[H-GEN] Blocking SSH exploits
Snowy Angelique Maslov aka 'Snowpony'
snowy at snowy.org
Sun Aug 22 20:22:47 EDT 2004
Sarah Walters said the following on 22/08/2004 7:12 PM:
> [ Humbug *General* list - semi-serious discussions about Humbug and ]
> [ Unix-related topics. Posts from non-subscribed addresses will vanish. ]
>
> Hi all,
>
> In the daily security report generated by our FreeBSD box, we've been
> getting a lot of messages like the following lately:
>
> tempus.walters.id.au login failures:
> Aug 21 09:07:25 tempus sshd[14677]: Failed password for root from
> 219.238.239.178 port 39247 ssh2
> Aug 21 09:11:48 tempus sshd[14715]: Failed password for root from
> 218.38.14.54 port 46055 ssh2
> Aug 21 09:11:52 tempus sshd[14717]: Failed password for root from
> 218.38.14.54 port 46156 ssh2
> Aug 21 21:18:49 tempus sshd[16716]: Failed password for root from
> 203.172.67.151 port 3989 ssh2
> Aug 21 21:18:56 tempus sshd[16720]: Failed password for root from
> 203.172.67.151 port 4110 ssh2
>
> Of course we don't have SSH enabled for root under any circumstances,
> but we do SSH home frequently so would not want to block external IPs
> altogether. Has anyone seen a similar increase in such attempts, and is
> there something out there that I should know about?
>
> By the way, we are thinking that it would be nice to be able to block
> IPs that make any such attempts automatically, probably for about 10
> minutes. Does anyone know how to do this, and would it be worthwhile
> trying?
These are just all automated attacks looking for basic passwords on
exposed SSH-enabled boxes for root. Now blocking IPs automatically only tends
to give people a way of DOSing your box once they work out what is going on.
My solution is to run SSH (the only exposed application to the Internet) on a
different port for my home connection's external access. I had toyed with the
idea of using a port knocking solution as well; however I realised I use this
service from anywhere and would not always have all the tools needed to get in
if I had to port knock unless I made it very simple (and the only port
knocking solution I had liked so far included encrypted pass phrases injected
into packets).
Considering it was a home server and such, I opted to go the less secure route
of just moving the server to a non-standard port and restricting valid users
who can login via SSH to just a couple of ids (since few actually SSH home
anyways and primarily use the box only when on location). If I was to make it
more secure I would probably only allow Public Key Encryption as the method of
identification. SSH of course runs in Privilege Separation mode. Finally I
make use of dshield's list of known "bad" IP addresses/ranges to get rid of
any known sources of problems with a filter to make sure it does not include
any critical IP addresses (and flags when they are listed).
--
Snowy "Snowpony" Angelique Cerise Maslov -- http://snowy.org/email.signature
PGP (GnuPG) fingerprint = 5280 6EBC D281 A9D2 564B E274 B2EC 54C3 8325 CECD
Email not addressed/CCd to snowy at snowy.org BOUNCE. READ URL for disclaimer!
"Ignorance killed the cat, sir. Curiosity was framed." ---C.J. Cherryh
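Sarah's "block for about 10 minutes" idea combined with the critical-address filter Snowy describes, as an added example that is not code from either poster. It assumes the log format of the report quoted above, a year for the syslog timestamps, and a constructed placeholder for a "critical" address; it only plans blocks and reports, it does not touch the firewall.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format of Sarah's daily report; the last line uses a
# made-up "protected" address (documentation range) to exercise the filter.
SAMPLE_LOG = """\
Aug 21 09:07:25 tempus sshd[14677]: Failed password for root from 219.238.239.178 port 39247 ssh2
Aug 21 09:11:48 tempus sshd[14715]: Failed password for root from 218.38.14.54 port 46055 ssh2
Aug 21 09:11:52 tempus sshd[14717]: Failed password for root from 218.38.14.54 port 46156 ssh2
Aug 21 21:18:49 tempus sshd[16716]: Failed password for root from 203.172.67.151 port 3989 ssh2
Aug 21 21:18:56 tempus sshd[16720]: Failed password for root from 203.172.67.151 port 4110 ssh2
Aug 21 21:30:00 tempus sshd[16800]: Failed password for root from 203.0.113.10 port 5000 ssh2
"""
PROTECTED = {"203.0.113.10"}  # constructed placeholder for a "critical" address

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+ ssh2$"
)

def parse_failures(text, year=2004):
    """Return (timestamp, user, ip) tuples for each 'Failed password' line.
    Syslog lines carry no year, so the caller supplies one (assumption)."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out.append((ts, m.group(2), m.group(3)))
    return out

def plan_blocks(failures, protected, window=timedelta(minutes=10)):
    """Block each offending IP for `window` from its first failure and renew
    only after the block lapses. Protected IPs are never blocked, just flagged."""
    blocks, flagged, blocked_until = [], [], {}
    for ts, _user, ip in sorted(failures):
        if ip in protected:
            if ip not in flagged:
                flagged.append(ip)
            continue
        if ip in blocked_until and ts < blocked_until[ip]:
            continue  # already inside an active block: nothing new to do
        blocked_until[ip] = ts + window
        blocks.append((ip, ts, blocked_until[ip]))
    return blocks, flagged

if __name__ == "__main__":
    blocks, flagged = plan_blocks(parse_failures(SAMPLE_LOG), PROTECTED)
    for ip, start, end in blocks:
        print(f"block {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
    for ip in flagged:
        print(f"WARNING: protected address {ip} is failing logins; not blocked")
```

The flagged list is the part Snowy's caveat turns on: an attacker who learns the scheme can spoof or relay from addresses you depend on, so anything that feeds a real firewall rule should pass through a protected set like this first.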