SSH Password Gropers Are Now Trying High Ports 349
badger.foo writes "You thought you had successfully avoided the tiresome password guessing bots groping at your SSH service by moving the service to a non-standard port? It seems security by obscurity has lost the game once more. We're now seeing ssh bruteforce attempts hitting other ports too, Peter Hansteen writes in his latest column." For others keeping track, have you seen many such attempts?
Low Hanging Fruit (Score:5, Informative)
It's still just going after low-hanging fruit. Anyone weth any real awareness of security does now allow password-only SSH connections anyway. Key based auth and fail2ban is pretty much required these days. You can always add some port knocking to obscure it a bit if you don't like reading about failed access attempts.
Comment removed (Score:5, Informative)
Re:Low Hanging Fruit (Score:5, Informative)
I've been using key based authentication for ssh for years. I just moved the service to a high port to get rid of all the script kiddy password guessing attempts that were clogging my log file. I also added a "throttle" in iptables:
# Block brute force attacks
# Drop repeated ssh connection attempts within 20 seconds interval
-A INPUT -p tcp -m tcp -m state -m recent -i eth1 --dport 22222 --state NEW -j DROP --rcheck --seconds 20 --name THROTTLE --rsource
# Accept ssh connection if not attempted within past 20 sec.
-A INPUT -p tcp -m tcp -m state -m recent -i eth1 --dport 22222 --state NEW -j ACCEPT --set --name THROTTLE --rsource
It just cuts down on the noise. I used the same technique back when people were doing the DNS cache poisoning attacks to limit how many hits my DNS could get from the same source (first query should update the cache in a legitimate site's DNS so no reason why I should get repeated hits from the same site).
Cheers,
Dave
SSHGuard FTW (Score:4, Informative)
I'll probably have to go learn about key-based security. But meanwhile, I'm really happy with sshguard. It defends against brute force attacks by monitoring logs and aplying increasingly (exponentially) tougher time-outs as attacks from IP addresses continue. It's reduced my log from 100s of entries per day to about 15. http://www.rferl.org/content/world-press-photo-winners/24903576.html [rferl.org]
They've got it in FreeBSD ports, which makes it easy to install into an existing firewall.
Re:Low Hanging Fruit (Score:5, Informative)
iptables (Score:5, Informative)
If you want to end almost any possibility of brute force, load this with iptables:
Those three lines will slow the amount of connections by the same ipaddress to sshd. When the attacker reaches 4 hit counts it will be blocked for 60 seconds before resetting. If the attacker keeps attacking before the 60 seconds are up it will reset the the time limit to another 60 seconds. Have been using it for years and it is extremely effective. Even a botnet attack (which is unlikely) would be futile because there just aren't enough attempts.
Seriously, this type of thing should be built directly into ssh. If not this sophisticated, then at least it should include attempt and restart delays which would not be as effective but beat the hell out of the default behavior.
Re:Low Hanging Fruit (Score:4, Informative)
Re:Low Hanging Fruit (Score:4, Informative)
It's actually quite hard to spoof anything now. No domestic connection will forward packets that don't from from the designated IP address. You need to have access to either the LAN of a decently-sized corporation or the internal network of an ISP. Easy enough for skilled hackers to get, yes - they can compromise a device somewhere - but beyond the script kiddie.
Re:Low Hanging Fruit (Score:5, Informative)
I'd use TARPIT [wikipedia.org] instead.
Re:Low Hanging Fruit (Score:4, Informative)
Yes, as part of a defense in depth and not as a measure by itself.
Re:The length of the VPN's password (Score:4, Informative)
So your saying a 32 char password is better then a 16 char password, whoda thunk it.
Or, to rephrase that, all you've done is make it 500 trillion times harder to crack your ssh (if you're using good passwords), if you are using keyfiles for both then there pretty much needs to be a remote exploit in both the listeners.
Re:Don't rely ONLY on security-though-obscurity (Score:2, Informative)
There, I fixed the title for you.
I use both a nonstandard port as well as Denyhosts. My block file only numbers in the hundreds, yours in the many thousands. Why? Because every random scan that hits my system flags my IP as "not likely" and moves on, when it hits your IP you get flagged as "valid target" and then you get hit with focused attacks.
If you're going to pretend to understand security, then at least get the saying right. Yes, it's never a good idea to only use obscurity, but there's rarely any valid reason to NOT use it as part of a layered model.
Better than that... (Score:4, Informative)
The below will create a dynamic blacklist. Any IP address that connects more than three times in five hours (pass or fail) will go into a blacklit that will persist until they stop trying for at least a day.
This will recodr your bad actors _and_ it will "expire" in case you invalidate a system by accident (e.g. over-use).
iptables --new-chain SSHTHROTTLE
iptables --append SSHTHROTTLE --match recent --name bad_actors --update --seconds 86400 --jump DROP
iptables --append SSHTHROTTLE --match hashlimit --hashlimit-name ssh_throttle --hashlimit-upto 5/hour --hashlimit-mode srcip --hashlimit-burst 2 --jump ACCEPT
iptables --append SSHTHROTTLE --match recent --name bad_actors --set --jump DROP
iptables --append INPUT --in-interface ext+ --proto tcp --match conntrack --ctstate NEW --dport 22 --syn --jump SSHTHROTTLE