Rundown on SSH Brute Force Attacks

← Back to Stories (view on slashdot.org)

Rundown on SSH Brute Force Attacks

Posted by Zonk on Saturday July 16, 2005 @05:25AM from the more-you-know! dept.

An anonymous reader writes "Whitedust has a very interesting article on the recent SSH brute force attacks. The article goes into depth on how to monitor these attackes and to report them to the authorities. It also discusses various tools that are available. According to the article, mostly compromised Linux systems from outside of North America are responsible for the attacks. Even the author's DSL connection was getting break-in attempts."

30 of 360 comments (clear)

Min score:

Reason:

Sort:

As always... by jsight · 2005-07-16 05:28 · Score: 5, Informative

If possible, restrict access by source IP address, limit the user accounts w/ SSH access, and don't allow remote root logins.

Another step to improve security if there are very few users is just to ONLY allow public key authentication. I've never seen such a box compromised remotely.

--
Throw the bums out!
1. Re:As always... by MyDixieWrecked · 2005-07-16 05:48 · Score: 3, Informative
  
  I run a webserver out of my room for a dozen or so of my friends.
  
  I've just started disabling shell access to the users of my system by default. If they want to log in with ssh, they have to explicitly enable it from the web-based front-end.
  
  I tried forcing public-key authentication, but I kept running into trouble when I was away from home and needed to log in from someone else's computer.
  
  I've got some explicit rules in iptables, also, where I've been blocking entire IP blocks (ie- I've got several countries blocked completely). Whenever I notice a string of failed login attempts, I do an ARIN lookup of that IP block. So far, nearly every attack has come from korea, so I 've been blocking off those addresses as they come.
  
  I should probably only allow ssh access to american addresses... I know one should always make time for security, but I just haven't had the time to look into how to do that.
  
  also, I've got root login enabled only because I've got a backup script running that mirrors /home and a couple other directories over to my backup server. But root has a very, very strong password. took me weeks to memorize it.
  
  --
  
  ...spike
  Ewwwwww, coconut...
2. Re:As always... by clymere · 2005-07-16 06:06 · Score: 3, Informative
  
  try putting your public keys on a usb thumb drive. Toss putty on there as well, and you've got what you need no matter where you're at ;)
  
  --
  once you go slack, you never go back
3. Re:As always... by makomk · 2005-07-16 06:11 · Score: 2, Informative
  
  Disallowing remote root logins isn't going to help keep people from brute-forcing SSH. It just means they can't brute-force root. Since root usually has the best password, I'm not sure that's really important.
  
  Perhaps, but root is the obvious target - it's both the most powerful account, and the only one that exists on all systems. With user accounts, there's the problem of guessing a valid account name.
4. Re:As always... by Homology · 2005-07-16 06:23 · Score: 4, Informative
  
  If possible, restrict access by source IP address, limit the user accounts w/ SSH access, and don't allow remote root logins.
  Another step to improve security if there are very few users is just to ONLY allow public key authentication. I've never seen such a box compromised remotely.
  
  No kidding? By disallowing password authentication you've stopped the script kiddies dead in their tracks. As for disallowing root access, here are some words from an OpenBSD developer:
  
  ... All unmitigated horseshit. Sorry. Look I use sudo, and I like it. but it is no substitute for allowing root login to a box, and is no substitute for "su", Sorry. They are different. I don't want to add a billion sudoable local accounts to run boxen in a distributed authentication environment. I want "root" local, and be done with it. I want root exposed if someone knows the root password, not if someone knows the root password or fourteen other idiot's passwords that are used every day. That's not more secure. If you want a useful diff to help stop this ridiculous discussion from propping up every little while. Here's what I propose: ....
  Saying "don't login as root" is horseshit. It stems from the days when people sniffed the first packets of sessions so logging in as yourself and su-ing decreased the chance an attacker would see the root pw, and decreast the chance you got spoofed as to your telnet host target, You'd get your password spoofed but not root's pw. Gimme a fucking break. this is 2005 - We have ssh, used properly it's secure. used improperly none of this 1989 bullshit will make a damn bit of difference. -Bob
5. Re:As always... by Wonko · 2005-07-16 06:31 · Score: 2, Informative
  
  try putting your public keys on a usb thumb drive. Toss putty on there as well, and you've got what you need no matter where you're at ;)
  
  First of all, your public key goes onto the server you are logging into. You need your private key on the client.
  
  Second, it isn't very secure to use your private key from an untrusted machine. What you want to use from untrusted machines are one time passwords.
6. Re:As always... by Ann+Elk · 2005-07-16 06:35 · Score: 4, Informative
  
  Moral of the story? AllowUsers is a really good idea :-P
  
  And running Apache as root is a Really Bad Idea (tm).
7. Re:As always... by feronti · 2005-07-16 06:43 · Score: 5, Informative
  
  Speaking of which, why is it said not to login as root over SSH? The only plausible reason I've ever heard is that the encryption is stronger after the login is complete, so your root password is safer if you 'su' to root after logging into another account.
  
