Cyker (Veteran)
Joined: 15 Jun 2006, Posts: 1427
Posted: Mon Jan 18, 2010 8:52 am, Post subject: SSH hacking attempts
Is it me or has it been intensifying?
I checked my logs for the first time in a while and it was 15MB!
The biggest annoyance is that my brute-force blocker script is no longer effective as they're using distributed IPs (Darn you botnets, darn you to heck!), and while nothing has^H^H^H SEEMS to have gotten in yet, the sheer number of attempts is just scary (And this is with MaxStartups 1!!)
eccerr0r (Advocate)
Joined: 01 Jul 2004, Posts: 2212, Location: USA
Posted: Mon Jan 18, 2010 9:40 am
Apparently it's not just you. I can't see how this can't affect internet traffic, this must really use up a considerable amount of bandwidth to do this crap.
Anyway here's my recent OTW post about it, seems at least some people are noting the same thing:
http://forums.gentoo.org/viewtopic-t-811613-highlight-.html
_________________
Core2Quad 9550S/4GB/4x500G RAID5/RadeonHD 5770
What the heck am I advocating?
Cyker (Veteran)
Joined: 15 Jun 2006, Posts: 1427
Posted: Mon Jan 18, 2010 11:04 am
Doh, for some reason that thread didn't appear in my search-a-roo o.O
I think this one can be merged.
d2_racing (Moderator)
Joined: 25 Apr 2005, Posts: 12849, Location: Ste-Foy, Canada
Posted: Mon Jan 18, 2010 1:16 pm
|
You can reduce the attempts on your box with specific iptables rules that limit the number of attempts from a specific IP.
But, if it's a botnet, then the IP source will be spoofed and you go anywhere.
Is there a way to counter a botnet attack that targets an ssh connection on your own server? I know that I can block the port, but is there any more elegant way to do so?
_________________
Sysadmin of Funtoo-Québec.org
Wiki
Signature
IRC on Freenode : #funtoo-quebec
eccerr0r (Advocate)
Joined: 01 Jul 2004, Posts: 2212, Location: USA
Posted: Mon Jan 18, 2010 5:01 pm
It's hard...only way is to band with a few people to share banned host lists...
otherwise it will make things inconvenient ... at least that's the conclusion drawn.
_________________
Core2Quad 9550S/4GB/4x500G RAID5/RadeonHD 5770
What the heck am I advocating?
Travisher (n00b)
Joined: 18 Jan 2010, Posts: 1
Posted: Mon Jan 18, 2010 5:53 pm
SSH attacks are intensifying. Try using an iptables or shorewall rule that limits access to a few specific IP addresses.
Or switch to using ssh keys only. This won't stop them trying, but you can sleep at night.
I blagged the following from our internal wiki, I hope this helps.
If you don't use passwords, but only RSA keys for authentication, a brute-force search for a valid password will obviously be useless.
(1) Generate an RSA key with ssh-keygen -t rsa. This will create the files /home/username/.ssh/id_rsa (the private key) and /home/username/.ssh/id_rsa.pub (the public key).
Code:
sh$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
The key fingerprint is:
32-digit_hexadecimal_fingerprint username@hostname
(2) On each machine to which you want to log in, put /home/username/.ssh/id_rsa.pub into /home/username/.ssh/authorized_keys. This file can hold more than one key, so it may be wise to concatenate the freshly generated key.
Code:
sh$ cat /home/username/.ssh/id_rsa.pub >> /home/username/.ssh/authorized_keys
(3) On each machine from which you want to log in, place the file /home/username/.ssh/id_rsa into the directory /home/username/.ssh/.
(4) Disable password-based login by setting 'PasswordAuthentication no' in /etc/ssh/sshd_config, and restart the sshd daemon with /etc/init.d/sshd restart.
Before you close your ssh terminal, check you can no longer log in with a password, and check you can log in with your key.
Keep your private key backed up somewhere safe and don't lose your passphrase. You can still use your password on the console login and you still need the password to su to root.
mikegpitt (Advocate)
Joined: 22 May 2004, Posts: 3140
Posted: Mon Jan 18, 2010 6:37 pm
|
On the one server I have facing the world, I use openvpn to connect and firewall off connections from IPs outside the internal LAN. Even while following GLSAs I'd be worried about a 0-day unreported attack... this approach helps me sleep soundly, but might not be appropriate for all.
Shining Arcanine (Veteran)
Joined: 24 Sep 2009, Posts: 1110
Posted: Mon Jan 18, 2010 10:59 pm
Two tips:
- Configure sshd to disallow root logins.
- Change sshd's port to an uncommonly used port, most likely above 5000.
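The four-step key-only procedure Travisher posted above and the two tips here (no root login, a non-default port) can be driven from one small script. The following is an added example, not code from the thread or from any of its posters. It edits a copy of sshd_config with plain grep, awk and sed-free text handling so it runs without sshd installed; the sample config, the pubkey line and all file paths in it are constructed for the demo, and the real target would be /etc/ssh/sshd_config and ~/.ssh/authorized_keys.

```shell
#!/bin/sh
# Added example, not from the thread: harden a copy of sshd_config and install a
# public key idempotently. Needs only POSIX sh, grep, awk and mktemp, so it runs
# without sshd. Paths are parameters; the real file is /etc/ssh/sshd_config.

# set_sshd_option FILE KEYWORD VALUE
# sshd honours the FIRST uncommented occurrence of a keyword, so rewriting one of
# several "#Port 22" lines is unsafe: drop every active or commented line for the
# keyword (keywords are case-insensitive) and append exactly one setting.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    grep -Eiv "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file" > "$tmp" || :
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file"          # overwrite in place, keeping the file's mode
    rm -f "$tmp"
}

# sshd_effective FILE KEYWORD: print the value sshd would use (first active match)
sshd_effective() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd FILE [PORT]: step (4) from the post plus the two tips above
harden_sshd() {
    harden_file=$1 port=${2:-22}
    set_sshd_option "$harden_file" Port "$port"
    set_sshd_option "$harden_file" PermitRootLogin no
    set_sshd_option "$harden_file" PubkeyAuthentication yes
    set_sshd_option "$harden_file" PasswordAuthentication no
    # with PAM, password prompts still arrive via keyboard-interactive unless this is off
    set_sshd_option "$harden_file" ChallengeResponseAuthentication no
}

# check_hardened FILE: succeed only if every password path is closed
check_hardened() {
    [ "$(sshd_effective "$1" PasswordAuthentication)" = no ] &&
    [ "$(sshd_effective "$1" ChallengeResponseAuthentication)" = no ] &&
    [ "$(sshd_effective "$1" PermitRootLogin)" = no ]
}

# add_authorized_key AUTHORIZED_KEYS_FILE PUBKEY_FILE: step (2), but append only
# when the key (type + base64 blob, comment ignored) is not already present.
# Returns 1 if it was already there. Also sets the permissions sshd insists on.
add_authorized_key() {
    authkeys=$1 pubkey=$2
    mkdir -p "$(dirname "$authkeys")" && chmod 700 "$(dirname "$authkeys")"
    touch "$authkeys" && chmod 600 "$authkeys"
    keyid=$(awk '{ print $1, $2 }' "$pubkey")
    if awk '{ print $1, $2 }' "$authkeys" | grep -Fxq "$keyid"; then
        return 1
    fi
    cat "$pubkey" >> "$authkeys"
}

# sample_config FILE: constructed stand-in for a stock config (commented = default)
sample_config() {
    cat > "$1" <<'EOF'
#Port 22
#PermitRootLogin yes
#PasswordAuthentication yes
#ChallengeResponseAuthentication yes
Subsystem sftp /usr/lib/misc/sftp-server
EOF
}

# Stand-alone demo in a throwaway directory; nothing under /etc is touched.
demo_dir=$(mktemp -d)
sample_config "$demo_dir/sshd_config"
harden_sshd "$demo_dir/sshd_config" 5999
check_hardened "$demo_dir/sshd_config" && cat "$demo_dir/sshd_config"
# constructed placeholder, not a real key
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEY user@constructed\n' > "$demo_dir/id_rsa.pub"
add_authorized_key "$demo_dir/.ssh/authorized_keys" "$demo_dir/id_rsa.pub"
add_authorized_key "$demo_dir/.ssh/authorized_keys" "$demo_dir/id_rsa.pub" || echo "key already present, not duplicated"
rm -rf "$demo_dir"
```

Run it against a copy first, validate the result with `sshd -t -f /path/to/copy` before putting it in place, and, as Travisher says, test a key login from a second session before closing the one you have. Two details the steps above leave implicit are handled here: sshd takes the first uncommented occurrence of a keyword, so the helper removes every old Port/PasswordAuthentication line instead of editing one of them, and on PAM systems ChallengeResponseAuthentication has to be off as well or a password prompt still comes through keyboard-interactive authentication.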
d2_racing (Moderator)
Joined: 25 Apr 2005, Posts: 12849, Location: Ste-Foy, Canada
Posted: Tue Jan 19, 2010 1:35 am
|
In fact, for my concern, I use ssh port = 5999 and basically my ssh is only available via my LAN network, so basically I'm ok.
But if your box is exposed to the net, then changing the port is a pretty good idea.
_________________
Sysadmin of Funtoo-Québec.org
Wiki
Signature
IRC on Freenode : #funtoo-quebec
eccerr0r (Advocate)
Joined: 01 Jul 2004, Posts: 2212, Location: USA
Posted: Tue Jan 19, 2010 1:53 am
It looks like the attempts have died down for now once again, and life goes on with virtually no changes as most changes would be more painful than the attacks (remote firewalls, etc.)... back down to the usual few per day.
A huge list of bad hosts was collected...
_________________
Core2Quad 9550S/4GB/4x500G RAID5/RadeonHD 5770
What the heck am I advocating?
timeBandit (Administrator)
Joined: 31 Dec 2004, Posts: 2667, Location: here, there or in transit
Posted: Tue Jan 19, 2010 3:03 am
|
Moved from Networking & Security to Duplicate Threads.
SSH brute force attacks, the botnets that drive them, the defenses against them and the evolution of bots to counter the defenses are all very old news. If the simple expedients of "move the SSH port" and "use public-key authentication" are insufficient, study prior art for more ideas.
If you simply wish to vent about the latest uptick in activity, please do so in "Hail Mary SSH" is at it again.
_________________
Plants are pithy, brooks tend to babble--I'm content to lie between them.
Super-short f.g.o checklist: Search first, strip comments, mark solved, help others.