Re: [Full-Disclosure] Any update on SSH brute force attempts?
On Fri, 2004-10-15 at 23:23, Kevin wrote:
> Use one time passwords (OTP, e.g. S/Key).

How about: Require (long) DSA keys? I'd like to see someone brute-force through a 4096 bit key :)

Cheers,
Frank
Re: [Full-Disclosure] Any update on SSH brute force attempts?
On Sat, 16 Oct 2004 14:57:31 +1300, James Riden <[EMAIL PROTECTED]> wrote:
> Jay Libove <[EMAIL PROTECTED]> writes:
> > What are you doing/changing about your SSH configurations to reduce the
> > possibility of these attacks finding any kind of hole in the OpenSSH
> > software (that's what I run, so that's the only version I'm particularly
> > concerned about) ? Are you doing anything at all?

Use one time passwords (OTP, e.g. S/Key).

Restrict which addresses are allowed to connect (via /etc/hosts.allow), and/or which user accounts are allowed from which sources (using AllowUsers in sshd_config).

I prefer to bind the listener to a specific IP address on hosts with multiple addresses; the BOFH might choose to have a tarpit *:22/TCP listener on hosts with many alias IPs..

> One or more of the following, depending on local requirements:
>
> * Run on a non-standard port - this will stop brain-dead scanning programs
> * Use key-based auth instead of passwords
> * Restrict what IP addresses are allowed to connect (at your firewall)
> * Disable root logins
> * Use john or crack to audit password strength
> * Use logwatch or similar to monitor failed login attempts
> * Make a honeypot and see what techniques people are trying out
>
> (Everyone's forcing version 2 of the protocol, right?)

$ sudo tail -5 /etc/ssh/sshd_config
Protocol 2
ListenAddress 172.23.97.2
MaxAuthTries 2
PermitRootLogin no
LogLevel VERBOSE
$ exit

I'm sorely tempted to forgo SSH for telnet encapsulated in SSL (via stunnel), with non-reusable passwords. Anybody else remember "Stel"?

Kevin

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Any update on SSH brute force attempts?
Jay Libove <[EMAIL PROTECTED]> writes:
> What are you doing/changing about your SSH configurations to reduce the
> possibility of these attacks finding any kind of hole in the OpenSSH
> software (that's what I run, so that's the only version I'm particularly
> concerned about) ? Are you doing anything at all?

One or more of the following, depending on local requirements:

* Run on a non-standard port - this will stop brain-dead scanning programs
* Use key-based auth instead of passwords
* Restrict what IP addresses are allowed to connect (at your firewall)
* Disable root logins
* Use john or crack to audit password strength
* Use logwatch or similar to monitor failed login attempts
* Make a honeypot and see what techniques people are trying out

(Everyone's forcing version 2 of the protocol, right?)

cheers,
Jamie
--
James Riden / [EMAIL PROTECTED] / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
[Full-Disclosure] Any update on SSH brute force attempts?
A month or three back, I engaged in some conversation with others here on full-disclosure about brute force login attempts several of us were seeing on our SSH servers. Brute force isn't really the right description, as each account is only tried a few times (root gets about 50). As we surmised before, this still looks like an attack looking for certain known ID/password combinations.

Recently, a couple of times a week, I see repeats of this which now have as many as fifty different accounts being attacked. (Almost none of which exist on my server, and none of which will have common passwords thankyouverymuch).

What are you doing/changing about your SSH configurations to reduce the possibility of these attacks finding any kind of hole in the OpenSSH software (that's what I run, so that's the only version I'm particularly concerned about) ? Are you doing anything at all?

Thanks
-Jay
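James suggests monitoring failed login attempts, and Jay describes the pattern worth looking for: one source trying many accounts (mostly non-existent ones) a few times each, with root getting more. The following is an added example, not code from the thread, that applies that heuristic to sshd's "Failed password" lines as logged at LogLevel VERBOSE; the log lines and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH's auth-log format (not taken from the thread).
SAMPLE_LOG = """\
Oct 16 03:12:01 host sshd[2101]: Failed password for root from 10.0.0.5 port 40110 ssh2
Oct 16 03:12:03 host sshd[2103]: Failed password for invalid user test from 10.0.0.5 port 40112 ssh2
Oct 16 03:12:05 host sshd[2105]: Failed password for invalid user guest from 10.0.0.5 port 40114 ssh2
Oct 16 03:12:07 host sshd[2107]: Failed password for invalid user admin from 10.0.0.5 port 40116 ssh2
Oct 16 03:12:09 host sshd[2109]: Failed password for root from 10.0.0.5 port 40118 ssh2
Oct 16 09:01:00 host sshd[2201]: Failed password for jay from 192.0.2.7 port 51000 ssh2
Oct 16 09:01:04 host sshd[2203]: Accepted publickey for jay from 192.0.2.7 port 51000 ssh2
"""

# "invalid user" is what sshd logs when the account does not exist on the host.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def summarize_failures(log_text):
    """Per source IP: total failures, attempts per account, set of non-existent accounts."""
    by_ip = defaultdict(lambda: {"total": 0, "accounts": defaultdict(int), "invalid": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        rec = by_ip[m["ip"]]
        rec["total"] += 1
        rec["accounts"][m["user"]] += 1
        if m["invalid"]:
            rec["invalid"].add(m["user"])
    return by_ip

def suspicious_sources(summary, min_accounts=3):
    """Flag sources that spread attempts over several accounts, at least half of which
    do not exist: a credential-list probe rather than a user mistyping one password."""
    flagged = []
    for ip, rec in summary.items():
        n_accounts = len(rec["accounts"])
        if n_accounts >= min_accounts and 2 * len(rec["invalid"]) >= n_accounts:
            flagged.append(ip)
    return sorted(flagged)

if __name__ == "__main__":
    summary = summarize_failures(SAMPLE_LOG)
    for ip in suspicious_sources(summary):
        rec = summary[ip]
        print(f"{ip}: {rec['total']} failures, {len(rec['accounts'])} accounts, "
              f"{len(rec['invalid'])} non-existent, root x{rec['accounts']['root']}")
```

On a real host, feed it the auth log (for example /var/log/auth.log or /var/log/secure, depending on the syslog setup) and tune min_accounts to local traffic.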