CorCornelisse n00b

Joined: 22 Aug 2007 Posts: 8
Posted: Thu Nov 15, 2007 2:04 pm Post subject: SSH Attack by different hosts
Hi All,
I've a problem, my logs are swamped by messages indicating a brute force or dictionary based attack on my SSH server. The problem is, every attempt appears to be coming from a different address, and all addresses show IRC ports open (used NMAP to scan). So I think someone is using a botnet to attack my box. Anyway, how would you deal with a situation like this? It's too intensive for me to block every IP using iptables (which is what I usually do when attacked from one single source).
Hope anyone can shed some light on this case, since this brute force attack is swamping my logs, and making my SSH machine terribly slow (it's a via epia c3 500mhz).
Any help is appreciated.
Code:
Nov 15 14:49:54 localhost sshd[8916]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.147.111.99 user=root
Nov 15 14:49:55 localhost sshd[8916]: error: PAM: Authentication failure for root from 201.147.111.99
Nov 15 14:52:23 localhost sshd[8919]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=bces-1730.de user=root
Nov 15 14:52:26 localhost sshd[8919]: error: PAM: Authentication failure for root from bces-1730.de
Nov 15 14:55:15 localhost sshd[8922]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.172.166.2 user=root
Nov 15 14:55:18 localhost sshd[8922]: error: PAM: Authentication failure for root from 200.172.166.2
Nov 15 14:57:47 localhost sshd[8925]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=babels-elite.de user=root
Nov 15 14:57:48 localhost sshd[8925]: error: PAM: Authentication failure for root from babels-elite.de
Nov 15 15:03:29 localhost sshd[8930]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=argon108.server4you.de user=root
Nov 15 15:03:30 localhost sshd[8930]: error: PAM: Authentication failure for root from argon108.server4you.de
A lie told often enough becomes the truth
Lenin (1870 - 1924)
di1bert l33t


Joined: 16 May 2002 Posts: 963 Location: Durban, South Africa
Posted: Thu Nov 15, 2007 2:41 pm Post subject:
Blocking SSH access to the world using iptables would be the best answer. If you need access from the world, only allow from certain IPs.
You could also consider installing DenyHosts, which would help.
HTH
-m
KD-120RD Tux's lil' helper


Joined: 07 Mar 2004 Posts: 149 Location: Hamburg
CorCornelisse n00b

Joined: 22 Aug 2007 Posts: 8
Posted: Thu Nov 15, 2007 2:55 pm Post subject:
I love the port knocking solution, I'll see if I can get that up and running, never heard of it before. Thanks!!!
Blocking access isn't possible since this machine is the very gateway to my network and I want to be able to access it from anywhere.
Thanks for the quick response!!!
A lie told often enough becomes the truth
Lenin (1870 - 1924)
quade n00b

Joined: 07 Apr 2006 Posts: 18
Posted: Thu Nov 15, 2007 3:04 pm Post subject:
Another suggestion is to deny users who fail a certain number of login attempts within 60 seconds using this iptables rule:
Code:
# First rule: record the source address of every new connection to port 22 in the "SSH" recent list
$IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
# Second rule: drop a new connection if that address already has 10 hits in the last 60 seconds (--update also refreshes its timestamp; --rttl also requires the TTL to match)
$IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --rttl --name SSH -j DROP
(where $IPTABLES is the full path to your binary, usually /sbin/iptables)
This configuration looks for any IP address where someone makes 10 failed SSH login attempts within a minute's time.
This way, you can fail your login attempt a couple of times, wait a minute, then try again (useful for those days after changing your password).
Also, FWIW, I'd recommend that you not allow root to connect via SSH; instead, connect as a user, then sudo or su - to get root access.
CorCornelisse n00b

Joined: 22 Aug 2007 Posts: 8
Posted: Thu Nov 15, 2007 3:22 pm Post subject:
That's already the case, he won't get anywhere by attempting to login as root. So I've nothing to fear, but it lags my connection to the box severely, that's the reason I'm looking for a solution. Those iptables rules might come in handy, with a different timing though.. I'll try, tnx!!!
A lie told often enough becomes the truth
Lenin (1870 - 1924)
ianw1974 Guru


Joined: 18 Oct 2006 Posts: 370 Location: UK and Poland
Posted: Thu Nov 15, 2007 7:18 pm Post subject:
I don't know if it's possible for you, but maybe you could just tunnel into the system using IPSEC VPN and then SSH after this once you have a VPN connection.
This is what I do, so that I save people trying to hack my system over SSH. Means I don't have to open the port, and I can connect from anywhere, if I'm using an IPSEC client or have access to create an IPSEC connection from another firewall.
Cyker Veteran

Joined: 15 Jun 2006 Posts: 1427
Posted: Thu Nov 15, 2007 8:16 pm Post subject:
Yeah, the most you can do without excessive zots is to set up rules to:
+ Ban connection attempts on Port 22 that don't have SSH headers ("Did not receive identification string from")
+ Ban if more than 3 authentication failures happen within 30s ("Failed password for")
+ Ban anything with common usernames that shouldn't be logging in anyway ("root" "cron" "daemon" "mail" etc.)
I currently use SEC to do this.
If it's getting to be too big a PITA, then another thing you can do, *in addition* to all the above stuff, is change the connecting port from 22 to something else - 80 and 21 are good ones because scans will try to connect as HTTP/FTP and will get themselves insta-banned, but you need to be careful you don't accidentally do that because then you will be banned with no come-back until you can get home and remove the offending IP.
Even if you can't/won't spoof the port to a common service, changing it to something else entirely like 220 or 12345 or something will still cut down on the attempts on your system noticeably.
It really sucks that these bastards are using fraggin' botnets now just to break into random people's systems. Things like this almost make me miss the days when the main way of connecting was via modem, and the only people that had fast connections were the ones that actually knew enough about computers to be able to detect and fix such problems!
But I guess we all know it's not going to get any better as the 'net gets more and more commercialized...
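To show how the three rules Cyker lists above (and the per-host window/hitcount idea behind quade's iptables rule earlier in the thread) translate into log-driven detection, here is an added Python example that is not from this thread or any of its posters. It assumes the sshd message formats quoted in the thread and feeds them constructed sample lines using RFC 5737 documentation addresses; it goes slightly beyond Cyker's wording in that the window and hit count are parameters rather than fixed at 3 in 30s.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (RFC 5737 documentation addresses, not real hosts) in the
# formats quoted in the thread: the OP's PAM pair, "Failed password for", "Did not receive identification string from".
SAMPLE_LOG = """\
Nov 15 14:49:54 localhost sshd[8916]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5 user=root
Nov 15 14:49:55 localhost sshd[8916]: error: PAM: Authentication failure for root from 203.0.113.5
Nov 15 14:50:01 localhost sshd[8917]: Failed password for invalid user admin from 198.51.100.7 port 4421 ssh2
Nov 15 14:50:09 localhost sshd[8918]: Failed password for invalid user admin from 198.51.100.7 port 4425 ssh2
Nov 15 14:50:20 localhost sshd[8919]: Failed password for invalid user admin from 198.51.100.7 port 4430 ssh2
Nov 15 14:51:02 localhost sshd[8921]: Did not receive identification string from 192.0.2.44
Nov 15 14:52:10 localhost sshd[8922]: Failed password for cor from 192.0.2.9 port 51022 ssh2
Nov 15 14:52:50 localhost sshd[8923]: Failed password for cor from 192.0.2.9 port 51030 ssh2
Nov 15 14:53:30 localhost sshd[8924]: Failed password for cor from 192.0.2.9 port 51041 ssh2
"""

DISALLOWED_USERS = {"root", "cron", "daemon", "mail"}  # accounts that should never log in over SSH
TS_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+(.*)$")
NOIDENT_RE = re.compile(r"Did not receive identification string from (\S+)")
# Matches "Failed password for [invalid user] X from Y" and the OP's "PAM: Authentication failure
# for X from Y"; the lowercase pam_unix line for the same PID does not match, so one attempt counts once.
FAIL_RE = re.compile(r"(?:Failed password|Authentication failure) for (?:invalid user )?(\S+) from (\S+)")


def bans_for_log(text, window=30, hitcount=3):
    """Return {host: reason}; window/hitcount mirror iptables --seconds/--hitcount."""
    recent = defaultdict(deque)  # host -> failure timestamps still inside the window
    bans = {}
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas
        ts = datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S")
        msg = m.group(2)
        n, f = NOIDENT_RE.search(msg), FAIL_RE.search(msg)
        if n:  # rule 1: a client that never sent an SSH banner is not an SSH client
            bans.setdefault(n.group(1), "no SSH identification string")
        elif f and f.group(1) in DISALLOWED_USERS:  # rule 3: names that should never log in
            bans.setdefault(f.group(2), "login attempt as disallowed user " + f.group(1))
        elif f:  # rule 2: sliding window of failures per source host
            q = recent[f.group(2)]
            q.append(ts)
            while ts - q[0] > timedelta(seconds=window):
                q.popleft()
            if len(q) >= hitcount:
                bans.setdefault(f.group(2), f"{len(q)} failures within {window}s")
    return bans
```

Hosts returned here are candidates for an iptables DROP rule or a DenyHosts-style list; the legitimate user "cor" in the sample, failing once every 40 seconds, never accumulates three failures inside a 30s window and is not listed.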
pteppic l33t

Joined: 28 Nov 2005 Posts: 781
Posted: Thu Nov 15, 2007 8:48 pm Post subject:
quade wrote:
Another suggestion is to deny users who fail a certain number of login attempts within 60 seconds using this iptables rule:
Code:
$IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
$IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --rttl --name SSH -j DROP
That is a really nice example, elegant, requires no administration and gets the job done without extra packages or config.
Current Project Thread (myth2avi)
quade n00b

Joined: 07 Apr 2006 Posts: 18
Posted: Fri Nov 16, 2007 3:26 am Post subject:
Thanks.
That's taken from my iptables config to solve the exact same problem -- my logs were getting so full from all these bot attacks I could never debug anything else I was working on.
Akkara Administrator


Joined: 28 Mar 2006 Posts: 3717 Location: &akkara
Posted: Fri Nov 16, 2007 3:54 am Post subject:
I've recently changed /etc/ssh/sshd_config to use RSA authentication, only. Works great, and also solves a worry of accidentally leaving possibly ill-secured test accounts around. And using ssh-agent I only need to type in the passphrase once per session which makes it more convenient.
Carnildo Guru

Joined: 17 Jun 2004 Posts: 550
Posted: Fri Nov 16, 2007 7:20 am Post subject: Re: SSH Attack by different hosts
CorCornelisse wrote:
Hi All,
I've a problem, my logs are swamped by messages indicating a brute force or dictionary based attack on my SSH server. The problem is, every attempt appears to be coming from a different address, and all addresses show IRC ports open (used NMAP to scan). So I think someone is using a botnet to attack my box. Anyway, how would you deal with a situation like this? It's too intensive for me to block every IP using iptables (which is what I usually do when attacked from one single source).
They're not targeting you specifically. They're just looking for insecure hosts -- anyone with SSH on port 22 is seeing this. I use the Denyhosts distributed blacklist -- the idea is that if one person sees a computer trying a brute-force attack, they report it, and everyone else's computer adds it to sshd's list of disallowed hosts. It can even work with these distributed attacks.
Quote:
Hope anyone can shed some light on this case, since this brute force attack is swamping my logs, and making my SSH machine terribly slow (it's a via epia c3 500mhz)
You should probably look into what's being slow here. My Pentium 233 isn't running any slower than normal.
Speen Tux's lil' helper

Joined: 27 Apr 2006 Posts: 118 Location: Herzogenrath, NRW, Germany
Posted: Fri Nov 16, 2007 8:28 am Post subject: Re: SSH Attack by different hosts
have you tried fail2ban?
it's in portage!
vaguy02 Guru


Joined: 25 Feb 2005 Posts: 424 Location: Hopefully in one place
Posted: Fri Nov 16, 2007 12:32 pm Post subject:
fail2ban only works with multiple attempts from the same host, not what we are talking about here.
Robert
Linux Registered User #458185
Intel Quad-Core w/ 4gigs Ram w/ 8800 GTX - Windows 7 RC
2x (Intel Dual-Core w/ 2gigs Ram - Gentoo)
Mac G5 Dual-Core w/ 2gigs Ram - OS 10.5