Re: Brute-Force SSH Server Attacks Surge -- InformationWeek
On Thu, May 15, 2008 at 9:47 AM, Bob King [EMAIL PROTECTED] wrote:
> Many distros come with ssh installed by default, and often with root
> access allowed by default. I always thought that disabling root access
> via ssh is a good idea, but reading this I would assume it would be a
> good idea to just deactivate password access via ssh altogether and
> limit access to systems with keys known to the host. Moving the sshd to
> a non-standard port would be another move, but would that stop more
> than the most basic tools? I would be interested in hearing
> recommendations from other folks on the list.

Low hanging fruit:
- Non-standard port
- Use AllowUsers - only allow specific users
- DenyUsers - disable all system accounts
- RootLogin - disallowed
- Run denyhosts or some other blacklisting app
- Reboot your sshd periodically to time out connections
- Disable ping

Harder:
- No passwords allowed - must have keys
- Allow only specific IPs in
- Run in a chroot - you need to ssh tunnel out of it to another port
- Set up something like dial-back port knocking
- Eliminate every ssh feature you don't need - config or coding
- Add another layer of authentication
  - OTP (one time passwords) - there are ways to do this with a preprinted list
  - SecurID or something similar
- Run a different codebase - not OpenSSH, but lssh, SSH Inc, dropbear, etc.

___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
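Checking a server against the "low hanging fruit" items in that list can be scripted. The POSIX sh below is an added example, not code from any post in the thread: it reads an sshd_config with sshd's first-occurrence-wins, case-insensitive key semantics and reports on PermitRootLogin, PasswordAuthentication, AllowUsers and the listening port(s). The two sample configs are constructed, and Match blocks are deliberately not handled.

```shell
#!/bin/sh
# Audit an sshd_config for the thread's low-hanging-fruit items (added example,
# not from the list). Simplification: everything after a "Match" line is ignored.

# Effective value of a key: sshd takes the FIRST non-comment occurrence and
# keys are case-insensitive. Prints nothing when the key is unset.
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/             { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# Every Port line counts (sshd listens on all of them); none means 22.
sshd_ports() {
    awk '/^[ \t]*#/ { next }
         tolower($1) == "match" { exit }
         tolower($1) == "port"  { print $2 }' "$1"
}

# One line per check: "OK <item>" or "FAIL <item>: <why>".
audit_sshd_config() {
    f="$1"
    v="$(sshd_opt "$f" PermitRootLogin)"
    if [ "$v" = "no" ]; then echo "OK PermitRootLogin"
    else echo "FAIL PermitRootLogin: '${v:-unset}' (want no)"; fi
    v="$(sshd_opt "$f" PasswordAuthentication)"
    if [ "$v" = "no" ]; then echo "OK PasswordAuthentication"
    else echo "FAIL PasswordAuthentication: '${v:-unset, default yes}' (want no, keys only)"; fi
    v="$(sshd_opt "$f" AllowUsers)"
    if [ -n "$v" ]; then echo "OK AllowUsers: $v"
    else echo "FAIL AllowUsers: unset, every account may attempt a login"; fi
    ports="$(sshd_ports "$f")"
    if [ -z "$ports" ]; then ports=22; fi
    if printf '%s\n' "$ports" | grep -qvx 22; then echo "OK Port: $(echo $ports)"
    else echo "FAIL Port: only 22, the port the scanners try"; fi
}

# Number of FAIL lines on stdout (awk, so the exit status is always 0).
count_failures() { audit_sshd_config "$1" | awk '/^FAIL/ { n++ } END { print n + 0 }'; }

# Constructed samples: a distro-default-looking config and a hardened one.
STOCK=$(mktemp); HARDENED=$(mktemp)
cat > "$STOCK" <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PermitRootLogin no
EOF
cat > "$HARDENED" <<'EOF'
Port 22
Port 2222
permitrootlogin no
PasswordAuthentication no
AllowUsers bob kenta
EOF
audit_sshd_config "$STOCK";    echo "-- $(count_failures "$STOCK") failure(s)"
audit_sshd_config "$HARDENED"; echo "-- $(count_failures "$HARDENED") failure(s)"
```

The stock sample fails all four checks (the later `PermitRootLogin no` is ignored because the first occurrence wins, and the commented-out line does nothing); the hardened one passes, including Kenta-style 22-plus-non-standard binding.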
Re: Brute-Force SSH Server Attacks Surge -- InformationWeek
On May 16, 2008, at 09:56, Tom Buskey wrote:
> Harder:
> port knocking

If you can live with simple port knocking, it's just this hard:

    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --rcheck --name SSH -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1775 -m recent --name SSH --remove -j DROP
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1776 -m recent --name SSH --set -j DROP
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1777 -m recent --name SSH --remove -j DROP

Lines 2 and 4 are unnecessary if you're not concerned with sequential port scanners.

Then just set up your remote access device (e.g. a palm with pssh in my last non-scriptable case) with two profiles, one for 1776 and one for 22 that you execute in series.

In the scriptable case (e.g. n810):

~/bin/sshlib:

    #!/bin/sh
    # knock: the connection attempt to 1776 puts this client on the "SSH" recent list
    /usr/bin/nc -w 1 liberty.gnhlug.org 1776
    # port 22 now matches the --rcheck rule and accepts the connection
    /usr/bin/ssh -c blowfish -X -C liberty.gnhlug.org

Heck, it wouldn't surprise me if ssh could pre-launch a script on a per-machine config with a variable such that one could genericize the above.

-Bill

-
Bill McGonigle, Owner          Work: 603.448.4440
BFC Computing, LLC             Home: 603.448.1668
[EMAIL PROTECTED]              Cell: 603.252.2606
http://www.bfccomputing.com/   Page: 603.442.1833
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf
Fwd: Brute-Force SSH Server Attacks Surge -- InformationWeek
According to the Information Week article:
http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=207603339

One of the more interesting bits was that the attacks are shifting to a more distributed model to avoid detection by IDS/IPS systems, using botnets.

Many distros come with ssh installed by default, and often with root access allowed by default. I always thought that disabling root access via ssh is a good idea, but reading this I would assume it would be a good idea to just deactivate password access via ssh altogether and limit access to systems with keys known to the host. Moving the sshd to a non-standard port would be another move, but would that stop more than the most basic tools?

I would be interested in hearing recommendations from other folks on the list.
Re: Brute-Force SSH Server Attacks Surge -- InformationWeek
I ended up with the following config...

Bind ssh to two ports: 22 and a non-standard port. In my firewall rules I specifically allow certain IPs to connect to port 22. These include my internal network (192.168) and a handful of IPs from other hosts that I interact with on a regular basis.

Anyone can ssh to the non-standard port, but from what I've seen the attempts are few and far between since most people aren't looking for it. I used to get a handful or a few hundred handfuls of ssh login failures when I was on just 22, now I get pretty much none.

-Kenta

On 5/15/08, Bob King [EMAIL PROTECTED] wrote:
> According to the Information Week article:
> http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=207603339
>
> One of the more interesting bits was that the attacks are shifting to a
> more distributed model to avoid detection by IDS/IPS systems, using
> botnets.
>
> Many distros come with ssh installed by default, and often with root
> access allowed by default. I always thought that disabling root access
> via ssh is a good idea, but reading this I would assume it would be a
> good idea to just deactivate password access via ssh altogether and
> limit access to systems with keys known to the host. Moving the sshd to
> a non-standard port would be another move, but would that stop more
> than the most basic tools?
>
> I would be interested in hearing recommendations from other folks on
> the list.
Re: Brute-Force SSH Server Attacks Surge -- InformationWeek
On Thursday 15 May 2008 09:58, kenta wrote:
> I ended up with the following config...
>
> Bind ssh to two ports: 22 and a non-standard port. In my firewall rules
> I specifically allow certain IPs to connect to port 22. These include
> my internal network (192.168) and a handful of IPs from other hosts
> that I interact with on a regular basis.
>
> Anyone can ssh to the non-standard port, but from what I've seen the
> attempts are few and far between since most people aren't looking for
> it. I used to get a handful or a few hundred handfuls of ssh login
> failures when I was on just 22, now I get pretty much none.

Seconded - I've never gotten a failed SSH login report on a non-22 port. The attacks are botnets and so they're looking for the low-hanging fruit. As someone who watches logfiles, I'm already outside their target audience.

-N
Re: Brute-Force SSH Server Attacks Surge -- InformationWeek
I used to get a few thousand attempts every day on port 22. Restricting by IP is a *good* thing.

Suggestion: Restrict SSH access to certain IPs. Write a PHP or Python web app that can add an IP to that list (and also conveniently tells you what your IP is). The app should do this:

1) Text message your cell phone when an IP is added.
2) 3 minutes (or 5, or whatever) later, actually add the IP.

Since adding IPs is rare, the delay isn't ordinarily an issue, nor is the text message. I'm assuming the web app would have at least some sort of trivial authentication/password as well, even just .htaccess. Since it alerts you when used, it doesn't need to be draconian.

Of course, I'd rather you all stayed on port 22 with no access restrictions. I don't have to outrun the bear, I only need to outrun you. ;-)

--DTVZ
Re: Brute-Force SSH Server Attacks Surge -- InformationWeek
On Thu, May 15, 2008 at 9:47 AM, Bob King [EMAIL PROTECTED] wrote:
> According to the Information Week article:
> http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=207603339
>
> One of the more interesting bits was that the attacks are shifting to a
> more distributed model to avoid detection by IDS/IPS systems, using
> botnets.
>
> Many distros come with ssh installed by default, and often with root
> access allowed by default. I always thought that disabling root access
> via ssh is a good idea, but reading this I would assume it would be a
> good idea to just deactivate password access via ssh altogether and
> limit access to systems with keys known to the host. Moving the sshd to
> a non-standard port would be another move, but would that stop more
> than the most basic tools?
>
> I would be interested in hearing recommendations from other folks on
> the list.

sshguard is a nice tool. It monitors syslog and automatically adds iptables rules to drop packets from the source of an arbitrary number of incorrect logins.

http://sshguard.sourceforge.net/

Note, many of the installers don't set some things up, and require manual configuration. See:

http://sshguard.sourceforge.net/doc/setup/setup.html

Specifically, the section in http://sshguard.sourceforge.net/doc/setup/blockingiptables.html as they show the commands, but at least the Ubuntu package doesn't actually add those rules to any of the rc startup files. :-D

--
Thomas
Re: Brute-Force SSH Server Attacks Surge -- InformationWeek
Thomas Charron [EMAIL PROTECTED] writes:
> sshguard is a nice tool. It monitors syslog and automatically adds
> iptables rules to drop packets from the source of an arbitrary number
> of incorrect logins.
>
> http://sshguard.sourceforge.net/
>
> Note, many of the installers don't set some things up, and require
> manual configuration. See:
>
> http://sshguard.sourceforge.net/doc/setup/setup.html
>
> Specifically, the section in
> http://sshguard.sourceforge.net/doc/setup/blockingiptables.html as they
> show the commands, but at least the Ubuntu package doesn't actually add
> those rules to any of the rc startup files. :-D

I use swatch for this... I wrote a set of swatch scripts that automatically block IP addresses after the first failed login. Works great! (except when real users forget their username and try to login with another username)

-derek

--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/    PP-ASEL-IA    N1NWH
[EMAIL PROTECTED]                   PGP key available
Re: Fwd: Brute-Force SSH Server Attacks Surge -- InformationWeek
On Thu, 2008-05-15 at 09:47 -0400, Bob King wrote:
> I always thought that disabling root access via ssh is a good idea, but
> reading this I would assume it would be a good idea to just deactivate
> password access via ssh altogether and limit access to systems with
> keys known to the host. Moving the sshd to a non-standard port would be
> another move, but would that stop more than the most basic tools?
>
> I would be interested in hearing recommendations from other folks on
> the list.

I stuck with the standard port 22 simply to keep coordination with others simpler. Passwords are disabled. If I am involved with a project that requires giving others server access, they *must* give me a public key to obtain access. This also provides a chance to showcase tools like rsync and sshfs which are surprisingly unknown in the Windows world.

--
Lloyd Kvam
Venix Corp
DLSLUG/GNHLUG library
http://www.librarything.com/catalog/dlslug
http://www.librarything.com/profile/dlslug
http://www.librarything.com/rsshtml/recent/dlslug
Re: Fwd: Brute-Force SSH Server Attacks Surge -- InformationWeek
On Thu, 15 May 2008 09:47:39 -0400 Bob King [EMAIL PROTECTED] wrote:
> According to the Information Week article:
> http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=207603339
>
> One of the more interesting bits was that the attacks are shifting to a
> more distributed model to avoid detection by IDS/IPS systems, using
> botnets.
>
> Many distros come with ssh installed by default, and often with root
> access allowed by default. I always thought that disabling root access
> via ssh is a good idea, but reading this I would assume it would be a
> good idea to just deactivate password access via ssh altogether and
> limit access to systems with keys known to the host. Moving the sshd to
> a non-standard port would be another move, but would that stop more
> than the most basic tools?
>
> I would be interested in hearing recommendations from other folks on
> the list.

In addition to the other replies to this, also restrict authentication to public key.

--
Jerry Feldman [EMAIL PROTECTED]
Boston Linux and Unix
PGP key id: 537C5846
PGP Key fingerprint: 3D1B 8377 A3C0 A5F2 ECBB CA3B 4607 4319 537C 5846
Re: Brute-Force SSH Server Attacks Surge -- InformationWeek
Just another tool that does something similar to sshguard - denyhosts. (http://denyhosts.sf.net/)

It's pretty configurable and can actually be used to monitor other services as well if you're willing to do a little bit of regex work. I have to admit that since I've moved sshd away from port 22, I've not felt the need to run it anymore.

--
Cole Tuininga [EMAIL PROTECTED]
Code Energy
Re: Brute-Force SSH Server Attacks Surge -- InformationWeek
On Thu, May 15, 2008 at 9:58 AM, kenta [EMAIL PROTECTED] wrote:
> Bind ssh to two ports: 22 and a non-standard port. In my firewall rules
> I specifically allow certain IPs to connect to port 22.

One variant of that strategy is to run the real SSH on some non-standard port, and then run a sentry on 22, so that anyone trying to connect to 22 is automatically blacklisted.

For the truly paranoid, use port-knocking and a non-standard SSH port. And, of course, monitor the firewall logs, so that anyone probing other ports, or anyone probing the non-standard SSH port without knocking first, gets blacklisted.

I'm content with running SSH on a non-standard port, and if at all feasible, requiring public keys (no passwords). The non-standard port seems to stop pretty much all the stuff commonly found in the wild. (A specifically targeted attack would use a port scan, of course, but that would at least stand out in the logs.)

And, of course, if you're running Debian or Ubuntu, regenerate all your keypairs... :-(

-- Ben
Re: Brute-Force SSH Server Attacks Surge -- InformationWeek
On Thursday 15 May 2008 11:17, Ben Scott wrote:
> On Thu, May 15, 2008 at 9:58 AM, kenta [EMAIL PROTECTED] wrote:
>> Bind ssh to two ports: 22 and a non-standard port. In my firewall
>> rules I specifically allow certain IPs to connect to port 22.
>
> One variant of that strategy is to run the real SSH on some
> non-standard port, and then run a sentry on 22, so that anyone trying
> to connect to 22 is automatically blacklisted.

I would get myself blacklisted a lot from my own servers. It's not uncommon for me to forget if I'm inside my network or outside.

-N
Re: Brute-Force SSH Server Attacks Surge -- InformationWeek
On Thu, 15 May 2008 11:17:55 -0400 Ben Scott [EMAIL PROTECTED] wrote:
> One variant of that strategy is to run the real SSH on some
> non-standard port, and then run a sentry on 22, so that anyone trying
> to connect to 22 is automatically blacklisted.

That may be overly brutal. I routinely log into a server with a non-standard port, and every once in a while I forget to use '-p '. Certainly multiple simultaneous attempts should be blacklisted.

--
Jerry Feldman [EMAIL PROTECTED]
Boston Linux and Unix
PGP key id: 537C5846
PGP Key fingerprint: 3D1B 8377 A3C0 A5F2 ECBB CA3B 4607 4319 537C 5846
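The log-driven blocking that sshguard and Derek's swatch scripts do, combined with Jerry's point that only repeated attempts should be blacklisted, looks like this as an added example (not code from any post in the thread, nor from sshguard or swatch): it counts "Failed password" lines per source address in a constructed auth.log, applies a threshold and an allowlist of your own networks so you cannot lock yourself out from inside, and prints the iptables rules for review instead of executing them. Hostname, addresses (RFC 5737 documentation ranges) and the allowlist are all constructed.

```shell
#!/bin/sh
# Dry-run log-based SSH blocker (added example, not from the list posts).
# Counts sshd "Failed password" lines per source, applies a threshold and an
# allowlist, and PRINTS the iptables rules rather than running them.

# "<count> <ip>" per source address, most failures first.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Addresses with at least $2 failures in log $1, minus any whose prefix is
# listed in file $3 (one prefix per line, e.g. "192.168."). Threshold 1 is
# the block-after-first-failure policy; higher values are the sshguard style.
ips_to_block() {
    failed_by_ip "$1" | awk -v t="$2" -v allow="$3" '
        BEGIN { while ((getline p < allow) > 0) if (p != "") pre[p] = 1 }
        $1 >= t { for (p in pre) if (index($2, p) == 1) next; print $2 }
    ' | sort
}

# One DROP rule per offender, printed for review (pipe to sh once checked).
block_rules() {
    ips_to_block "$@" | while read -r ip; do
        echo "iptables -I INPUT -s $ip -p tcp --dport 22 -j DROP"
    done
}

# Constructed sample auth.log and allowlist for the internal network.
LOG=$(mktemp); ALLOW=$(mktemp)
cat > "$LOG" <<'EOF'
May 15 09:47:01 srv sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2
May 15 09:47:03 srv sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
May 15 09:47:05 srv sshd[1236]: Failed password for root from 203.0.113.7 port 51250 ssh2
May 15 09:48:00 srv sshd[1240]: Failed password for kenta from 192.168.1.20 port 40000 ssh2
May 15 09:48:10 srv sshd[1240]: Accepted publickey for kenta from 192.168.1.20 port 40000 ssh2
May 15 09:49:00 srv sshd[1250]: Failed password for invalid user oracle from 198.51.100.9 port 33333 ssh2
EOF
printf '192.168.\n' > "$ALLOW"

echo "== failures per source =="; failed_by_ip "$LOG"
echo "== block after 3 failures =="; block_rules "$LOG" 3 "$ALLOW"
echo "== block after 1 failure (swatch style) =="; block_rules "$LOG" 1 "$ALLOW"
```

With threshold 3 only the address that hammered root and admin is blocked; with threshold 1 the single-failure scanner is blocked too, while the internal user who mistyped a password is spared by the allowlist.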
Re: Brute-Force SSH Server Attacks Surge -- InformationWeek
My life just got infinitesimally easier. Thanks. Also works with scp, which is where I generally mess up the port selection. (-P instead of -p, BAH!)

--DTVZ

On Thu, May 15, 2008 at 2:18 PM, Ben Scott [EMAIL PROTECTED] wrote:
> In my $HOME/.ssh/config file:
>
>     Host lib
>         Hostname liberty.gnhlug.org
>         Port 1776
>
> Then I just type "ssh lib" and I'm in on the right port.
>
> -- Ben
Re: Brute-Force SSH Server Attacks Surge -- InformationWeek
Agree with Drew. It's nice to know about that.

On Thu, 15 May 2008 14:44:39 -0400 Drew Van Zandt [EMAIL PROTECTED] wrote:
> My life just got infinitesimally easier. Thanks. Also works with scp,
> which is where I generally mess up the port selection. (-P instead of
> -p, BAH!)
>
> --DTVZ
>
> On Thu, May 15, 2008 at 2:18 PM, Ben Scott [EMAIL PROTECTED] wrote:
>> In my $HOME/.ssh/config file:
>>
>>     Host lib
>>         Hostname liberty.gnhlug.org
>>         Port 1776
>>
>> Then I just type "ssh lib" and I'm in on the right port.
>>
>> -- Ben

--
Jerry Feldman [EMAIL PROTECTED]
Boston Linux and Unix
PGP key id: 537C5846
PGP Key fingerprint: 3D1B 8377 A3C0 A5F2 ECBB CA3B 4607 4319 537C 5846
Re: Brute-Force SSH Server Attacks Surge -- InformationWeek
On May 15, 2008, Cole Tuininga sent me the following:
> Just another tool that does something similar to sshguard - denyhosts.
> (http://denyhosts.sf.net/)
>
> It's pretty configurable and can actually be used to monitor other
> services as well if you're willing to do a little bit of regex work. I
> have to admit that since I've moved sshd away from port 22, I've not
> felt the need to run it anymore.

I've also been using denyhosts on my private server. Works very well. If anyone would like some pointers on setting it up using BSD's pf instead of its default tcpwrappers, feel free to drop me a line.

--
Chip Marshall [EMAIL PROTECTED]
http://weblog.2bithacker.net/
PGP key ID 43C4819E
Re: Brute-Force SSH Server Attacks Surge -- InformationWeek
FYI, you can also use the config file to specify different ssh keys to be used for different remote systems. Very useful.

Dan

Drew Van Zandt wrote:
> My life just got infinitesimally easier. Thanks. Also works with scp,
> which is where I generally mess up the port selection. (-P instead of
> -p, BAH!)
>
> --DTVZ
>
> On Thu, May 15, 2008 at 2:18 PM, Ben Scott [EMAIL PROTECTED] wrote:
>> In my $HOME/.ssh/config file:
>>
>>     Host lib
>>         Hostname liberty.gnhlug.org
>>         Port 1776
>>
>> Then I just type "ssh lib" and I'm in on the right port.
>>
>> -- Ben