[H-GEN] Blocking SSH exploits

Snowy Angelique Maslov aka 'Snowpony' snowy at snowy.org
Sun Aug 22 20:22:47 EDT 2004

Sarah Walters said the following on 22/08/2004 7:12 PM:

> [ Humbug *General* list - semi-serious discussions about Humbug and     ]
> [ Unix-related topics. Posts from non-subscribed addresses will vanish. ]
> Hi all,
> In the daily security report generated by our FreeBSD box, we've been 
> getting a lot of messages like the following lately:
> tempus.walters.id.au login failures:
> Aug 21 09:07:25 tempus sshd[14677]: Failed password for root from 
> port 39247 ssh2
> Aug 21 09:11:48 tempus sshd[14715]: Failed password for root from 
> port 46055 ssh2
> Aug 21 09:11:52 tempus sshd[14717]: Failed password for root from 
> port 46156 ssh2
> Aug 21 21:18:49 tempus sshd[16716]: Failed password for root from 
> port 3989 ssh2
> Aug 21 21:18:56 tempus sshd[16720]: Failed password for root from 
> port 4110 ssh2
> Of course we don't have SSH enabled for root under any circumstances, 
> but we do SSH home frequently so would not want to block external IPs 
> altogether. Has anyone seen a similar increase in such attempts, and is 
> there something out there that I should know about?
> By the way, we are thinking that it would be nice to be able to block 
> IPs that make any such attempts automatically, probably for about 10 
> minutes. Does anyone know how to do this, and would it be worthwhile 
> trying?

These are just automated attacks looking for basic passwords on exposed 
SSH-enabled boxes for root.  Now, blocking IPs automatically only tends to 
give people a way of DoSing your box once they work out what is going on.

My solution is to run SSH (the only application exposed to the Internet) on a 
different port for my home connection's external access.  I had toyed with the 
idea of using a port knocking solution as well; however, I realised I use this 
service from anywhere and would not always have all the tools needed to get in 
if I had to port knock, unless I made it very simple (and the only port 
knocking solution I had liked so far included encrypted pass phrases injected 
into packets).

Considering it was a home server and such, I opted to go the less secure route 
of just moving the server to a non-standard port and restricting the valid 
users who can log in via SSH to just a couple of IDs (since few actually SSH 
home anyway and primarily use the box only when on location).  If I were to 
make it more secure, I would probably only allow public key encryption as the 
method of identification.   SSH of course runs in privilege separation mode.  
Finally, I make use of DShield's list of known "bad" IP addresses/ranges to 
get rid of any known sources of problems, with a filter to make sure it does 
not include any critical IP addresses (and flags when they are listed).

Snowy "Snowpony" Angelique Cerise Maslov -- http://snowy.org/email.signature
PGP (GnuPG) fingerprint = 5280 6EBC D281 A9D2 564B  E274 B2EC 54C3 8325 CECD
Email not addressed/CCd to snowy at snowy.org BOUNCE.  READ URL for disclaimer!
    "Ignorance killed the cat, sir. Curiosity was framed." ---C.J. Cherryh
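
The hardening steps the reply lists (non-standard port, a short AllowUsers list,
key-only authentication, privilege separation) map onto a handful of sshd_config
directives. The fragment below is an added example, not configuration from
either poster; the port number and user names are placeholders, and the
commented-out lines show the permissive defaults that an exposed home box of
that era typically ran with.

```text
# /etc/ssh/sshd_config - hardened fragment (added example, not from the post)

# Default: Port 22. Moving the listener only reduces scanner noise;
# it does not stop someone who has found the port.
Port 2222

# Default on many older builds: PermitRootLogin yes.
PermitRootLogin no

# Restrict logins to the handful of accounts that actually SSH home
# (placeholder names).
AllowUsers alice bob

# "Only allow public key" from the reply: turn password and other
# interactive methods off so the guessing seen in the log cannot succeed
# even against a weak password.
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes

# Privilege separation, as the reply says it runs. Current OpenSSH makes
# this mandatory and treats the directive as deprecated; keep it only on
# the older releases that still accept it.
UsePrivilegeSeparation yes
```

Run `sshd -t` after editing to syntax-check the file, and keep an existing
session open while restarting the daemon so a typo in AllowUsers does not lock
you out of your own box.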

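Sarah's question above asks how to block a source automatically for about ten
minutes after failed attempts, and the reply warns that doing so hands an
attacker a way to lock out legitimate sources. The script below is an added
example, not code from either poster, showing the detection half of such a
scheme in Python: it parses syslog-format sshd lines, applies a sliding-window
threshold (assumed here: three failures within five minutes), and computes a
ten-minute block per offending address. Addresses on a never-block list (the
ones you SSH home from) are flagged instead of blocked, mirroring the filter
the reply keeps around the DShield list. The sample log is constructed: the
list archive stripped the real source addresses, so RFC 5737 test addresses
stand in, and the year is assumed to be 2004 because syslog omits it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (not from the original post; RFC 5737 addresses
# replace the ones the archive stripped). 192.0.2.50 plays the admin's home IP.
SAMPLE_LOG = """\
Aug 21 09:07:25 tempus sshd[14677]: Failed password for root from 203.0.113.7 port 39247 ssh2
Aug 21 09:11:48 tempus sshd[14715]: Failed password for root from 203.0.113.7 port 46055 ssh2
Aug 21 09:11:52 tempus sshd[14717]: Failed password for root from 203.0.113.7 port 46156 ssh2
Aug 21 09:12:03 tempus sshd[14720]: Failed password for invalid user admin from 203.0.113.7 port 46201 ssh2
Aug 21 21:18:49 tempus sshd[16716]: Failed password for root from 198.51.100.20 port 3989 ssh2
Aug 21 21:18:56 tempus sshd[16720]: Failed password for root from 198.51.100.20 port 4110 ssh2
Aug 21 21:40:01 tempus sshd[16801]: Failed password for sarah from 192.0.2.50 port 51022 ssh2
Aug 21 21:40:09 tempus sshd[16803]: Failed password for sarah from 192.0.2.50 port 51023 ssh2
Aug 21 21:40:15 tempus sshd[16805]: Failed password for sarah from 192.0.2.50 port 51024 ssh2
Aug 21 21:40:20 tempus sshd[16807]: Accepted publickey for sarah from 192.0.2.50 port 51025 ssh2
"""

# OpenSSH password-failure line; "invalid user" appears when the account
# does not exist. Syslog days may be space-padded ("Aug  1").
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_failures(text, year=2004):
    """Return [(timestamp, user, ip)] for each sshd password failure in text.

    The year is an assumption: syslog timestamps do not carry one.
    """
    out = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["user"], m["ip"]))
    return out


def plan_blocks(failures, threshold=3, window=timedelta(minutes=5),
                block_for=timedelta(minutes=10), never_block=()):
    """Sliding-window thresholding over (timestamp, user, ip) tuples.

    Returns (blocks, flagged): blocks maps ip -> (start, until) for sources
    that hit `threshold` failures inside `window`; flagged lists (ip, ts) for
    never_block addresses that crossed the threshold and must NOT be blocked,
    since blocking them is exactly the self-inflicted DoS the reply warns of.
    """
    recent = defaultdict(deque)  # ip -> timestamps within the window
    blocks, flagged = {}, []
    for ts, _user, ip in sorted(failures):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) < threshold:
            continue
        if ip in never_block:
            flagged.append((ip, ts))  # alert, do not block
        elif ip not in blocks or blocks[ip][1] <= ts:
            blocks[ip] = (ts, ts + block_for)  # fresh 10-minute block
        q.clear()  # start counting again after acting
    return blocks, flagged


if __name__ == "__main__":
    blocks, flagged = plan_blocks(parse_failures(SAMPLE_LOG),
                                  never_block={"192.0.2.50"})
    for ip, (start, until) in sorted(blocks.items()):
        print(f"block {ip} from {start:%H:%M:%S} until {until:%H:%M:%S}")
    for ip, ts in flagged:
        print(f"FLAG  {ip} crossed threshold at {ts:%H:%M:%S} (never-block list)")
```

Feeding the block list into the firewall is the part that differs per system;
on FreeBSD with pf a table of addresses and a cron job that expires entries
older than ten minutes is the usual shape, but the thresholds, the allowlist
and the expiry should be tuned before anything is wired up to drop packets.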