eccerr0r (Advocate)
Joined: 01 Jul 2004, Posts: 2354, Location: USA
Posted: Sun Jan 17, 2010 6:39 pm
Post subject: "Hail Mary SSH" is at it again

Ugh. The distributed ssh attack is at it again.
This time it's at around 6 per minute. Last time it was around 1 per minute...
A friend of mine is also fairly quick, but it seems he disabled logging (?!?! uh oh)...
This activity's traffic could become worse than bittorrent traffic if it keeps up...
Why... me...
_________________
Core2Quad 9550S/4GB/4x500G RAID5/RadeonHD 5770
What the heck am I advocating?

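As an added example (not part of the thread and not any poster's code), here is a small POSIX shell script that turns an OpenSSH auth log into the numbers eccerr0r is estimating by eye: failed attempts per minute, how many distinct sources are involved, and which source is busiest. The log lines in SAMPLE_LOG are constructed; on a real system pipe the actual log in (the file name depends on the syslog setup).

```shell
#!/bin/sh
# Added example, not from the thread: summarise failed SSH logins from an
# OpenSSH auth log so that "6 per minute" becomes a number read off the log.
# SAMPLE_LOG is constructed sample data in classic syslog format; on a real
# box run e.g.  failed_attempts < /var/log/auth.log  (path depends on syslog).

SAMPLE_LOG='Jan 17 18:30:01 home sshd[4101]: Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2
Jan 17 18:30:12 home sshd[4103]: Failed password for root from 198.51.100.7 port 40022 ssh2
Jan 17 18:30:29 home sshd[4105]: Invalid user oracle from 203.0.113.25
Jan 17 18:30:29 home sshd[4105]: Failed password for invalid user oracle from 203.0.113.25 port 33001 ssh2
Jan 17 18:30:50 home sshd[4107]: Failed password for root from 198.51.100.7 port 40031 ssh2
Jan 17 18:31:05 home sshd[4109]: Accepted publickey for eccerr0r from 192.0.2.4 port 52200 ssh2
Jan 17 18:31:33 home sshd[4110]: Failed password for invalid user test from 203.0.113.40 port 60123 ssh2
Jan 17 18:31:41 home sshd[4112]: Failed password for invalid user guest from 203.0.113.41 port 60124 ssh2'

# sample: emit the constructed log on stdout, so every function below can
# also be fed a real log file instead.
sample() { printf '%s\n' "$SAMPLE_LOG"; }

# failed_attempts: one line per failed password attempt, "Mon DD HH:MM IP".
# Only "Failed password" lines count; the "Invalid user" line that sshd logs
# for the same attempt would otherwise be counted twice.
failed_attempts() {
  awk '/: Failed password for / {
         minute = substr($3, 1, 5)
         for (i = 1; i < NF; i++)
           if ($i == "from") { print $1, $2, minute, $(i + 1); break }
       }'
}

# Total failures, failures per minute, peak minute, distinct sources and the
# single busiest source. NR-based counting avoids the leading spaces some
# wc implementations print.
failed_count()     { failed_attempts | awk 'END { print NR }'; }
per_minute()       { failed_attempts | cut -d' ' -f1-3 | sort | uniq -c; }
peak_per_minute()  { per_minute | sort -rn | head -n 1 | awk '{ print $1 }'; }
distinct_sources() { failed_attempts | cut -d' ' -f4 | sort -u | awk 'END { print NR }'; }
top_source()       { failed_attempts | cut -d' ' -f4 | sort | uniq -c | sort -rn | head -n 1 | awk '{ print $2 }'; }

echo "failed attempts:  $(sample | failed_count)"
echo "distinct sources: $(sample | distinct_sources)"
echo "peak per minute:  $(sample | peak_per_minute)"
echo "busiest source:   $(sample | top_source)"
```

On the constructed sample the peak is 4 failures in one minute spread over 5 different sources, which is the shape of a distributed attack: per-source banning (fail2ban, a manual blacklist) sees each source only once or twice before it moves on, so the distinct-source count is the figure to watch rather than the count from any single address.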
big dave (n00b)
Joined: 03 Jul 2009, Posts: 0, Location: in your base, killin all your doodz
Posted: Sun Jan 17, 2010 7:24 pm

Change the port. Lots of businesses/universities block 22 nowadays anyways.

jdmulloy (Tux's lil' helper)
Joined: 24 Dec 2004, Posts: 139, Location: Massachusetts, USA
Posted: Sun Jan 17, 2010 7:28 pm

big dave wrote:
> change the port. lots of businesses/universities block 22 nowadays anyways.

++
I use a high numbered port for SSH. Why use the standard port? You're likely the only person who needs to use it, and you can give your own port number to anyone you trust with the system, and change it afterwards if you wish.
_________________
Joe Mulloy | http://twitter.com/jdmulloy | Ron Paul in 2012! | 5-1-07 | Unban Playfool | Fire your "Too big to fail" bank http://moveyourmoney.info

aidanjt (Veteran)
Joined: 20 Feb 2005, Posts: 1096, Location: Rep. of Ireland
Posted: Sun Jan 17, 2010 8:04 pm

Guys, remember, security through obscurity is no security at all. Disable password authentication and only allow the use of proper key pairs. It might also be a good idea to set up some kind of system (such as fail2ban) to ban hosts which fail to authenticate after a certain number of failed login attempts.
_________________
drizek wrote:
> Here in America, we are like a bunch of shit-slinging monkeys.

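An added example, not from the thread and not AidanJT's code: a shell audit of the sshd_config directives behind "disable password authentication and only allow proper key pairs", run against two constructed sample configs (a stock-looking one and a key-only one). The directive names are real OpenSSH keywords from sshd_config(5); the sample configs and the rule that each directive must be set explicitly are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings
# key-only authentication needs. Both configs are constructed samples; on a
# real host run   audit_sshd_config < /etc/ssh/sshd_config
# The audit reads the file the way sshd does: the first uncommented
# occurrence of a directive wins, and a directive present only as a '#'
# comment counts as not set (sshd then uses its compiled-in default).

# Constructed: a stock-looking config that still accepts passwords.
WEAK_CONFIG='Port 22
Protocol 2
#PermitRootLogin yes
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Subsystem sftp /usr/lib/misc/sftp-server'

# Constructed: the same host restricted to public-key logins.
HARDENED_CONFIG='Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
UsePAM yes
Subsystem sftp /usr/lib/misc/sftp-server'

# setting NAME < config: value of the first uncommented NAME line (the one
# sshd honours); prints nothing when the directive is absent. Keywords are
# case-insensitive in sshd_config, so compare lower-cased.
setting() {
  awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }'
}

# audit_sshd_config < config: one line per directive that is not explicitly
# set to the value this example requires. ChallengeResponseAuthentication is
# included because with UsePAM it is the other route by which a password can
# still be accepted once PasswordAuthentication is off.
audit_sshd_config() {
  config=$(cat)
  for rule in 'PasswordAuthentication=no' \
              'ChallengeResponseAuthentication=no' \
              'PermitRootLogin=no'; do
    name=${rule%%=*}; want=${rule#*=}
    have=$(printf '%s\n' "$config" | setting "$name")
    if [ -z "$have" ]; then
      echo "$name: not set, relying on the sshd default; set it to '$want'"
    elif [ "$have" != "$want" ]; then
      echo "$name: is '$have', should be '$want'"
    fi
  done
}

# finding_count < config: number of lines audit_sshd_config reports.
finding_count() { audit_sshd_config | awk 'END { print NR }'; }

echo "== weak sample =="
printf '%s\n' "$WEAK_CONFIG" | audit_sshd_config
echo "== hardened sample =="
printf '%s\n' "$HARDENED_CONFIG" | audit_sshd_config
echo "(no lines under a heading means nothing to fix)"
```

The audit deliberately reads the raw file rather than guessing defaults, because the defaults differ between OpenSSH releases; on a live host `sshd -T` prints the effective configuration with defaults filled in and is the authoritative check. The "Failed password" lines the previous example counts are also exactly what fail2ban's sshd jail watches, so the two measures complement each other: keys remove the password route, fail2ban throttles the noise that remains.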
Gaff (n00b)
Joined: 05 Jun 2009, Posts: 0
Posted: Sun Jan 17, 2010 8:06 pm

AidanJT wrote:
> Guys, remember, security through obscurity is no security at all. Disable password authentication and only allow the use of proper key pairs. It might also be a good idea to set up some kind of system (such as fail2ban) to ban hosts which fail to authenticate after a certain number of failed login attempts.

++
I run it with a high random port and only public-key, and I also turn all incoming off when I'm at home. I only need to ssh to my home server when I'm at the office or some such.

BoneKracker (Veteran)
Joined: 14 Mar 2006, Posts: 1270, Location: U.S.A.
Posted: Sun Jan 17, 2010 8:47 pm

Gaff wrote:
> AidanJT wrote:
> > Guys, remember, security through obscurity is no security at all. Disable password authentication and only allow the use of proper key pairs. It might also be a good idea to set up some kind of system (such as fail2ban) to ban hosts which fail to authenticate after a certain number of failed login attempts.
>
> ++
> I run it with high random port and only public-key, and I also turn all incoming off when I'm at home. I only need to ssh to my home server when I'm at office or some such.

++
I go one step further and use single-packet authentication, so my ssh port is not even open to be scanned, much less connected to.
fwknop: http://cipherdyne.org/fwknop/
my home-grown solution using BASH: http://forums.gentoo.org/viewtopic-t-687956.html
_________________
Obama killed bin Laden like Nixon was the first man on the Moon.

wswartzendruber (Veteran)
Joined: 23 Mar 2004, Posts: 1155, Location: California, USA
Posted: Sun Jan 17, 2010 9:10 pm

Holy cosmos! AWESOME! I'm definitely reading into SPA some more.

cokehabit (Advocate)
Joined: 23 Apr 2004, Posts: 3302
Posted: Sun Jan 17, 2010 9:25 pm

BoneKracker wrote:
> Gaff wrote:
> > AidanJT wrote:
> > > Guys, remember, security through obscurity is no security at all. Disable password authentication and only allow the use of proper key pairs. It might also be a good idea to set up some kind of system (such as fail2ban) to ban hosts which fail to authenticate after a certain number of failed login attempts.
> >
> > ++
> > I run it with high random port and only public-key, and I also turn all incoming off when I'm at home. I only need to ssh to my home server when I'm at office or some such.
>
> ++
> I go one step further and use single-packet authentication, so my ssh port is not even open to be scanned much less connected to.

I go one step further and turn the computer off.

mdeininger (Veteran)
Joined: 15 Jun 2005, Posts: 1737, Location: University of Tuebingen, Germany
Posted: Sun Jan 17, 2010 10:25 pm

AidanJT wrote:
> Guys, remember, security through obscurity is no security at all. Disable password authentication and only allow the use of proper key pairs. It might also be a good idea to set up some kind of system (such as fail2ban) to ban hosts which fail to authenticate after a certain number of failed login attempts.

Yer, I'm doing the same on my server. I just force anyone with any kind of "real" access to do so with key files; no one gets any kind of password so they can't establish one later either. Works like a charm, and them scanners and bots can kiss my ass.
_________________
"Confident, lazy, cocky, dead." -- Felix Jongleur, Otherland
( hot: libcurie - freestanding C goodness | alea.iacta.at | syn.chroni.se )

big dave (n00b)
Joined: 03 Jul 2009, Posts: 0, Location: in your base, killin all your doodz
Posted: Sun Jan 17, 2010 11:19 pm

AidanJT wrote:
> security through obscurity is no security at all.

False.
When the cost of the increase in "security" exceeds the value of the secured zone times the probability of security breach, you do nothing, or you have a stupid security advisor. This is the concept of expected value, and it's one of the most important aspects of statistics.
The "cost" of changing a port is 4.2 seconds or less and instantly eliminates over 99.99999% of these ssh brute forces. The cost of upkeeping one of those stupid IP loggers, and managing typos, and other bullshit, is ridiculously costly for YOUR PERSONAL FUCKING SERVER which only holds your mp3s and illegal copies of Photoshop installation files. Conversely, MS can never rely on obscurity because they manage the security of hundreds of millions of computers. Software guys think in binary way too often... there are a lot of shades of gray, and the factors are the cost, the value of the payload, and the probability of breach. It's up there with the whole DRM argument. Most DRM isn't actually too bad... while it's not going to stop any of us, it will stop most non-geeks from pirating shit.

vputz (Apprentice)
Joined: 16 Mar 2005, Posts: 299, Location: Oxford, England
Posted: Sun Jan 17, 2010 11:39 pm

I'm with Big Dave on this with regards to most personal servers and most script kiddie attackers. When I had my ssh incoming port at 22, I had to deal with all sorts of random fishers; changing it to a higher port made all those simply vanish. Is it "secure"? No. Is it "secure enough for my recorded TV and music collection"? Yeah. If someone wanted it, they'd get it. If someone wanted to randomly find an unsecured system, they'll find plenty to play with on port 22, and having been a recreational hacker in the past, almost all of 'em will go for the low hanging fruit any day. Most of my computers are off unless I'm using them anyway.
Now, I'm probably going to implement something more secure because it's fun to learn something new, but since I want to retain the ability to log INTO my machine wherever I am (without having to carry keys with me or remember my super-secret SPA stuff), right now this is good enough.
Security through obscurity isn't good security by any means. But it can be an appropriate level depending on the importance of the information and the access needs.

eccerr0r (Advocate)
Joined: 01 Jul 2004, Posts: 2354, Location: USA
Posted: Sun Jan 17, 2010 11:51 pm

I can't log in from work to home with the port relocated from 22; the corporate firewall requires port 22 for ssh, they block pretty much everything else.
I'm thinking my only way out is a whitelist, and depending on VPN as an alternate way in if I can't get in otherwise...
grr..
_________________
Core2Quad 9550S/4GB/4x500G RAID5/RadeonHD 5770
What the heck am I advocating?

aidanjt (Veteran)
Joined: 20 Feb 2005, Posts: 1096, Location: Rep. of Ireland
Posted: Mon Jan 18, 2010 12:14 am

big dave wrote:
> AidanJT wrote:
> > security through obscurity is no security at all.
>
> false.
> when the cost of the increase in "security" exceeds the value of the secured zone times the probability of security breach, you do nothing, or you have a stupid security advisor. this is the concept of expected value, and it's one of the most important aspects of statistics.
> the "cost" of changing a port is 4.2 seconds or less and instantly eliminates over 99.99999% of these ssh brute forces. the cost of upkeeping one of those stupid IP loggers, and managing typos, and other bullshit, is ridiculously costly for YOUR PERSONAL FUCKING SERVER which only holds your mp3s and illegal copies of photoshop installation files. conversely, MS can never rely on obscurity because they manage the security of hundreds of millions of computers. software guys think in binary way too often... there are a lot of shades of gray, and the factors are the cost, the value of the payload, and the probability of breach. it's up there with the whole DRM argument. most DRM isn't actually too bad... while it's not going to stop any of us, it will stop most non-geeks from pirating shit.

It's thinking like that which makes Windows rubbish at security, and DRM an utter failure against actual piracy.
_________________
drizek wrote:
> Here in America, we are like a bunch of shit-slinging monkeys.

mdeininger (Veteran)
Joined: 15 Jun 2005, Posts: 1737, Location: University of Tuebingen, Germany
Posted: Mon Jan 18, 2010 12:19 am

I see why you would argue for more shades of gray, but given how easy to use key files are it's kinda moot in this situation. If you just disable passwords for logins and only use those files, you can just leave ssh at the default port, since none of the bots seem to even bother with brute-forcing key-based auth; and I don't see how taking along the key file once to put on the systems you're gonna use it with is less of a hassle than constantly speccing the port for each invocation of ssh, or configuring ssh via its config file to use a different port for some hosts. As an added bonus, you don't need to enter your password with key files, which is handy.
Might just be me though; and the server in question in my case is actually not my private home server, since my line would be way too slow, but a dedicated server I rented which, next to my own projects, currently also hosts glendix and the website of t3h most awesomestest book-/fantasy store in the whole area, so a wee bit "tighter" security seems like a good idea ;D.

eccerr0r wrote:
> I can't login from work to home with port relocated from 22, corporate firewall requires port 22 for ssh, they block pretty much everything else.
> I'm thinking my only way out is whitelist and depend on VPN as alternate way in if I can't get in otherwise...
> grr..

Use key files then? That's definitely an easier way out... especially since for VPN you'll lug around certificates anyway...
_________________
"Confident, lazy, cocky, dead." -- Felix Jongleur, Otherland
( hot: libcurie - freestanding C goodness | alea.iacta.at | syn.chroni.se )

pjp (Administrator)
Joined: 16 Apr 2002, Posts: 15989, Location: Colorado
Posted: Mon Jan 18, 2010 12:28 am

AidanJT wrote:
> It's thinking like that which makes Windows rubbish at security, and DRM an utter failure against actual piracy.

Security is about trade-offs.
_________________
Safety is my gaol.
US Constitution | Amendments

aidanjt (Veteran)
Joined: 20 Feb 2005, Posts: 1096, Location: Rep. of Ireland
Posted: Mon Jan 18, 2010 12:32 am

pjp wrote:
> Security is about trade-offs.

Security is about security. Convenience is about trade-offs. Not that there's anything convenient about DRM, or Windows when you have to nuke it every few months because it gets clogged up with shit.
_________________
drizek wrote:
> Here in America, we are like a bunch of shit-slinging monkeys.

eccerr0r (Advocate)
Joined: 01 Jul 2004, Posts: 2354, Location: USA
Posted: Mon Jan 18, 2010 12:52 am

mdeininger wrote:
> use key files then? thats definitely an easier way out... especially since for vpn you'll lug around certificates anyway...

Well, whitelist as in allow certain hosts (work and places I know I'll be), and VPN elsewhere when I can connect my personal computer to the net directly (I can't use my own laptop at work).
Yep, currently my VPN/certificate/key system appears to be working; I was hoping it would not come down to this. I wish my machine were not so attractive, at least that seems to be the issue... I was hoping the blacklist would make it less attractive as I get more and more of their hosts banned, but the hackers' host pool seems to be near limitless...
_________________
Core2Quad 9550S/4GB/4x500G RAID5/RadeonHD 5770
What the heck am I advocating?

BoneKracker (Veteran)
Joined: 14 Mar 2006, Posts: 1270, Location: U.S.A.
Posted: Mon Jan 18, 2010 1:08 am

eccerr0r wrote:
> mdeininger wrote:
> > use key files then? thats definitely an easier way out... especially since for vpn you'll lug around certificates anyway...
>
> Well, whitelist as in allow certain hosts (work and places I know I'll be), and VPN elsewhere when I can connect my personal computer to the net directly (I can't use own laptop at work.)
> Yep, currently my VPN/certificate/key system appears to be working, was hoping it would not come down to this. I wish my machine were not so attractive, at least that seems to be the issue... was hoping the blacklist would make it less attractive as I get more and more of their hosts banned but the hackers' host pool seems to be near limitless...

Where are you implementing your whitelist/blacklist?
sshd_config?
xinetd?
tcp wrappers?
ip tables?
_________________
Obama killed bin Laden like Nixon was the first man on the Moon.

mdeininger (Veteran)
Joined: 15 Jun 2005, Posts: 1737, Location: University of Tuebingen, Germany
Posted: Mon Jan 18, 2010 1:23 am

eccerr0r wrote:
> mdeininger wrote:
> > use key files then? thats definitely an easier way out... especially since for vpn you'll lug around certificates anyway...
>
> Well, whitelist as in allow certain hosts (work and places I know I'll be), and VPN elsewhere when I can connect my personal computer to the net directly (I can't use own laptop at work.)
> Yep, currently my VPN/certificate/key system appears to be working, was hoping it would not come down to this. I wish my machine were not so attractive, at least that seems to be the issue... was hoping the blacklist would make it less attractive as I get more and more of their hosts banned but the hackers' host pool seems to be near limitless...

I don't seem to get it... I understood the VPN was to get around the firewall at work so you could move the port around?
Why would you even bother using blacklisting/whitelisting/different ports if you're using keys? The bots aren't really going to attempt to crack key-based auth, they'll just try to brute-force password-based auths?
Why would the particular computer you're working on affect any of this and be related to VPNs in any way?
I'm... confused...
_________________
"Confident, lazy, cocky, dead." -- Felix Jongleur, Otherland
( hot: libcurie - freestanding C goodness | alea.iacta.at | syn.chroni.se )

pjp (Administrator)
Joined: 16 Apr 2002, Posts: 15989, Location: Colorado
Posted: Mon Jan 18, 2010 1:44 am

AidanJT wrote:
> Security is about security.

In an academic environment, I would agree.

The Feeling and Reality of Security wrote:
> Some fundamentals first. Viewed from the perspective of economics, security is a trade-off. There's no such thing as absolute security, and any security you get has some cost: in money, in convenience, in capabilities, in insecurities somewhere else, whatever. Every time someone makes a decision about security -- computer security, community security, national security -- he makes a trade-off.
_________________
Safety is my gaol.
US Constitution | Amendments

eccerr0r (Advocate)
Joined: 01 Jul 2004, Posts: 2354, Location: USA
Posted: Mon Jan 18, 2010 1:45 am

Currently it's at tcp_wrappers. They know there's a host still there. But the hope is that I want to make it look like there is no host there, or at least one that does not reply to ssh, so they'll stop wasting my limited bandwidth. But the "key" issue is being locked out when I want access to my machine...
My problem is that at work I have to use work computers; and as I do not have root access (and I have to go through tcp/socks), pretty much the only way to connect back home is through ssh. So my whitelist is pretty much the only way to deal with this. The VPN is for any other place that has network access (public wifi, friend's house on Comcast, etc. where I won't know the IP and can't whitelist ahead of time).
This doesn't even touch on my friends who have (had?) ssh access and now find they're locked out...
Frustrating...
_________________
Core2Quad 9550S/4GB/4x500G RAID5/RadeonHD 5770
What the heck am I advocating?

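Added example, not from the thread and not eccerr0r's setup: a shell model of the tcp_wrappers decision that a whitelist like the one above relies on (hosts.allow first, then hosts.deny, otherwise allow, as in hosts_access(5)), run against constructed control files, so an entry for a work network or a friend's address can be checked before anyone relies on it. It handles the common pattern forms only (ALL, an exact address, a dotted prefix, net/mask); the addresses are constructed documentation ranges, and hostnames, CIDR suffixes, EXCEPT lists and option fields are not modelled.

```shell
#!/bin/sh
# Added example, not from the thread: a model of the tcp_wrappers (libwrap)
# access decision for sshd. Evaluation order follows hosts_access(5): a
# hosts.allow match grants access, else a hosts.deny match refuses it, else
# access is granted. Both control files are constructed samples.
# Pattern forms handled: ALL, exact address, dotted prefix ("203.0.113."),
# net/mask ("192.0.2.0/255.255.255.0"). Nothing else is modelled.

SAMPLE_HOSTS_ALLOW='# constructed whitelist: work subnet, VPN gateway, a prefix
sshd: 192.0.2.0/255.255.255.0
sshd: 198.51.100.42
sshd: 203.0.113.'

SAMPLE_HOSTS_DENY='sshd: ALL'

# masked ADDRESS MASK -> ADDRESS with MASK applied, octet by octet
masked() {
  old_ifs=$IFS; IFS=.
  set -- $1 $2                  # eight octets: four of ADDRESS, four of MASK
  IFS=$old_ifs
  echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
}

# pattern_matches PATTERN ADDRESS -> exit 0 if ADDRESS matches PATTERN
pattern_matches() {
  pat=$1; addr=$2
  case "$pat" in
    ALL) return 0 ;;
    */*) net=${pat%/*}; mask=${pat#*/}
         [ "$(masked "$addr" "$mask")" = "$(masked "$net" "$mask")" ] ;;
    *.)  case "$addr" in "$pat"*) return 0 ;; *) return 1 ;; esac ;;
    *)   [ "$pat" = "$addr" ] ;;
  esac
}

# file_matches DAEMON ADDRESS < control_file -> exit 0 if any line matches
file_matches() {
  daemon=$1; client=$2; matched=1
  while IFS= read -r line; do
    line=${line%%#*}                       # drop comments
    case "$line" in *:*) ;; *) continue ;; esac
    daemons=" $(echo "${line%%:*}" | tr ',' ' ') "
    clients=$(echo "${line#*:}" | tr ',' ' ')
    case "$daemons" in *" ALL "*|*" $daemon "*) ;; *) continue ;; esac
    for pat in $clients; do
      if pattern_matches "$pat" "$client"; then matched=0; break; fi
    done
    [ "$matched" -eq 0 ] && break
  done
  return "$matched"
}

# wrapper_decision DAEMON ADDRESS -> prints ALLOW or DENY
wrapper_decision() {
  if printf '%s\n' "$SAMPLE_HOSTS_ALLOW" | file_matches "$1" "$2"; then
    echo ALLOW
  elif printf '%s\n' "$SAMPLE_HOSTS_DENY" | file_matches "$1" "$2"; then
    echo DENY
  else
    echo ALLOW
  fi
}

for a in 192.0.2.77 198.51.100.42 203.0.113.9 198.51.100.43; do
  echo "sshd from $a: $(wrapper_decision sshd "$a")"
done
```

The last address in the loop is the lockout eccerr0r describes: anything not listed in hosts.allow falls through to `sshd: ALL` in hosts.deny and is refused before sshd ever sees it, which is why friends and unplanned locations need either an entry of their own or the VPN route in. Note that a wrapper deny still answers the TCP handshake, so the host does not look absent to a scanner; only a firewall drop (or the SPA approach mentioned earlier in the thread) achieves that.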
mdeininger (Veteran)
Joined: 15 Jun 2005, Posts: 1737, Location: University of Tuebingen, Germany
Posted: Mon Jan 18, 2010 1:54 am

Okay, starting to make a lot more sense... but 6 ssh hits per minute hardly seems able to take a significant, let alone noticeable, bit of bandwidth... so I still don't get why you just don't do anything but leave the bots to their futile attempts and use those key files on your work computers? ... And of course I don't see why you'd need root access to those either for anything.
Oh, and you could try delaying the initial connection replies to your ssh by a couple of seconds (say, 10-20-ish?). From experience it's usually not that often that you establish connections, so usually it's hardly noticeable for actual use, but it does usually screw with bots.
_________________
"Confident, lazy, cocky, dead." -- Felix Jongleur, Otherland
( hot: libcurie - freestanding C goodness | alea.iacta.at | syn.chroni.se )

big dave (n00b)
Joined: 03 Jul 2009, Posts: 0, Location: in your base, killin all your doodz
Posted: Mon Jan 18, 2010 2:05 am

mdeininger wrote:
> the server in question in my case is actually not my private home server, since my line would be way too slow, but a dedicated server i rented which, next to my own projects, currently also hosts glendix and the website of t3h most awesomestest book-/fantasy store in the whole area, so a wee bit "tighter" security seems like a good idea ;D.

That's exactly the point. Now you're talking about an online store, which may have credit card numbers on file (which is actually regulated by federal law). Simply changing the ports is clearly insufficient security for that level of sensitivity.
Other people who have replied about DRM failing or MS failing seriously fail at reading comprehension and should re-read what mdeininger and vputz clearly understand, or ask for clarification... instead of getting combative. It's not about black and white, hard and fast rules. It's about using the minimal reasonable cost to achieve the goal, and using expected value by way of CBA to determine reasonableness.

big dave (n00b)
Joined: 03 Jul 2009, Posts: 0, Location: in your base, killin all your doodz
Posted: Mon Jan 18, 2010 2:06 am

mdeininger wrote:
> i don't see why you'd need root access to those either for anything.

Most distros stopped allowing root login years ago (you have to su/sudo). Does Gentoo still allow that?

cokehabit (Advocate)
Joined: 23 Apr 2004, Posts: 3302
Posted: Mon Jan 18, 2010 2:09 am

big dave wrote:
> mdeininger wrote:
> > i don't see why you'd need root access to those either for anything.
>
> most distros stopped allowing root login years ago (you have to su/sudo). does gentoo still allow that?

What do you mean "does Gentoo still allow that"? The whole idea behind Gentoo is you can allow anything as long as you can set it up.