  I think it may be due to an old vulnerability. In versions of OpenSSH earlier than 2.5, you can discover the length of the password using traffic analysis. Basically you look for the following sequence of packets:
  
  C: 1 packet (s) S: 1 packet (echo s) C: 1 packet (u) S: 1 packet (echo u) C: 1 packet (newline) S: 1 packet (echo newline) S: 10 packets ("Password: ") C: x packets (the password) C: 1 packet (newline) S: 1 packet (echo newline)
  Basically, since the x packets aren't echoed, we know that they are the password. We don't know the contents of the packets, but we now know the length of the password, which can help tremendously in brute force and dictionary attacks (we can eliminate a huge portion of the search space by only searching passwords of length x).
  This technique worked for both SSH-1 and SSH-2 protocols. For more detail, (and a better, more accurate description of how the vulnerability worked) you can read the original security advisory.
  
  Another problem with logging in directly as root is that you no longer can audit who is logging in as root in an environment where multiple users have root access.
8. Re:As always... by Tassach · 2005-07-16 08:26 · Score: 2, Informative
  
  Saying "don't login as root" is horseshit. It stems from the days when people sniffed the first packets of sessions so logging in as yourself and su-ing decreased the chance an attacker would see the root pw
  That may have been the reason you did it in the past, but it's not the reason you do it now. The reason for not logging in directly as root (or under any other shared accout, for that matter) is ACCOUNTABILITY. If you log in as root directly, all that gets logged is the host you came from. If you force them to log in as themselves, and then su to root, you have a record of who did it. This is important when you have a machine where a dozen admins all know the password to a shared account.
  
  --
  Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
9. Re:As always... by Tuck · 2005-07-16 17:49 · Score: 2, Informative
  
  Is there a way to implement one time passwords with ssh?
  
  Yes, there's several. Some SSH software has S/Key support (eg OpenSSH "./configure --with-skey"). The most current S/Key implementation seems to be the one in Wietse Venema's logdaemon package.
  
  You can also do OTP through PAM or BSDauth if your platform supports those, eg pam_skey, pam_opie (OPIE: One-time Passwords In Everything)
  
  Several systems have either S/Key or OPIE support natively (OPIE seems to be becoming the more popular of the two).
  
  --
  $ find /pub -beer "James Squire Amber Ale" -drink
Easy fix by Anonymous Coward · 2005-07-16 05:32 · Score: 4, Informative

i have had this on a number of occasions.. i just set the max auth attepts to 4, this renders the attempts useless
1. Re:Easy fix by tek.net-ium · 2005-07-16 06:02 · Score: 5, Informative
  
  RTFM. sshd_config(5) MaxAuthTries Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. The default is 6. Crackers will just open up more connections.
2. Re:Easy fix by Mr+Z · 2005-07-16 11:15 · Score: 2, Informative
  
  I'd also suggest "MaxStartups 2" to prevent them from opening a bunch of connections in parallel.
  
  --
  Program Intellivision!
DenyHosts by roubles · 2005-07-16 05:33 · Score: 5, Informative

I use DenyHosts http://denyhosts.sourceforge.net/ from a cronjob. It detects any suspicious logins in /var/log/auth.log and adds the ip address of the user into the /etc/hosts.deny file. It also sends me an email telling me the IP address that was last added to the file.

Lately I have been getting atleast 1 hack attempt a day on my personal computer connected to the internet over a cable connection. On weekends I get more.

Just this morning I had two ssh dictionary attacks. DenyHosts caught them both.
1. Re:DenyHosts by cirisme · 2005-07-16 08:21 · Score: 2, Informative
  
  I have to second DenyHosts, it is truly an awesome tool. My favorite feature is that it will find IP's with more than X failed attempts, and at least one successful login and warn you that there have been suspicious log-ins.
  
  Very powerful feature, imho.
Non-default Port by fire-eyes · 2005-07-16 05:35 · Score: 2, Informative

Use a non-default port on any service whenever possible. This simple change goes a long way. Obviously it is not all you should do.

--
-- Note: If you don't agree with me, don't bother replying. I won't read it.
1. Re:Non-default Port by ak8b · 2005-07-16 05:47 · Score: 2, Informative
  
  I second this one. I went from several a day to zero since I changed the incoming port. I have my router (a DI-604) do the port change/forward so that I didn't have to change anything on the Linux box or deal with it within my internal network.
Attacks are a sad reminder on stupidity by m.dillon · 2005-07-16 05:36 · Score: 2, Informative

I get 40 of these a day across half a dozen machines. They only try a small combination of trivial passwords for accounts like 'root' and 'test' and 'admin', and occassionally user names using the same user name as the password, etc. Really quite sad considering that most Linux and BSD installs disable passworded-root logins via ssh by default. My guess is that they are going after Windoz boxes which for some unfathomable reason still allow people to do stupid things with passwords.
I got annoyed enough that I wrote a little script to pull the data out of my logs in real time and add an entry to my firewall, but the attacks are harmless to any sysadmin with a clue.

-Matt
Use another port by objorkum · 2005-07-16 05:37 · Score: 5, Informative

Use another port than 22. I have not noticed one single bruteforce attempt after I did that.

