10 May
2012
10 May
'12
4:23 p.m.
Hello,
It's been a while since I last posted a reminder about protecting
against SSH dictionary attacks.
http://lists.bitfolk.com/lurker/message/20100314.085112.f5be7da9.en.html
The problem of course has not gone away and since then there have
been many more compromises that could have been easily avoided.
So, please, if you are running sshd on port 22 and allowing password
authentication, please consider taking some steps to protect
yourself. It can very easily happen to you, and aside from the
damage it can cause to other hosts on the Internet it risks
significant downtime for your own services.
I wrote up some more info from previous discussions:
https://tools.bitfolk.com/wiki/Protecting_against_SSH_dictionary_attacks
If you have further input please do feel free to add to the above
wiki article.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
announce mailing list
announce(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce
10 May
10 May
4:50 p.m.
New subject: A gentle reminder again about protecting against SSH dictionary attacks
Just in case you are interested in statistics, I have been running
Fail2Ban since May 2010 and since then I've had around 6.5k emails
informing me that an address has been blocked, or about 9 attempts per
*day*.
I think your customers would be a lot more likely to install Fail2Ban
if they knew just how common this sort of attack was.
James
On Thu, 10 May 2012 16:23:31 +0000
Andy Smith <andy(a)bitfolk.com> wrote:
Hello,
It's been a while since I last posted a reminder about protecting
against SSH dictionary attacks.
http://lists.bitfolk.com/lurker/message/20100314.085112.f5be7da9.en.html
The problem of course has not gone away and since then there have
been many more compromises that could have been easily avoided.
So, please, if you are running sshd on port 22 and allowing password
authentication, please consider taking some steps to protect
yourself. It can very easily happen to you, and aside from the
damage it can cause to other hosts on the Internet it risks
significant downtime for your own services.
I wrote up some more info from previous discussions:
https://tools.bitfolk.com/wiki/Protecting_against_SSH_dictionary_attacks
If you have further input please do feel free to add to the above
wiki article.
Cheers,
Andy
5:36 p.m.
New subject: A gentle reminder again about protecting against SSH dictionary attacks
On 10/05/12 17:50, James Stanley wrote:
Just in case you are interested in statistics, I have
been running
Fail2Ban since May 2010 and since then I've had around 6.5k emails
informing me that an address has been blocked, or about 9 attempts per
*day*.
Is that all? /var/log/auth.log lists 13,965 failed passwords between
11:33 and 18:54 *yesterday*.
I think your customers would be a lot more likely to
install Fail2Ban
if they knew just how common this sort of attack was.
These are my security measures:
PermitRootLogin no
AllowUsers foo bar baz
grep "Failed " /var/log/auth.log.0 | awk '{ print $11 }' | sort | uniq
-c | sort -V | less
shows where most of the attempts are going, very roughly sorted
into number of attempts. None of them use valid usernames for this
box.
In my opinion it's not worth getting worked up about.
If you are worried about *targeted* dictionary attacks, i.e.
someone going for *you* with thousands of passwords, rather
than thousands of machines with a handful of weak passwords,
then Fail2Ban makes sense. Or just make sure you have strong
passwords. Or switch to keys.
6:38 p.m.
New subject: A gentle reminder again about protecting against SSH dictionary attacks
On 10/05/2012 18:36, Dom Latter wrote:
These are my security measures:
PermitRootLogin no
AllowUsers foo bar baz
Mine too, plus TCP Wrappers to only permit addresses from a couple of
subnets.
Mike
5:17 p.m.
New subject: A gentle reminder again about protecting against SSH dictionary attacks
On Thu, May 10, 2012 at 5:23 PM, Andy Smith <andy(a)bitfolk.com> wrote:
Hello,
It's been a while since I last posted a reminder about protecting
against SSH dictionary attacks.
Hi all,
I was thinking about this and the PHP exploit that was mentioned yesterday.
I haven't looked into this, so please bear with me... I wondered if it
was possible to pool resources (a honeypot?) and/or knowledge in terms
of intrusion attempts, etc. Are the attacks that I receive (a lot of
dictionary/brute force attempts and proxy scans) part of someone/thing
simply scanning a range of Bitfolk IPs?
Would it not make sense to share this information or is this too much effort?
Cheers, Gerald
5:32 p.m.
New subject: A gentle reminder again about protecting against SSH dictionary attacks
Hi Gerald,
On Thu, May 10, 2012 at 06:17:31PM +0100, Gerald Davies wrote:
Are the attacks that I receive (a lot of
dictionary/brute force
attempts and proxy scans) part of someone/thing simply scanning a
range of Bitfolk IPs?
They are scanning the entire Internet.
Actually when I do investigations of compromised hosts that have
been engaging in SSH scanning, if I'm lucky enough to find a
.bash_history I often find that the tools used to do the scanning
are quite primitive and only accept IP ranges like:
x.y.z.*
x.y.*
i.e. not CIDR¹ notation. I often find they've done things like
./a 164.238
./a 62.76
./a 192.100
to scan against a few big blocks of addresses.
Would it not make sense to share this information or
is this too much effort?
Would the goal of this to be to block abusive hosts before they have
a few tries against your own host?
I can see a few tricky issues around the possibility of a bug,
mistake or hostile user injecting arbitrary IPs into the system
causing everyone to ban those IPs.
I can see how someone with multiple machines might want a site-wide
block list, but I'm not sure it is worth it for use by multiple
different admins. You'd have to put a lot of effort into securing
it. Seems easier to just protect yourself with the more conventional
ways.
Cheers,
Andy
¹ http://en.wikipedia.org/wiki/CIDR#Subnet_masks
--
http://bitfolk.com/ -- No-nonsense VPS hosting
4609
days inactive
4609
days old
5 comments
5 participants
participants (5)
-
Andy Smith -
Dom Latter -
Gerald Davies -
James Stanley -
Mike Zanker