Re: [LUAU] Handling Brute Force Attacks
On Wed, Jul 27, 2005 at 08:29:16AM -1000, R. Scott Belford wrote:

> How are others handling this? Do you block the IP address? If so,
> does it help, or are you still found by yet another zombie?
> Any suggestions or insight are welcome.

The reactive projects popping up in response to this are great technical exercises but are simply band-aids, because you lock down access _after_ you detect a problem.

If you just want to stop the zombies and not targeted attacks, simply move your ssh port. This is probably the easiest approach.

To really be safe, move to a default-deny stance and only allow [semi-]trusted networks to ssh into your server.

-Vince
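The advice in this thread (no root logins, key-only authentication instead of passwords, a non-default port to shed the zombies, and a default-deny allow list of users and networks) all lands in sshd_config. The following is an added example, not code from anyone in the thread: a small checker that reads an sshd_config text and reports which of those settings are missing or permissive. The two config texts are constructed; the keyword names are real sshd_config keywords, and the "first occurrence of a keyword wins" rule it follows is sshd's own.

```python
"""Added example: audit an sshd_config for the hardening this thread recommends.
Config texts below are constructed; the threshold of what counts as a finding
is this example's choice, not an sshd rule."""
import re

# Settings the thread recommends, compared case-insensitively against the config.
RECOMMENDED = {"PermitRootLogin": "no", "PasswordAuthentication": "no"}

# Constructed permissive configuration: the state a default 2005-era install is in.
WEAK_CONFIG = """\
# constructed example of a permissive sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed configuration following the thread's advice (addresses are
# documentation ranges, not a real host's networks).
HARDENED_CONFIG = """\
# constructed example following the thread's advice
# non-default port keeps the scanning zombies away; it is not a security boundary
Port 2222
PermitRootLogin no
# keys only: removes the password-guessing surface entirely
PasswordAuthentication no
PubkeyAuthentication yes
# default deny: only the listed account, and only from the listed networks
AllowUsers scott@192.0.2.0/24 scott@198.51.100.7
"""


def parse_sshd_config(text):
    """Return {keyword_lowercased: value} for the effective setting of each keyword.
    sshd uses the first occurrence of a keyword and ignores later ones, so
    setdefault() models that; parsing stops at the first Match block because
    settings inside it are conditional and not audited here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.lower().startswith("match"):
            break
        # sshd accepts "Keyword value" or "Keyword=value"
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    s = parse_sshd_config(text)
    findings = []
    for key, want in RECOMMENDED.items():
        got = s.get(key.lower(), "(not set, sshd default applies)")
        if got.lower() != want:
            findings.append(f"{key}: found {got}, recommended {want}")
    if s.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication: disabled, leaving only passwords")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("AllowUsers/AllowGroups: none, so every account is a login target")
    if s.get("port", "22") == "22":
        findings.append("Port: 22, the port the scanning zombies try")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or 'no findings'}")
```

Run against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; the port finding is informational, since moving the port only hides the daemon from scanners, while the AllowUsers line is what actually implements the default-deny stance Vince describes.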
[LUAU] Handling Brute Force Attacks
Slashdot recently referenced a good article about the growing number of Brute Force Attacks against ssh:
http://www.whitedust.net/article/27/Recent%20SSH%20Brute-Force%20Attacks/

Night after night my server is one whose logs fill with thousands of lines like these:

Security Events
=-=-=-=-=-=-=-=
Jul 27 03:02:07 debby sshd[19964]: Failed password for illegal user daisy from :::217.106.234.86 port 36812 ssh2
Jul 27 03:02:09 debby sshd[20058]: Failed password for illegal user dorina from :::217.106.234.86 port 36912 ssh2
Jul 27 03:02:11 debby sshd[20143]: Failed password for illegal user marian from :::217.106.234.86 port 37011 ssh2
Jul 27 03:02:14 debby sshd[20195]: Failed password for illegal user juan from :::217.106.234.86 port 37114 ssh2
Jul 27 03:02:16 debby sshd[20243]: Failed password for illegal user don from :::217.106.234.86 port 37212 ssh2

I don't allow Root logins and I only allow trusted users.

How are others handling this? Do you block the IP address? If so, does it help, or are you still found by yet another zombie?

Any suggestions or insight are welcome.

--scott
Re: [LUAU] Handling Brute Force Attacks
On Jul 27, 2005, at 11:29 AM, R. Scott Belford wrote:

> Slashdot recently referenced a good article about the growing number
> of Brute Force Attacks against ssh
> http://www.whitedust.net/article/27/Recent%20SSH%20Brute-Force%20Attacks/
>
> Night after night my server is one whose logs fill with thousands of
> lines like these:
>
> Security Events
> =-=-=-=-=-=-=-=
> Jul 27 03:02:07 debby sshd[19964]: Failed password for illegal user daisy from :::217.106.234.86 port 36812 ssh2
> Jul 27 03:02:09 debby sshd[20058]: Failed password for illegal user dorina from :::217.106.234.86 port 36912 ssh2
> Jul 27 03:02:11 debby sshd[20143]: Failed password for illegal user marian from :::217.106.234.86 port 37011 ssh2
> Jul 27 03:02:14 debby sshd[20195]: Failed password for illegal user juan from :::217.106.234.86 port 37114 ssh2
> Jul 27 03:02:16 debby sshd[20243]: Failed password for illegal user don from :::217.106.234.86 port 37212 ssh2

Since the beginning of July we've turned away nearly 5500 of these, and 16 more attempts that resulted in

Did not receive identification string from IP.AD.DR.ESS

It's been going on for at least a year, possibly longer. (I'm trying to forget all that came before Hawaii.)

Here are the most popular names they try (and the number of times they've tried them):

368 admin
125 user
87 administrator
37 test
32 guest
29 adm
22 account
21 info
17 oracle
17 abuse
17 aaron
16 tomcat
15 webadmin
14 pgsql
14 adachi
14 abe
14 a4
13 michael
13 fax
12 sales
12 mike
12 george
12 cyrus
12 angel
12 admins
11 web
11 richard
11 cary
10 webmaster
10 rpm
10 nicole

> I don't allow Root logins and I only allow trusted users.

You could turn off password authentication. (It's what I do. A bit more admin headache up-front, but most people love not having to remember passwords. It does, however, open you a bit to *their* security practices (but so do passwords).)

> How are others handling this? Do you block the IP address? If so,
> does it help, or are you still found by yet another zombie?
>
> Any suggestions or insight are welcome.

Some advocate dynamic port knocking:
http://www.security.org.sg/code/portknock1.html

Some don't:
http://software.newsforge.com/software/04/08/02/1954253.shtml

You can auto-blacklist as well:
http://www.pettingers.org/code/sshblack.html

Jim
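Scott's log excerpt and Jim's username tally are the raw material for the auto-blacklisting Jim mentions. The following is an added example, not code from the thread, from sshblack or from DenyHosts: it parses sshd "Failed password" and "Did not receive identification string" lines, counts the account names tried (Jim's "368 admin" list), and picks blocklist candidates with a sliding-window count per source address rather than a lifetime total, so one user mistyping a password a few times a month is not swept up. The first five sample lines are the ones posted above; the remaining four, the threshold, the window, and the year attached to the syslog timestamps (which carry none) are constructed assumptions.

```python
"""Added example: detection over sshd failure lines like the ones posted.
Not the thread's, sshblack's or DenyHosts' code. Sample lines after the
first five, the threshold/window and the year are constructed assumptions."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# First five lines are from the post; the last four are constructed
# (documentation-range addresses) to show a slow source and a real user.
SAMPLE_LOG = """\
Jul 27 03:02:07 debby sshd[19964]: Failed password for illegal user daisy from :::217.106.234.86 port 36812 ssh2
Jul 27 03:02:09 debby sshd[20058]: Failed password for illegal user dorina from :::217.106.234.86 port 36912 ssh2
Jul 27 03:02:11 debby sshd[20143]: Failed password for illegal user marian from :::217.106.234.86 port 37011 ssh2
Jul 27 03:02:14 debby sshd[20195]: Failed password for illegal user juan from :::217.106.234.86 port 37114 ssh2
Jul 27 03:02:16 debby sshd[20243]: Failed password for illegal user don from :::217.106.234.86 port 37212 ssh2
Jul 27 03:40:02 debby sshd[20417]: Failed password for illegal user admin from ::ffff:198.51.100.23 port 41002 ssh2
Jul 27 05:12:44 debby sshd[21188]: Failed password for illegal user admin from ::ffff:198.51.100.23 port 41877 ssh2
Jul 27 07:15:30 debby sshd[22031]: Failed password for scott from ::ffff:192.0.2.10 port 50122 ssh2
Jul 27 07:15:31 debby sshd[22040]: Did not receive identification string from ::ffff:198.51.100.23
"""

SYSLOG_TS = r"(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
# Accept both the ':::1.2.3.4' form in the posted logs (a mangled
# IPv4-mapped IPv6 address) and the usual '::ffff:1.2.3.4'.
IPV4 = r"(?:::ffff:|:::)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
FAILED_RE = re.compile(
    SYSLOG_TS + r" \S+ sshd\[\d+\]: Failed password for "
    r"(?:(?:illegal|invalid) user )?(?P<user>\S+) from " + IPV4 + r" port \d+"
)
NOID_RE = re.compile(
    SYSLOG_TS + r" \S+ sshd\[\d+\]: Did not receive identification string from " + IPV4
)


def parse_events(lines, year=2005):
    """Turn raw log lines into event dicts; lines matching neither pattern are skipped."""
    events = []
    for line in lines:
        for kind, rx in (("failed", FAILED_RE), ("noid", NOID_RE)):
            m = rx.match(line)
            if m:
                ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
                events.append({"ts": ts, "ip": m["ip"], "kind": kind,
                               "user": m.groupdict().get("user")})
                break
    return events


def tally_usernames(events):
    """Count the account names tried, the way Jim's '368 admin' list does."""
    return Counter(ev["user"] for ev in events if ev["user"])


def blocklist_candidates(events, threshold=5, window=timedelta(minutes=10)):
    """Source addresses with at least `threshold` events inside any span of `window`.
    Two-pointer sliding window over each address's sorted timestamps."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev["ts"])
    flagged = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:   # slide the left edge forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG.splitlines())
    for name, count in tally_usernames(evs).most_common():
        print(f"{count:>5} {name}")
    print("blocklist candidates:", blocklist_candidates(evs))
```

Feed it a real file with `parse_events(open("/var/log/auth.log").readlines())`. The candidate list is what a tool like the ones Jim links would turn into firewall rules; the window keeps the slow source at 198.51.100.23 and the legitimate user off the list, which is exactly the false-positive trade-off any auto-blacklister has to make.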
Re: [LUAU] Handling Brute Force Attacks
I use DenyHosts.

> What is DenyHosts?
>
> DenyHosts is a script intended to be run by Linux system administrators to help thwart ssh server attacks. If you've ever looked at your ssh log (/var/log/secure on Redhat, /var/log/auth.log on Mandrake, etc...) you may be alarmed to see how many hackers attempted to gain access to your server. Hopefully, none of them were successful (but then again, how would you know?). Wouldn't it be better to automatically prevent that attacker from continuing to gain entry into your system?

http://denyhosts.sourceforge.net/

"When I take action I'm not going to fire a $2 million missile at a $10 empty tent and hit a camel in the butt."
-- President of the United States, George W. Bush

----- Original Message -----
From: R. Scott Belford [EMAIL PROTECTED]
Date: Wednesday, July 27, 2005 8:29 am
Subject: [LUAU] Handling Brute Force Attacks

> Slashdot recently referenced a good article about the growing number
> of Brute Force Attacks against ssh
> http://www.whitedust.net/article/27/Recent%20SSH%20Brute-Force%20Attacks/
>
> Night after night my server is one whose logs fill with thousands of
> lines like these:
>
> Security Events
> =-=-=-=-=-=-=-=
> Jul 27 03:02:07 debby sshd[19964]: Failed password for illegal user daisy from :::217.106.234.86 port 36812 ssh2
> Jul 27 03:02:09 debby sshd[20058]: Failed password for illegal user dorina from :::217.106.234.86 port 36912 ssh2
> Jul 27 03:02:11 debby sshd[20143]: Failed password for illegal user marian from :::217.106.234.86 port 37011 ssh2
> Jul 27 03:02:14 debby sshd[20195]: Failed password for illegal user juan from :::217.106.234.86 port 37114 ssh2
> Jul 27 03:02:16 debby sshd[20243]: Failed password for illegal user don from :::217.106.234.86 port 37212 ssh2
>
> I don't allow Root logins and I only allow trusted users.
>
> How are others handling this? Do you block the IP address? If so,
> does it help, or are you still found by yet another zombie?
>
> Any suggestions or insight are welcome.
>
> --scott

___
LUAU@lists.hosef.org mailing list
http://lists.hosef.org/cgi-bin/mailman/listinfo/luau