--
objorkum dot com
1. Re:Use another port by HermanAB · 2005-07-16 06:37 · Score: 2, Informative
  
  You can use this method to limit login attempts. It will allow a burst of 5 new connection attempts, then limit at a rate of 1 per second.
  
  # Protect against DOS attacks - rate limit various ICMP messages
  $IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  $IPTABLES -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
  $IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST -m limit --limit 1/s -j ACCEPT
  
  --
  Oh well, what the hell...
Re:Highly annoying by IDreamInCode · 2005-07-16 05:41 · Score: 2, Informative

bfd is a good program to run with APF.

http://www.rfxnetworks.com/bfd.php

it looks through your /var/log/secure file and automatically adds attackers to your /etc/apf/deny_hosts.rules file.

It works really well for me. Catches a lot of attackers.
why not disable passwords entirely? by toby · 2005-07-16 05:45 · Score: 4, Informative

If you only need access from a limited set of machines which can have pre-generated keys, you can disable password authentication entirely (PasswordAuthentication no) and use RSA instead, with optional passphrase. In addition to PermitRootLogin no, I suggest judicious use of AllowUsers in sshd_config.

--
you had me at #!
1. Re:why not disable passwords entirely? by ngunton · 2005-07-16 06:12 · Score: 2, Informative
  
  Careful if you're doing this on a remote host that you don't have easy console access to (e.g. co-located or rented from a hosting company). If you happen to delete or otherwise lose the key on your local computer (or if you need to login from another computer for some reason) then you'll be unable to.
Dynamically blocking with iptables by meisenst · 2005-07-16 05:49 · Score: 3, Informative

I tried to post this in the talkback on the article but it got horribly munged.

Here are the iptables rules I use to dynamically stop this kind of thing (with a good degree of success):

# SSH
-A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --rcheck --hitcount 3 --seconds 600 -j LOG --log-prefix "SSH attack: "
-A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --rcheck --hitcount 3 --seconds 600 -j DROP
-A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --set -j DNAT --to-destination $INTERNAL:22
-A OUTPUT -m tcp -p tcp -d $EXTERNAL --dport 22 -j DNAT --to-destination $INTERNAL:22

Your mileage may vary. This blocks attempts for 1 minute after 3 attempts (successful or failed, so if someone forgets their password, they may trip it as well).

--
Green's Law of Debate: Anything is possible if you don't know what you're talking about.
These have been going on for a long time by angst7 · 2005-07-16 05:56 · Score: 3, Informative

I've been logging and reporting these attacks since last October (when I first started using BFD). I'm figuring they've been going on for a long long time. A simple install of APF and BFD will keep you from having too much trouble though. That and making sure noone is using easy to guess passwords.

APF and BFD can be got here: RFX Networks.

--
StrategyTalk.com, PC Game Forums
easy fix by gyratedotorg · 2005-07-16 06:07 · Score: 2, Informative

if your ssh server needs to be publicly available, you can always have it listen on a different port. that seems to thwart 100% of these automated attacks.

--
Gyrate Dot Org - "Where high-tech meets low-life"
Re:sshdban.sh by Anonymous Coward · 2005-07-16 06:39 · Score: 1, Informative

# You'd like awk awk '/Illegal user/ { print " ALL:" $10 ":deny" }' \ /var/log/authlog | uniq >> /etc/hosts.allow
Re:Won't work by _fuzz_ · 2005-07-16 06:42 · Score: 2, Informative

If the people you are giving shell accounts too are not smart enough to figure out how to change the port on the client, you have other problems. The exception to this may be restricted accounts, such as sftp. But if people are smart enough to change the dropdown from "ftp" to "sftp," they are smart enough to change the port value from 22 to 22222.

Changing the port does work. I went from having hundreds of attacks a day to zero. Not a single attempt in months.

--
47% of all statistics are made up on the spot.
Re:Highly annoying by A+non-mouse+Cow+Herd · 2005-07-16 07:48 · Score: 2, Informative

Take this example. You run a fairly successful ecommerce site in a very competitive space. One of your competitors discovers you use this method and decides they don't want you to compete with them on Googe, Yahoo etc. They setup a script that bangs on your box once a day spoofing all the known bot IP addresses. After a while you will start to wonder why you aren't in the indexes any longer.
Eh no. For an ssh login to fail, you have to actually establish a TCP connection, which makes spoofing rather difficult. Not only do they have to spoof the IPs, but they have to convice the internet to route googles IPs to you. If they can do that, causing you to blackhole googlebot is the least of your worries. If you were doing this on a stateless UDP protocol, that would be another matter. If ssh is your primary access to the machine, it is almost certainly a good idea to make sure your own IPs are whitelisted, and of course you want to keep an eye on any process like this.
Re:Highly annoying by zeno921 · 2005-07-16 13:51 · Score: 2, Informative

I use Python script called BlockHosts to block hosts that fail more than a given number of times in a row. These types of attacks get quite annoying so it's nice to know they're getting blocked after a few tries.