Firewall Wizards mailing list archives

Re: SSH brute force attack


From: Marko Jakovljevic <wizardx86 () gmail com>
Date: Tue, 5 Jul 2005 18:49:25 +0200

Hey Todd, and guys :)

This is my first post, so I hope this is the way to reply to the mailing list ;)

I also have the same problem with these brute SSH attacks. As Matthew
Want specifies, there isn't much else you can do besides blackholing the
IP. I do know of cases where the system is merely a honeypot
compromised by a sub7 variant or running something called evilbot.
This effectively allows the zombie master to control all the 'zombies'
that log in to the server. Besides this being very effective for denial
of service attacks, they can also use the zombies for brute force
attacks and phishing on IRC servers / MSN / email phishing etc.

I would suggest completely disallowing external SSH access for the
root account; another possibility is using iptables, or whichever
firewall you use, to change the SSH port so that the default port
gets a connection refused. This throws a spanner in the works for the
average script kiddie. If you don't know iptables that well (assuming
you are using iptables in the first place),
http://qtables.radom.org/download.php is an excellent website with a
built-in standalone script that generates an iptables ruleset which is
easy to follow.

Another great tool I found that helps is
http://swatch.sourceforge.net/ for monitoring the logs. What Swatch
can do is monitor whatever logs you wish it to monitor and create
specific firewall rules for an active response. Swatch also has
emailing and, if it pleases you, SMS gateway facilities. What
I did with Swatch was basically set up a configuration where any false
login attempts to (test/admin/joe/bill) and such others
automatically blackhole that address and prevent it from accessing
the system for a certain period of time. This "throttle" lasts for
around 600 seconds on the first attempt, and if the attempts continue
the throttle lasts longer and longer. The theory is that if it is a
compromised honeypot, sooner or later it is going to be cleaned up
(hopefully), so the ban won't last forever (not that it really matters).
Furthermore, any attempts on root and such other accounts can follow
the same pattern.

With some creative use of Swatch and Ethereal you can set up an email
that is sent to you weekly with the logged IPs of every attempt as
well as how many failed attempts and the accounts attempted, and then you
can take measures from there.

NB - VERY IMPORTANT!
When working with Swatch I found a problem with regard to creating
rulesets for other packets besides SSH. Using ettercap (packet
generator) http://sourceforge.net/projects/ettercap/
I was able to create a packet with the same destination IP as the
source IP, resulting in me blocking myself out of the system. Although
the attacker gets no benefit from this, he automatically blocks the IP,
hence turning the system into a closed loop. This isn't possible (I
think?) with SSH packets, as with those one cannot spoof the source IP, but
with others it is.

In summary I'd say Swatch is the best option if those brute attempts
keep annoying you, but I guess just preventing outside root SSH access
and changing the default SSH port, ah yeah, and making a good password
(not something like 1234 or password / root / l33t) etc. would
result in a relatively secure system.

Thanks guys



"Apart from black-holing the addresses in a "No SSH for you" policy on the
firewall (horse already bolted), about the only thing you can do is ensure
that you can't SSH in as root (something I highly advise anyway) and go to
strong authentication. I have used SKEY quite successfully for this and it's
free :-)."

On 7/3/05, David Ross <David.Ross () isrc qut edu au> wrote:
Toderick, Lee W wrote:
Our computers running SSH daemons have logged attacks. The attacks begin
with a scan logged "Did not receive identification string from x.x.x.x",
followed approximately 15 minutes later with "Illegal user " or " Failed
password for root".

Does anyone have information or documentation about this scan/attack?

I see it daily - and usually ignore it.
Sometimes I filter the address blocks if they belong to ISPs in
countries that I am unlikely to visit (and hence ssh from).
That keeps the logs manageable.

--
David Ross
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

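As an added example (not code from the thread, from Swatch or from any poster), a Python sketch of the active-response logic Marko describes: it parses the three sshd messages quoted in the thread, keeps per-IP counts of failed logins and the accounts tried, escalates the throttle from 600 seconds upward for repeat offenders, and keeps an allow-list of your own addresses so the self-lockout he warns about cannot happen. The log lines, addresses and the NEVER_BAN set are constructed placeholders; the iptables rule is returned as text, not executed.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the thread), in the message formats the thread quotes.
SAMPLE_LOG = """\
Jul  5 18:01:02 host sshd[1201]: Did not receive identification string from 203.0.113.7
Jul  5 18:16:10 host sshd[1290]: Illegal user test from 203.0.113.7
Jul  5 18:16:12 host sshd[1291]: Illegal user admin from 203.0.113.7
Jul  5 18:16:14 host sshd[1292]: Failed password for root from 203.0.113.7 port 4022 ssh2
Jul  5 18:20:00 host sshd[1300]: Failed password for root from 198.51.100.9 port 3344 ssh2
Jul  5 18:21:00 host sshd[1301]: Failed password for root from 192.0.2.1 port 3345 ssh2
"""

FAIL_RE = re.compile(r"(?:Illegal user (?P<user>\S+)|Failed password for (?P<ruser>\S+)) from (?P<ip>[\d.]+)")
SCAN_RE = re.compile(r"Did not receive identification string from (?P<ip>[\d.]+)")

BASE_BAN = 600  # seconds; the first throttle in the post lasts around 600 s
# Assumption: addresses you administer from. They are never blackholed, so a packet
# with a forged source (the closed-loop problem in the post) cannot lock you out.
NEVER_BAN = {"127.0.0.1", "192.0.2.1"}

def parse_failures(log_text):
    """Return ({ip: [accounts tried]}, {ip: scan count}) from sshd log text."""
    failures, scans = defaultdict(list), defaultdict(int)
    for line in log_text.splitlines():
        if m := FAIL_RE.search(line):
            failures[m["ip"]].append(m["user"] or m["ruser"])
        elif m := SCAN_RE.search(line):
            scans[m["ip"]] += 1
    return dict(failures), dict(scans)

def ban_seconds(prior_bans):
    """Escalating throttle: 600 s first, doubling for every earlier ban of the same IP."""
    return BASE_BAN * 2 ** prior_bans

def plan_bans(failures, history, threshold=1):
    """Map offending IP -> ban length now; history holds how often each IP was banned before."""
    return {ip: ban_seconds(history.get(ip, 0))
            for ip, accounts in failures.items()
            if ip not in NEVER_BAN and len(accounts) >= threshold}

def iptables_rule(ip):
    """Rule text Swatch would hand to the shell for the blackhole (not executed here)."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"

def summary(failures):
    """Per-IP data for the weekly mail the post describes: attempt count and accounts tried."""
    return {ip: (len(acc), sorted(set(acc))) for ip, acc in failures.items()}
```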