[Gllug] ssh brute force attacks

Hari Sekhon hpsekhon at googlemail.com
Mon Dec 8 16:08:03 UTC 2008


Alain Williams wrote:
> Distributed ssh brute force attacks are on the rise, according to el reg:
>
> 	http://www.theregister.co.uk/2008/12/08/brute_force_ssh_attack/
>
> I use an iptables blocker (max 3 attempts in 3 minutes) that would be defeated by this.
>
> I also restrict *who* can login over ssh.
>
> What other means do you use to increase ssh security?
>
> I don't really see the point of running ssh on anything other than port 22 - that
> would be defeated with a port scan.
>
> Anyone implemented port knocking - as much as in an SSH client as the server?
>
> What else ?
>   
I use port knocking; it's pretty good. The only thing I don't like about 
it is that it requires a server behind a NAT to have too many ports 
accessible, and really you want that server to have every port forwarded 
through the firewall to the server to invalidate knocks... and then hope 
that everything is caught by iptables... so I don't use it in all cases; 
it depends on the situation.

The attack in that article is a good one, against which the more standard 
rate-determined defenses cannot protect. I think that the only real 
countermeasures that are practical are to

1) block the port for a period of time on any failure, but this can lead 
to DoS
2) restrict the IPs that can connect to ssh to known trusted IPs
3) hybrid - block all ssh connections if any failures are attempted, but 
override in iptables with whitelisted hosts so you are never locked out
4) change port to prevent drive-by-bruting... which will reduce the 
number of occurrences but not help against attacks where you are a 
target of focus
5) port knock so people don't reach your ssh
6) fwknop, kind of like a single port knock with an auth token; I haven't 
used this yet, but intend to... (also solves the NAT and replay problems)

-h

-- 
Hari Sekhon
Always open to interesting opportunities
http://www.linkedin.com/in/harisekhon
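To make concrete why the per-IP "3 attempts in 3 minutes" blocker in this thread is defeated by a distributed attack, here is an added Python example (not code from the list post or from either poster): it parses constructed sshd auth-log lines, applies a per-IP rule like the one described, and then applies the same threshold pooled across every source, which is what Hari's option 1 (block on any failure, at the cost of DoS risk) amounts to. The log lines, hostnames and addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not from the original post): one source
# trips a per-IP rule; the rest fail once each from different addresses.
SAMPLE_LOG = """\
Dec  8 16:00:01 host sshd[101]: Failed password for root from 203.0.113.5 port 4001 ssh2
Dec  8 16:00:03 host sshd[102]: Failed password for root from 203.0.113.5 port 4002 ssh2
Dec  8 16:00:05 host sshd[103]: Failed password for root from 203.0.113.5 port 4003 ssh2
Dec  8 16:00:07 host sshd[104]: Failed password for root from 203.0.113.5 port 4004 ssh2
Dec  8 16:01:00 host sshd[105]: Failed password for invalid user admin from 198.51.100.10 port 5001 ssh2
Dec  8 16:01:20 host sshd[106]: Failed password for invalid user admin from 198.51.100.11 port 5002 ssh2
Dec  8 16:01:40 host sshd[107]: Failed password for invalid user admin from 198.51.100.12 port 5003 ssh2
Dec  8 16:02:00 host sshd[108]: Failed password for invalid user admin from 198.51.100.13 port 5004 ssh2
Dec  8 16:02:40 host sshd[109]: Accepted publickey for hari from 192.0.2.7 port 6000 ssh2
"""

FAIL_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password "
                     r"for (?:invalid user )?\S+ from (\S+) port")

def parse_failures(log_text):  # sorted (timestamp, source_ip) for failed-password lines
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:  # syslog stamps carry no year; strptime defaults to 1900, fine for deltas
            ts = datetime.strptime(re.sub(r"\s+", " ", m.group(1)), "%b %d %H:%M:%S")
            events.append((ts, m.group(2)))
    return sorted(events)

def exceeds(times, limit, window):  # more than `limit` events inside any `window` span?
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 > limit:
            return True
    return False

def per_ip_offenders(events, limit=3, window=timedelta(minutes=3)):  # per-IP rule
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    return {ip for ip, ts in by_ip.items() if exceeds(ts, limit, window)}

def distributed_alert(events, limit=3, window=timedelta(minutes=3)):
    """Same threshold pooled over the failures the per-IP rule left alone: (fires, sources)."""
    blocked = per_ip_offenders(events, limit, window)
    rest = [(ts, ip) for ts, ip in events if ip not in blocked]
    return exceeds([ts for ts, _ in rest], limit, window), len({ip for _, ip in rest})
```

On the sample, the per-IP rule blocks only 203.0.113.5, while the four single-failure sources slip through individually and are caught only by the pooled check.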

-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
