[Gllug] ssh attacks
Richard Huxton
dev at archonet.com
Fri Feb 3 10:54:41 UTC 2006
John Southern wrote:
> I opened up an sshd on a box to be able to extract some info from a remote
> box. I went away and got the files I needed. However, I thought my link was
> slow so I looked at the logs. The messages log shows an ssh attempt every few
> seconds. I think it took about thirty seconds from first being opened to the
> first attack.
>
> Was I just unlucky and, if so, what is the average time before an ssh box is
> attacked?
I get it on most of my boxes. Maybe I'm just unlucky though.
> Although not quite working through a dictionary attack, it is definitely a
> pre-prepared list of common user names. I traced this back to a host name of
> zz-13-91-a8.bta.net.cn from its IP address of 202.108.13.91
Yep - dictionary attack from some compromised host.
> First, what should I do? Is this a problem for every ssh port out there and
> how can I maintain some form of access to the machine. I tend to run this
> particular box headless and so would like some access remotely. Does anyone
> just use rsa keys and not passwords and if so is it any more secure?
You can restrict logins to a single group or single user. I tend to pick
a single user (non-obvious name) and then "su" to whoever once logged
in. You can also give the remote user a restricted shell if you think it
beneficial.
The other thing is to restrict access to a handful of IP addresses that
you control. This is not always practical if you need to "dial in" from
a laptop and mobile phone and don't know your IP. Even then, you might
be able to deny some fairly large blocks of IP numbers.
> Second, is there anything I should do about this attacking box or is it just
> not worth it?
There are scripts out there that parse your logs and automatically add
"bad" hosts to your firewall.
> Am I right in assuming changing the ssh port is pointless as anyone with nmap
> will see the port I change it to anyway?
You might want to google for "port knocking" where you access a sequence
of (closed) ports on the machine to activate the ssh daemon. There are
plenty of other variations you can do (must access a particular web-page
or upload a file called "asdvfd.txt").
> How can I tell if my passwords are strong? As I get older I find that
> remembering new random characters is getting harder, although I have not
> quite reached the level of writing them on a post-it note under the mousemat
> yet. An example of a now redundant one I used in the past is Mh4Ll1FwW4s
> (Mary had a little lamb it's fleece was white as snow).
That looks fine to me, but you can try password crackers against your
own machines (try "John the Ripper" or similar).
HTH
--
Richard Huxton
Archonet Ltd
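Richard mentions scripts that parse the logs and add "bad" hosts to the firewall. The following is an added example, not code from the thread or from any of the tools it names: it reads OpenSSH-style "Failed password" lines, flags any source that produces a burst of failures inside a sliding window, and emits the iptables rules a script like that would apply. The log lines, the addresses (RFC 5737 documentation ranges), the year, the threshold and the window are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of OpenSSH syslog lines (not taken from the original post).
# The addresses come from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Feb  3 10:50:01 box sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Feb  3 10:50:04 box sshd[2103]: Failed password for invalid user test from 192.0.2.10 port 40002 ssh2
Feb  3 10:50:07 box sshd[2105]: Failed password for invalid user oracle from 192.0.2.10 port 40003 ssh2
Feb  3 10:50:09 box sshd[2107]: Failed password for root from 192.0.2.10 port 40004 ssh2
Feb  3 10:50:12 box sshd[2109]: Failed password for invalid user guest from 192.0.2.10 port 40005 ssh2
Feb  3 10:51:30 box sshd[2120]: Failed password for john from 198.51.100.7 port 51000 ssh2
Feb  3 10:51:45 box sshd[2122]: Accepted publickey for john from 198.51.100.7 port 51001 ssh2
Feb  3 12:40:00 box sshd[2300]: Failed password for invalid user admin from 203.0.113.5 port 60000 ssh2
Feb  3 12:40:02 box sshd[2301]: Failed password for invalid user admin from 203.0.113.5 port 60001 ssh2
"""

# Matches the "Failed password" line sshd writes, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_failures(text, year=2006):
    """Yield (timestamp, source_ip, username) for every failed-password line.

    Syslog lines carry no year, so one is supplied (assumed here from the post date).
    """
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def find_bad_hosts(text, threshold=5, window_seconds=60):
    """Return {ip: sorted usernames tried} for every source that produced at
    least `threshold` failures inside any `window_seconds` sliding window.

    One mistyped password from a legitimate user never reaches the threshold;
    a scripted run through a list of common usernames does within seconds.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> every username that source tried
    flagged = set()
    for ts, ip, user in parse_failures(text):
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return {ip: sorted(users[ip]) for ip in sorted(flagged)}


def firewall_rules(bad_hosts, never_block=()):
    """Build the iptables commands that would drop the flagged sources.

    They are returned as strings rather than executed, so they can be reviewed
    first; `never_block` keeps your own addresses out of the rules so the
    script cannot lock you out after a few typos of your own.
    """
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in bad_hosts if ip not in never_block]


if __name__ == "__main__":
    hosts = find_bad_hosts(SAMPLE_LOG)
    for ip, names in hosts.items():
        print(f"{ip}: {len(names)} usernames tried: {', '.join(names)}")
    for rule in firewall_rules(hosts):
        print(rule)
```

On the sample, only 192.0.2.10 is flagged: five different usernames in eleven seconds. The single failure from 198.51.100.7 (followed by a successful key login) and the two slow attempts from 203.0.113.5 stay under the default threshold, which is the distinction a blocking script needs to get right before it touches the firewall.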
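Richard also points at port knocking as an answer to the "anyone with nmap will see the port" worry. The following is an added example, not code from the thread or from any knocking daemon: a minimal server-side tracker that records connection attempts to closed ports and only reports the ssh port as open for a source once it has hit the configured ports in order, within a time limit. The sequence (7000, 8000, 9000), the timeouts and the addresses are assumed values; feeding it real packet events (from firewall logs or a capture hook) is left outside the example.

```python
class KnockTracker:
    """Server-side state for a port-knocking sequence.

    Each source address must hit the configured closed ports in order, within
    `timeout` seconds of its first knock; only then is the ssh port opened for
    it, and only for `open_for` seconds. Any other port touched in between
    resets that source, which is why an ordinary port sweep never completes
    the sequence by accident: it hits 7001 right after 7000.
    """

    # Assumed sequence and timings, constructed for the example.
    def __init__(self, sequence=(7000, 8000, 9000), timeout=10.0, open_for=30.0):
        self.sequence = tuple(sequence)
        self.timeout = timeout
        self.open_for = open_for
        self.progress = {}   # ip -> (index of next expected port, time of first knock)
        self.opened = {}     # ip -> time the sequence completed

    def observe(self, ip, port, now):
        """Record one attempt to a closed port; True when the sequence completes."""
        idx, started = self.progress.get(ip, (0, now))
        if idx and now - started > self.timeout:
            idx, started = 0, now          # took too long: start over
        if port != self.sequence[idx]:
            # Wrong port resets the source; a fresh first knock may begin anew.
            if port == self.sequence[0]:
                self.progress[ip] = (1, now)
            else:
                self.progress.pop(ip, None)
            return False
        if idx == 0:
            started = now
        idx += 1
        if idx == len(self.sequence):
            self.progress.pop(ip, None)
            self.opened[ip] = now
            return True
        self.progress[ip] = (idx, started)
        return False

    def is_open(self, ip, now):
        """Whether the ssh port should currently accept connections from `ip`."""
        opened = self.opened.get(ip)
        return opened is not None and 0 <= now - opened <= self.open_for


if __name__ == "__main__":
    tracker = KnockTracker()
    # A correct knock from the laptop (constructed address) opens the port briefly.
    for t, port in ((0.0, 7000), (1.0, 8000), (2.0, 9000)):
        tracker.observe("198.51.100.7", port, t)
    print("laptop open at t=5:", tracker.is_open("198.51.100.7", 5.0))
    print("laptop open at t=40:", tracker.is_open("198.51.100.7", 40.0))
    # A sequential sweep of the same range never completes the sequence.
    sweep = KnockTracker()
    hit = any(sweep.observe("203.0.113.5", p, p / 1000.0) for p in range(6990, 9010))
    print("sweep opened the port:", hit)
```

The point the tracker makes concrete is that a scan shows the ssh port as closed until the sequence has been sent, and sending the ports in the wrong order (or touching neighbouring ports) resets the attempt. Tying the opened state to a firewall rule, and closing it again when `open_for` expires, is what a real daemon adds on top.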
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug