine.
>>>
>>> Here's a different take... If a lot of people start locking down SSH
>>> via firewall or other IP rules, the BOTS will move on to another
>>> machine. If you follow that logic, the brute force of the attack will
>>> get more brute for the remaining hosts that leave SSH wide open from
>>> an IP access standpoint since the number of bots is unchanged while
>>> the number of likely targets decreases.
>>>
>>> But... if we all leave SSH open with strong passwords, the brute
>>> force bots will have a ton of hosts to waste their time on, and
>>> eventually brute force ssh will become boring and a waste of cpu time.
>>>
>>> Ok, on a more realistic note. What about applying some anti-spam
>>> tactics. Since the IP information specific to one machine is useless,
>>> what if we could gather global brute force ssh IP info and put it into
>>> a shared public DNSBL. Sort of like Spamcop for ssh logins. That
>>> incoming IP can be checked against this database for a global hit
>>> count of failed ssh login attempts. People running ssh throughout the
>>> world would compile their ssh daemon to report failed login attempts
>>> (especially attempts for logins that don't exist) to this distributed
>>> public database.
>>>
>>> It sounds like overkill, but in my opinion there is a chain of events
>>> that follows ssh brute force attacks. In my experience, a lot of the
>>> spam that gets through filters is that which originated from a server
>>> somewhere that got silently brute forced, and is now quietly
>>> delivering 500 or so spam emails a day.
>>>
>>> Make this new sshd feature default in all new Linux releases, and in
>>> a year... poof.... ssh attacks will be a memory.
>>>
>>> -John
>>>
>>> On Tue, 9 Dec 2008, Brian Vagnoni wrote:
>>>
>>>> ----- Original Message -----
>>>> From: Alex Valentine
>>>>> Problem solved.
>>>>>
>>>>> http://denyhosts.sourceforge.net/
>>>> ----- Original Message -----
>>>>
>>>>> From the 2nd link.
>>>>
>>>> They are talking bot***NET*** level attacks. But still thanks.
>>>>
>>>> Tools like DenyHosts, BruteForceBlocker or fail2ban for preventing
>>>> attacks on SSH servers usually count the number of failed log-in
>>>> attempts from one IP address and enter addresses that exceed a
>>>> given threshold on a blacklist (usually /etc/hosts.deny) or as a
>>>> rule in the firewall. The system subsequently blocks any further
>>>> log-in attempts from blacklisted remote IP addresses.
>>>>
>>>> The distributed method prevents the tools from flagging attackers
>>>> after only a few log-in attempts. Depending on the scale of the
>>>> distributed attack, several thousand attempts to log into an
>>>> account can be made. The attacks are suspected to be carried out by
>>>> botnets.
>>>>
>>>>
>>>> --------------------------------------------------
>>>> Brian Vagnoni
>>>> PGP Digital Fingerprint
>>>> F076 6EEE 06E5 BEEF EBBD  BD36 F29E 850D FC32 3955
>>>> --------------------------------------------------
>


Alex Valentine
http://alexvalentine.org
asv@ivoss.com
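The thread contrasts per-IP counting (DenyHosts, fail2ban, BruteForceBlocker) with distributed attacks that keep each source under the threshold. The following is an added example, not code from the thread or from DenyHosts: it parses constructed sshd auth-log lines (RFC 5737 test addresses) and flags both kinds of activity, per-IP offenders and accounts hit from many distinct IPs.

```python
import re
from collections import defaultdict

# Constructed sample of sshd auth.log lines; addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
Dec 10 00:01:01 host sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Dec 10 00:01:05 host sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Dec 10 00:01:09 host sshd[2003]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Dec 10 00:02:11 host sshd[2004]: Failed password for root from 198.51.100.1 port 50001 ssh2
Dec 10 00:02:40 host sshd[2005]: Failed password for root from 198.51.100.2 port 50002 ssh2
Dec 10 00:03:15 host sshd[2006]: Failed password for root from 198.51.100.3 port 50003 ssh2
Dec 10 00:03:50 host sshd[2007]: Failed password for root from 198.51.100.4 port 50004 ssh2
Dec 10 00:04:02 host sshd[2008]: Accepted publickey for alice from 192.0.2.10 port 60001 ssh2
"""

# Matches OpenSSH "Failed password" lines, with or without "invalid user".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(text):
    """Yield (user, ip, is_invalid_user) for every failed-password line."""
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip"), m.group("invalid") is not None


def per_ip_offenders(text, threshold=3):
    """DenyHosts-style view: source IPs whose failure count reaches threshold."""
    counts = defaultdict(int)
    for _user, ip, _invalid in parse_failures(text):
        counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def distributed_targets(text, min_sources=3):
    """Accounts probed from at least min_sources distinct IPs; each IP may
    stay below the per-IP threshold, which is the evasion the thread describes."""
    sources = defaultdict(set)
    for user, ip, _invalid in parse_failures(text):
        sources[user].add(ip)
    return {u: sorted(ips) for u, ips in sources.items() if len(ips) >= min_sources}


if __name__ == "__main__":
    print("per-IP offenders:", per_ip_offenders(SAMPLE_LOG))
    print("distributed targets:", distributed_targets(SAMPLE_LOG))
```

In the sample, 203.0.113.5 trips the per-IP rule while the four single-attempt sources against root are only visible through the per-account view.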


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug