[Gllug] ssh brute force attacks

Robert McKay robert at mckay.com
Mon Dec 8 20:49:20 UTC 2008


On Mon, Dec 8, 2008 at 4:02 PM, James Holland <holland.james at yahoo.co.uk> wrote:
> On Mon, 2008-12-08 at 15:48 +0000, Alain Williams wrote:
>> Distributed ssh brute force attacks are on the rise, according to el reg:
>>
>>       http://www.theregister.co.uk/2008/12/08/brute_force_ssh_attack/
>>
>> I use an iptables blocker (max 3 attempts in 3 minutes) that would be defeated by this.
>>
>> I also restrict *who* can login over ssh.
>>
>> What other means do you use to increase ssh security ?
>>
>> I don't really see the point of running ssh on anything other than port 22 - that
>> would be defeated with a port scan.
>
> I always change the port and this *always* cuts out attempted logins
> completely...

I've taken to not running sshd on any port at all (at least on my home
machines). Instead, I run ssh over http using proxy2ssh
(http://wari.mckay.com/~rm/proxy2ssh/).

It's a hack I came up with a while ago mainly to solve the opposite
problem of how to connect to an ssh server through a restrictive http
proxy.. however it turns out to be almost as useful when thinking
about ways to get in rather than out. I'm pretty sure I've posted
about it here before too, but oh well.

Originally I had it so that the cgi used nc to connect to the normal
sshd running on port 22 (which I then firewalled off from non-local
access) but it has recently been pointed out to me that you can just
invoke sshd -i directly from the cgi:
http://wari.mckay.com/~rm/proxy2ssh/sshd.sh.txt.

(Requires the following sudoers entry to let the cgi invoke sshd as root)
Cmnd_Alias      SSHD = /usr/sbin/sshd
www-data        ALL = NOPASSWD: SSHD

Actually it doesn't really need root -- sshd can run as a normal user
too, but if you don't invoke it as root then you'll probably only be
able to log in as www-data (or whatever your apache runs as) or maybe
your own user if you are using suexec cgis (haven't tried this - it
ought to work fine but requires a bit of work setting up alternate
sshd_config config files, keys, etc).

Anyway.. with all that stuff in place you can ssh in using a URL (via
the http://wari.mckay.com/~rm/proxy2ssh/client.txt  ProxyCommand
script) instead of a port which most likely the attacker won't be
expecting. Even if they are, they'd need to know your URL somehow.. I
suppose that could be leaked through a proxy log or network sniffing..
but that goes for port knocking or any other stupidity as well.

Not really security per se and it probably is more vulnerable to DoS
attacks than ssh would be listening on the port itself... but I
haven't really had any problems so far (just be careful when you
restart apache ;).

Rob.
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
