[Gllug] limiting ssh zombie login attempts

Russell Howe rhowe at wiss.co.uk
Tue Oct 19 11:35:20 UTC 2004


On Mon, Oct 18, 2004 at 11:05:39PM +0100, Ben Fitzgerald wrote:
> Hi,
> 
> We have an internet facing server that has been receiving an
> increasing number of attempts to guess username/passwords.

All of these attacks (or at least the ones we get here) seem to be
fairly quick and intense.

Using iptables' 'limit' match to limit SSH connections to two every 5
minutes should work reasonably well - it'd take a very long time to try
any significant number of passwords.

Also, disallowing root logins over SSH and constraining the users who
can log in using something like 'AllowUsers' in the sshd configuration
would probably be a good idea.

Of course, none of this helps if there's a remotely exploitable
vulnerability in the SSH daemon which requires no authentication to
exploit... for that, the best defense is either to not run SSH, or to
constrain it to a small number of known, and relatively trusted
addresses - let someone else run the risks of running a wide open sshd
:)

It would be interesting to know what passwords are being tried. It
certainly looks from here like a concerted distributed attack against
one IP address on our network (our firewall), rather than some zombie
machines scanning randomly for (say) boxen which allow root ssh logins
and don't have a password set for root.

-- 
Russell Howe       | Why be just another cog in the machine,
rhowe at siksai.co.uk | when you can be the spanner in the works?
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
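The iptables 'limit' rule and the sshd_config hardening Russell describes above, written out as an added example (not part of the original post). It assumes SSH on port 22, and the "trusted admin" subnet 192.0.2.0/24 is a constructed placeholder; the rules are printed for review rather than applied, since applying them needs root.

```shell
#!/bin/sh
# Added example, not from the original post: emit iptables rules that use the
# 'limit' match to cap new SSH connections (two per five minutes on average,
# burst of two), and check an sshd_config for the PermitRootLogin/AllowUsers
# hardening recommended in the post.
# Assumptions: SSH on port 22; 192.0.2.0/24 is a constructed admin subnet.

SSH_PORT=22
TRUSTED_NET=192.0.2.0/24   # constructed value; replace with your admin subnet

# Print the rules instead of applying them so they can be reviewed first;
# apply (as root) with:  ssh_limit_rules | sh
ssh_limit_rules() {
    cat <<EOF
iptables -N SSH_LIMIT
iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j SSH_LIMIT
iptables -A SSH_LIMIT -s $TRUSTED_NET -j ACCEPT
iptables -A SSH_LIMIT -m limit --limit 24/hour --limit-burst 2 -j ACCEPT
iptables -A SSH_LIMIT -j LOG --log-prefix "ssh-ratelimit: "
iptables -A SSH_LIMIT -j DROP
EOF
}
# 'limit' only takes per-second/minute/hour/day rates, so "two every five
# minutes" becomes an average of 24/hour with a token bucket of 2. The rate
# is global (not per source), so a single attacker can exhaust it for
# everyone; the TRUSTED_NET ACCEPT rule above keeps admin access working.

# Return 0 if the config disables root login AND restricts users, else 1.
# Only uncommented directives count; sshd honours the first occurrence.
check_sshd_config() {
    root=$(grep -Ei '^[[:space:]]*PermitRootLogin[[:space:]]+' "$1" \
           | head -n1 | awk '{print tolower($2)}')
    users=$(grep -Ei '^[[:space:]]*AllowUsers[[:space:]]+' "$1" | head -n1)
    [ "$root" = "no" ] && [ -n "$users" ]
}

# Constructed sample configs: one weak, one hardened.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
printf '%s\n' 'Port 22' 'PermitRootLogin yes' '#AllowUsers alice' > "$WEAK_CFG"
printf '%s\n' 'Port 22' 'PermitRootLogin no' 'AllowUsers alice bob' > "$HARD_CFG"
```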