Contributed by grey on from the mind over brute force dept.
Juan J. Martinez's ssh-blocker script
Wolfgang S. Rupprecht's sshd configuration recommendations.
Ingo Schwarze offered up some patches he has made to sshd and pfctl here.
And lastly, Jose Nazario pointed out timelox from br1an (of Stephanie and metawire.org). From the README: "Timelox is code to be used in network services to help fight brute force attacks." Keeping it relevant to the discussions of ssh brute force attack defenses, br1an has included a patch specifically for sshd.
Naturally, none of these patches or recommendations are official, but our readers may find some of them useful.
(Comments are closed)
By James (67.167.226.90) on
Comments
By tedu (64.173.147.27) on
Comments
By siltech @ RAC (59.93.35.238) on
see the doc here
http://www.saturninfolabs.com/docs/sshd-logwatch.html
By almeida (66.31.180.15) on
Dec 31 12:45:59 headless sshd[7885]: Failed password for nobody from 83.17.209.58 port 3005 ssh2
...
Dec 31 12:51:13 headless sshd[24499]: Failed password for root from 83.17.209.58 port 1566 ssh2
This guy tried one password each for apache, cosmin, cyrus, horde, iceuser, jane, matt, mysql, nobody, operator, pamela, rolo, www, www-data, and wwwrun; two passwords each for adm, irc, and patrick; four passwords for test; and 21 passwords for root.
Comments
By Anonymous Coward (24.201.62.155) on
Comments
By almeida (66.31.180.15) on
Comments
By Anonymous Coward (81.26.253.124) on
By Janusz Gumkowski (158.75.1.33) on
> I doubt I'd get anywhere by complaining to the abuse department.
You may.
This IP belongs to the largest internet provider in Poland. Being constantly accused of monopolistic practices, they're currently paying greater and greater attention to criticizm and public relations.
After lots of bad press, they also started reacting properly to attacks that their customers are launching against other networks. Like in your case.
It's a DSL line, IP is given statically. Provided you are informative enough, they won't have problems tracking those kiddies down.
Greetings from Poland :)
By Joel (81.172.173.155) joel@acc.umu.se on
By almeida (66.31.180.15) on
There was also a discussion on comp.unix.bsd.openbsd.misc (search for "ssh hackers" if that link doesn't work). In addition to having sshd listen on different ports, the suggestions that came out of it were:
My suggestion was to modify the scripts Daniel Hartmeier uses to blacklist misbehaving crawlers.
Nicholas Marriott suggested using his program, Log file monitor. This one looks pretty cool.
And Daniel himself pointed to a new rate-limiting feature in -current. This would block hosts that exceed 10 connections per 60 seconds.
Comments
By almeida (66.31.180.15) on
By Tib (66.80.174.214) archerfish@gmail.com on
By Anonymous Coward (85.72.60.14) on
By Chris Laverdure (69.156.179.171) on
I have a table called /etc/pf-enemies, and in it are IPs and ranges of people that I want barred from my server. I was thinking about writing a program that analized authlog, and if it saw a remote root attempt it automatically put the IP in that table and refreshed the PF config.
Comments
By jakari (216.24.217.3) on
My half-assed attempt at doing something about it:
http://www.bithose.com/jakari/blog/index.cgi/2004/12/30#obsd_autoblacklist
Not entirely novel but it was pretty easy to do.
Probably would have been easier to just move ssh to a different port. ;)
By WK (66.24.0.248) on
I've been using logsurfer, and in addition to providing warnings for unusual activities, I use it to block hosts that attempt the following more than a few times within a certain time limit:
- root SSH logins
- SSH logins for invalid users
- failed SSH password attempts
It's an easy setup. When logsurfer detects these actions, it runs a script that adds the IP (via sudo) to a pf table, and it logs the addition. (The IP is actually added to to a file that is then loaded to the pf table.)
Since I set this up, activity in my authlog has dropped off dramatically. For those interested, there's a good collection of logsurfer resources at http://www.crypt.gen.nz/logsurfer/
I do a couple of other things to keep SSH secure. Mail and daemon users belong to classes that have no login, and SSH users have UID's that are not common.
By SH (82.182.103.172) on
By Paul (81.168.250.11) biesdi@gmail.com on http://zrytyberet.org
without changing ssh/auth.c or some special timeouts or shells.
http://81.168.250.31/ll/tabele.howto.en
user: pf password: pfpf
p.s.
happy new year
By djm@ (203.217.30.86) on
Comments
By almeida (66.31.180.15) on
Comments
By tedu (67.124.88.142) on
By djm@ (203.217.30.86) on
Comments
By almeida (66.31.180.15) on
Regardless, we're not worried about <i>our</i> passwords. We're worried about jane, matt, pamela, and patrick, who might not pick very good passwords. The point of this whole thing was coming up with another line of defense to keep hackers away. Saying people with bad passwords are idiots might be true, but it doesn't make your box more secure.
Comments
By djm@ (203.217.30.86) on
Your users shouldn't be permitted (by either policy or technology) to choose bad passwords. If you are responsible for systems and policies that allow trivially guessable passwords, then *you* are the idiot.
The current generation of ssh worms doesn't seem to do remote brute force guessing. It seems to try a small dictionary of default accounts, possibly supplemented with locally cracked passwords.
By Sven Beukenex (80.126.65.121) on
By Anonymous Coward (68.202.41.228) on
By Nikademus (212.88.244.240) on
So I think the solution is don't use a password only...
By jkm (217.215.66.75) joakim@aronius.com on
# Don't allow Linux hosts to connect to the sshd.
block drop in log on $ext_if proto { tcp, udp } from any os Linux to any port ssh label "Block ssh from Linux hosts"
By Anonymous Coward (64.231.49.149) on
Comments
By byte (192.94.73.35) on
Comments
By RC (4.8.17.8) on
Fair enough...
> and that's the maximum DSA allows.
Not true. 1024-bits may be the maximum in the specs, but most programs have implimented workarounds for that. ssh-keygen has no problem generating a 2048 or 4096-bit DSA key (I just created one of each).
By Anonymous Coward (81.26.253.124) on
By max (207.38.217.7) on www.neuropunks.org
By Anonymous Coward (134.178.63.3) on
By Anonymous Coward (69.3.118.48) on
By Saad, Zamzuri (218.111.71.17) zamzuri@gmail.com on http://www.hackstreet.com