Slashdot Mirror


The Low-Intensity, Brute-Force Zombies Are Back

Peter N. M. Hansteen writes "In real life, zombies feed off both weak minds and the weak passwords they choose. When the distributed brute-force attempts stopped abruptly after a couple of months of futile pounding on ssh servers, most of us thought they had seen sense and given up. Now, it seems that they have not; they are back. 'This can only mean that there were enough successful attempts at guessing people's weak passwords in the last round that our unknown perpetrators found it worthwhile to start another round. For all I know they may have been at it all along, probing other parts of the Internet ...' The article has some analysis and links to fresh log data."

11 of 203 comments

  1. SPA / PORT KNOCKING - Bye Bye Brute by myspace-cn · · Score: 4, Insightful

    Roll out SPA / Port knocking, their IP shouldn't be touching your sensitive ports without a rule, table, or chain specifically allowing access. FORGET THE PASSWORD!

  2. Another solution by IceCreamGuy · · Score: 2, Insightful

    Use a script like denyhosts, and I'm sure there are a ton of others out there that are just as good if not better. Unless your password is weak enough to be guessed in five attempts and the attacker isn't already in the denyhosts list, you shouldn't have to worry about too much. And, most importantly, just peruse your auth logs every now and then, it's not really that big of a chore.

  3. Re:why are passwords even allowed? by BitZtream · · Score: 2, Insightful

    grep -v for the win!

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager

  4. Re:Protect yourself by anothy · · Score: 2, Insightful

    mostly good advice. you might consider using ssh keys instead of passwords, depending on your environment. the only thing i'd outright disagree with is pre-denying IP ranges based on a guess of where you're likely to log in from. i've had to leave the country on business unexpectedly on very short notice; it'd suck to have been locked out when i landed.

    --

    i speak for myself and those who like what i say.

  5. Re:why are passwords even allowed? by palegray.net · · Score: 2, Insightful

    tail -f for the bored!

  6. Re:My server got attacked last Thursday by mellon · · Score: 2, Insightful

    Um. You realize, of course, that remote desktop is a lot less secure than ssh, right?

    It doesn't matter if people are trying to pick the lock on your door. What matters is whether they can pick the lock. Use RSA-based authentication, and no amount of brute force is going to improve the odds of their breaking in to the point where it's worth bothering.

    Remote desktop, on the other hand, is completely brute-forceable. If you're not seeing brute force attacks, it's because nobody's bothering, not because you're not vulnerable.

  7. Re:why are passwords even allowed? by Thantik · · Score: 2, Insightful

    I would suspect it's going after port 22 only. If you're smart enough to move the port from 22, you're probably smart enough to use key pairs, and then what is the point of trying to brute force you? Focusing on default 22 is a good strategy because you'll find those who have completely defaulted settings, weak passwords, etc.

  8. Re:why are passwords even allowed? by tagno25 · · Score: 2, Insightful

    grep -v |tail -f for the smart and lazy

  9. Re:why are passwords even allowed? by dbIII · · Score: 2, Insightful

    Nice in the short term but giving people an easy way to add rules to your firewall may create hassles later once miscreants know that is what you are doing. Some people have scripts that implement temporary blocking so it doesn't hurt much on the day that some script kiddie decides to have fun with them by forging attacks from different addresses.
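    A small detector in the spirit of comments 2 and 9 above (read the auth log, block a source only temporarily so a forged-source flood cannot build a permanent deny list). This is an added example, not code from the article or from any commenter; the log lines, the threshold/window values and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sshd auth.log excerpt (sample data, not from the article or any real host).
SAMPLE_LOG = """\
Jan 10 12:00:01 host sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 4011 ssh2
Jan 10 12:00:31 host sshd[102]: Failed password for root from 203.0.113.5 port 4012 ssh2
Jan 10 12:01:05 host sshd[103]: Failed password for root from 203.0.113.5 port 4013 ssh2
Jan 10 12:01:40 host sshd[104]: Failed password for invalid user test from 198.51.100.7 port 5001 ssh2
Jan 10 12:02:10 host sshd[105]: Accepted publickey for alice from 192.0.2.9 port 6001 ssh2
Jan 10 12:09:00 host sshd[106]: Failed password for invalid user oracle from 203.0.113.5 port 4014 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port"
)

def parse_failures(log_text):
    """Yield (timestamp, user, ip) for each failed-password line; other lines are ignored."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            # syslog timestamps carry no year; strptime defaults to 1900, fine for deltas
            yield datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("user"), m.group("ip")

def temporary_blocks(log_text, threshold=3, window_s=300, block_s=600):
    """Sliding-window counter: `threshold` failures from one IP within `window_s` seconds
    earns a block that expires `block_s` seconds later (values are illustrative).
    Returns {ip: (blocked_at, expires_at)}."""
    window = timedelta(seconds=window_s)
    recent, blocks = {}, {}
    for ts, _user, ip in parse_failures(log_text):
        if ip in blocks and ts < blocks[ip][1]:
            continue  # already blocked; attempts during the block do not extend it
        hits = [t for t in recent.get(ip, []) if ts - t <= window] + [ts]
        recent[ip] = hits
        if len(hits) >= threshold:
            blocks[ip] = (ts, ts + timedelta(seconds=block_s))
            recent[ip] = []  # a further block needs a fresh burst after expiry
    return blocks

def is_blocked(blocks, ip, at):
    """True if `ip` is inside an active block at datetime `at`."""
    return ip in blocks and blocks[ip][0] <= at < blocks[ip][1]

if __name__ == "__main__":
    for ip, (start, end) in temporary_blocks(SAMPLE_LOG).items():
        print(f"{ip} blocked from {start.time()} until {end.time()}")
```

    Feeding the returned map into a firewall rule with a matching expiry (rather than a permanent table entry) is what keeps the forged-address scenario from comment 9 from locking out legitimate users.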

  10. Re:disabling root login is idiotic by Anonymous Coward · · Score: 1, Insightful

    Is that good reason: You're an idiot?

    If someone is logging into your root account with your key, then it doesn't matter, you're already thoroughly compromised.

    If someone is logging into your key-only root account WITHOUT your key... you have much bigger problems.

    There is no case where disabling root login will protect you, except perhaps from yourself.

  11. Re:iptables goodness by drcesteffen · · Score: 2, Insightful

    Wouldn't it be better to TARPIT them rather than --reject-with tcp-reset? That said, if they are generating one query from each IP address and trying to log in more than 300 seconds apart, this may have no effect. Perhaps all firewalls without ssh enabled should TARPIT attempts to connect to slow this down. Perhaps one could create a script on all computers to change the ssh port, assuming you are using a nonstandard high port, as a function of time, and to tarpit all other ports.