Gentoo Forums
SSH hacking attempts
Gentoo Forums Forum Index :: Duplicate Threads
Cyker (Veteran)
Joined: 15 Jun 2006, Posts: 1438
Posted: Mon Jan 18, 2010 8:52 am    Post subject: SSH hacking attempts

Is it me or has it been intensifying?

I checked my logs for the first time in a while and it was 15MB!

The biggest annoyance is that my brute-force blocker script is no longer effective as they're using distributed IPs (Darn you botnets, darn you to heck!), and while nothing has^H^H^H SEEMS to have gotten in yet, the sheer number of attempts is just scary (And this is with MaxStartups 1!!)
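The failure mode Cyker describes, a per-IP blocker that never fires when each host in a botnet only tries a password or two, shown as an added example that is not part of the original post. It parses constructed auth.log lines (documentation-range addresses, not real indicators) and puts the per-IP threshold next to a host-wide aggregate that distribution cannot dilute.

```python
import re
from collections import Counter

# Constructed sshd auth.log sample (documentation-range addresses, not real indicators).
SAMPLE_LOG = """\
Jan 18 08:01:02 host sshd[1201]: Failed password for root from 198.51.100.7 port 40122 ssh2
Jan 18 08:01:05 host sshd[1203]: Failed password for invalid user admin from 203.0.113.9 port 50233 ssh2
Jan 18 08:01:09 host sshd[1207]: Failed password for root from 192.0.2.44 port 41111 ssh2
Jan 18 08:01:12 host sshd[1210]: Failed password for invalid user test from 203.0.113.77 port 50001 ssh2
Jan 18 08:01:15 host sshd[1212]: Failed password for root from 198.51.100.7 port 40130 ssh2
Jan 18 08:01:19 host sshd[1215]: Failed password for invalid user oracle from 192.0.2.201 port 39000 ssh2
Jan 18 08:01:22 host sshd[1218]: Accepted publickey for cyker from 192.0.2.10 port 51000 ssh2
Jan 18 08:01:30 host sshd[1220]: Failed password for root from 203.0.113.150 port 42000 ssh2
"""

# Matches the "Failed password" line sshd writes for both existing and unknown ("invalid user") accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text):
    """Return (timestamp, username, source_ip) for every failed password attempt."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures.append((m.group("ts"), m.group("user"), m.group("ip")))
    return failures

def per_ip_blocklist(failures, threshold=5):
    """The classic blocker: ban a source IP once it alone crosses the threshold."""
    counts = Counter(ip for _, _, ip in failures)
    return {ip for ip, n in counts.items() if n >= threshold}

def aggregate_signal(failures):
    """Host-wide view a distributed botnet cannot dilute: total failures,
    number of distinct sources, and which accounts are being guessed."""
    ips = Counter(ip for _, _, ip in failures)
    users = Counter(user for _, user, _ in failures)
    return {"total": len(failures), "distinct_ips": len(ips), "top_users": users.most_common(3)}

if __name__ == "__main__":
    f = parse_failures(SAMPLE_LOG)
    print("per-IP bans at threshold 5:", per_ip_blocklist(f))  # empty set: no single IP crossed it
    print("aggregate:", aggregate_signal(f))                    # 7 failures from 6 sources, root guessed 4x
```

Alerting on the aggregate (or on the guessed-account pattern) is what catches the distributed case; the per-IP ban list stays empty for the same data.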
eccerr0r (Advocate)
Joined: 01 Jul 2004, Posts: 3598, Location: USA
Posted: Mon Jan 18, 2010 9:40 am

Apparently it's not just you. I can't see how this can't affect internet traffic, this must really use up a considerable amount of bandwidth to do this crap.

Anyway here's my recent OTW post about it, seems at least some people are noting the same thing:

https://forums.gentoo.org/viewtopic-t-811613-highlight-.html
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed to be advocating?
Cyker (Veteran)
Joined: 15 Jun 2006, Posts: 1438
Posted: Mon Jan 18, 2010 11:04 am

Doh, for some reason that thread didn't appear in my search-a-roo o.O

I think this one can be merged ;)
d2_racing (Moderator)
Joined: 25 Apr 2005, Posts: 13046, Location: Ste-Foy, Canada
Posted: Mon Jan 18, 2010 1:16 pm

You can reduce the attempts on your box with specific iptables rules that limit the number of attempts from a specific IP.

But if it's a botnet, then the source IP will be spoofed and you won't get anywhere.

Is there a way to counter a botnet attack that targets an SSH connection on your own server? I know that I can block the port, but is there any more elegant way to do so?
_________________
Sysadmin of GentooQuébec.org
Wiki
Signature
IRC on Freenode : #gentoo-quebec
eccerr0r (Advocate)
Joined: 01 Jul 2004, Posts: 3598, Location: USA
Posted: Mon Jan 18, 2010 5:01 pm

It's hard... the only way is to band together with a few people to share banned host lists...
otherwise it will make things inconvenient... at least that's the conclusion drawn.
Travisher (n00b)
Joined: 18 Jan 2010, Posts: 1
Posted: Mon Jan 18, 2010 5:53 pm

SSH attacks are intensifying. Try using an iptables or shorewall rule that limits access to a few specific IP addresses.

Or switch to using ssh keys only. This won't stop them trying but you can sleep at night.
I blagged the following from our internal wiki, I hope this helps.

If you don't use passwords, but only RSA keys for authentication, a brute force search for a valid password will obviously be useless.

(1) Generate an RSA key with ssh-keygen -t rsa. This will create the files /home/username/.ssh/id_rsa (the private key) and /home/username/.ssh/id_rsa.pub (the public key).

Code:
sh$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
The key fingerprint is:
32-digit_hexadecimal_fingerprint username@hostname

(2) On each machine to which you want to log in, put /home/username/.ssh/id_rsa.pub into /home/username/.ssh/authorized_keys. This file can hold more than one key, so it may be wise to concatenate the freshly generated key.

Code:
sh$ cat /home/username/.ssh/id_rsa.pub >> /home/username/.ssh/authorized_keys

(3) On each machine from which you want to log in, place the file /home/username/.ssh/id_rsa into the directory /home/username/.ssh/.

(4) Disable password-based login by setting 'PasswordAuthentication no' in /etc/ssh/sshd_config, and restart the sshd daemon with /etc/init.d/sshd restart.

Before you close your ssh terminal, check that you can no longer log in with a password, and check that you can log in with your key.
Keep your private key backed up somewhere safe and don't lose your passphrase. You can still use your password for console login, and you still need the password to su to root.
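A check for step (4) above and for the "disallow root logins" and "move the port" tips later in the thread, written as an added example that is not from Travisher's wiki or the thread. It resolves sshd_config the way sshd does (keywords are case-insensitive, the first value of a keyword wins, settings after a Match line are conditional) and also flags ChallengeResponseAuthentication, since with UsePAM the keyboard-interactive method can still prompt for a password when only PasswordAuthentication is set to no (the keyword is named KbdInteractiveAuthentication in OpenSSH 8.7 and later). Both sample configs are constructed.

```python
import re
# Constructed sshd_config samples (not from the original post).
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Port 5999
PermitRootLogin no
PasswordAuthentication no
# Otherwise PAM keyboard-interactive can still take a password:
ChallengeResponseAuthentication no
# Ignored: sshd keeps the first value it sees for a keyword.
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

def effective_settings(config_text):
    """Resolve global keywords like sshd: case-insensitive, optional '=',
    first occurrence wins, and settings after a Match line are conditional."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1]
        if key == "match":
            break  # conditional block begins; not part of the global view
        settings.setdefault(key, value)  # first value wins
    return settings

def audit(config_text):
    """Findings for the thread's hardening steps; an empty list means all checks passed."""
    s = effective_settings(config_text)
    findings = []
    if s.get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing still works")
    if s.get("challengeresponseauthentication") != "no":
        findings.append("ChallengeResponseAuthentication is not 'no': PAM can still prompt for a password")
    if s.get("permitrootlogin") != "no":
        findings.append("PermitRootLogin is not 'no': root is the most-guessed account")
    if s.get("port", "22") == "22":
        findings.append("Port 22: the default port attracts the most scanner noise")
    return findings
```

Run `audit(open("/etc/ssh/sshd_config").read())` on a real host to get the same findings for its configuration; the Match block in the sample shows why a per-user exception does not change the global result.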
mikegpitt (Advocate)
Joined: 22 May 2004, Posts: 3200
Posted: Mon Jan 18, 2010 6:37 pm

On the one server I have facing the world, I use openvpn to connect and firewall off connections from IPs outside the internal LAN. Even while following GLSAs I'd be worried about a 0-day unreported attack... this approach helps me sleep soundly, but might not be appropriate for all.
Shining Arcanine (Veteran)
Joined: 24 Sep 2009, Posts: 1110
Posted: Mon Jan 18, 2010 10:59 pm

Two tips:
  1. Configure sshd to disallow root logins.
  2. Change sshd's port to an uncommonly used port, most likely above 5000.
d2_racing (Moderator)
Joined: 25 Apr 2005, Posts: 13046, Location: Ste-Foy, Canada
Posted: Tue Jan 19, 2010 1:35 am

In fact, in my case, I use ssh port 5999 and basically my ssh is only available via my LAN, so basically I'm ok.

But if you want your box to be exposed to the net, then changing the port is a pretty good idea.
eccerr0r (Advocate)
Joined: 01 Jul 2004, Posts: 3598, Location: USA
Posted: Tue Jan 19, 2010 1:53 am

It looks like the attempts have died down for now once again, and life goes on with virtually no changes as most changes would be more painful than the attacks (remote firewalls, etc.)... back down to the usual few per day.

A huge list of bad hosts was collected...
timeBandit (Bodhisattva)
Joined: 31 Dec 2004, Posts: 2671, Location: here, there or in transit
Posted: Tue Jan 19, 2010 3:03 am

Moved from Networking & Security to Duplicate Threads.

SSH brute force attacks, the botnets that drive them, the defenses against them and the evolution of bots to counter the defenses are all very old news. If the simple expedients of "move the SSH port" and "use public-key authentication" are insufficient, study prior art for more ideas.

If you simply wish to vent about the latest uptick in activity, please do so in "Hail Mary SSH" is at it again.
_________________
Plants are pithy, brooks tend to babble--I'm content to lie between them.
Super-short f.g.o checklist: Search first, strip comments, mark solved, help others.
All times are GMT