Slashdot Mirror

← Back to Stories (view on slashdot.org)

Coping With 1 Million SSH Authentication Failures?

Posted by kdawson on from the some-definitions-of-managed dept.

An anonymous reader writes "I own a small Web development studio that specializes in open source software, primarily Drupal, WordPress, and Joomla for small businesses. Our production servers, which host about 50 sites and generate ~20K hits/week, are managed by a 3rd party that I'm sure many on Slashdot would recognize. Earlier today I was researching some problems on one of our sites and found that there have been over 1 million SSH authentication failures from ~1200 IP addresses on one of our servers over the last year. I contacted the ISP, who had promised me that server security would be actively managed, and their recommendation was, 'change the SSH port!' Of course this makes sense and may help to an extent, but it still doesn't solve the problem I'm facing: how do you manage server security on a tight budget with literally no system admin (except for me and I know I'm a n00b)? User passwords are randomly generated, we use a non-standard SSH port, and do not use any unencrypted services such as FTP. Is there a server monitoring program you would recommend? Is there an ISP or Web-based service that specializes in this?"

75 of 497 comments (clear)

  1. fail2ban by Anonymous Coward · · Score: 5, Informative

    fail2ban, key-auth

    1. Re:fail2ban by jimpop · · Score: 5, Informative

      > fail2ban, key-auth

      +1

      Change port. Use iptables to only allow access from known subnets/hosts.

    2. Re:fail2ban by sstern · · Score: 2, Informative

      Install OSSEC, too. There may be other stuff going on.

      --
      --Steve
    3. Re:fail2ban by B'Trey · · Score: 2, Informative

      And use DenyHosts

      --

      "The legitimate powers of government extend only to such acts as are injurious to others." Thomas Jefferson.

    4. Re:fail2ban by Kugrian · · Score: 4, Funny

      Someone fucked up big time when they taught you html:
      [url]http://www.fail2ban.org/[/url]

    5. Re:fail2ban by mellon · · Score: 4, Insightful

      This is really cool until you find yourself trying to log in from the same access point where somebody with a virus was attached earlier in the day. Better to just use crypto (key-based authentication only) and rate-limiting.

    6. Re:fail2ban by daveime · · Score: 3, Funny

      Because it your production server is *nix, you are probably *already* running a shitload of random scripts written by unknown cunts ?

    7. Re:fail2ban by Sandman1971 · · Score: 4, Informative

      Not only use something like DenyHost or Fail2Ban, but firewall off all IP classes from Asia, South America and any other region that you know you'll never SSH from. I can easily get the /8s and such that are in use by each region (just look up Apnic, RIPE, etc...).

      --
      It's better to burn out than to fade away
    8. Re:fail2ban by Anonymous Coward · · Score: 2, Informative

      Or block when connections per time interval exceed a given number:
      iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
      In this case, more than 4 attempts in a minute

    9. Re:fail2ban by venom85 · · Score: 2, Informative

      This is really cool until you find yourself trying to log in from the same access point where somebody with a virus was attached earlier in the day. Better to just use crypto (key-based authentication only) and rate-limiting.

      That depends on how you have Fail2Ban set up. If you have it set to block for a very long period of time, then yes, this would be a problem. But I have it set to just block for 10 minutes. Even if I manage to lock myself out accidentally, I only have to wait 10 minutes. That short 10 minute block is usually more than enough to make bots move on. I've had a few of them continue to hammer away after the 10 minutes are up, but in a couple years it's been a very small percentage.

      And to the guy who suggested using DenyHosts in addition to Fail2Ban, you're wasting your time. Fail2Ban performs the exact same thing as DenyHosts, but Fail2Ban does it for more services besides SSH. They're both good tools, but using them together is just unnecessary.

    10. Re:fail2ban by codeguy007 · · Score: 3, Interesting

      Nobody's going to guess a 2048-bit RSA key.

      No but they can steal if from your users' computers. It's one thing to have staff use keys when they are on your secure network but having users who are out on the web using keys when you can't control the security on their machines is only as secure as your dumbest client. Of course if they can hack and steal keys, they can probably steal passwords as well. For remote access one of the securest ways is using a security token. Every time user logs in they have to enter a different number.

    11. Re:fail2ban by gmack · · Score: 5, Informative

      fail2ban firewalls off the port for a time you specify

      DenyHosts blocks the ip in /etc/hosts.deny

      I find fail2ban to be much more effective since I can use it for more than just SSH (on my system: ftp, imap, pop3, ssh, smtp). Some of the newer botnets will attempt to crack the password using another service and then try the resulting password on ssh so it's important to have more complete coverage.

    12. Re:fail2ban by micheas · · Score: 2, Interesting

      Nobody's going to guess a 2048-bit RSA key.

      http://ftp.de.debian.org/debian/pool/main/o/openssh-blacklist/openssh-blacklist_0.4.1.tar.gz

      If the 2048 RSA key is one of these they probably will, get it, especially if they have a million chances.

      --
      Work bio at MMWD
    13. Re:fail2ban by X0563511 · · Score: 2, Insightful

      Because stealing RSA/DSA SSH keys is so much more common than dictionary/brute attacks...

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    14. Re:fail2ban by DeadboltX · · Score: 2, Interesting

      is there any advantage to fail2ban over denyhosts ?

    15. Re:fail2ban by turbidostato · · Score: 2, Interesting

      "Because stealing RSA/DSA SSH keys is so much more common than dictionary/brute attacks..."

      You seem to forget that if you are seeing those attack levels is because of user computers already rooted, so anything on the client's side it's already at the attacker disposal. What do you prefer? Seeing thousands of failed login attempts in your logs or not seeing anything because the attack succeded by taking control of the ssh keys on the client's machine?

    16. Re:fail2ban by phoenix321 · · Score: 2, Interesting

      The best authentication relies on two factors, what you have and what you know.

      A rooted client gives the attacker access to at least one part of that.

      A separate physical RSA token is probably the only thing to prevent that, since they work without being attached to the authenticating system and even full scale keylogging monitored by a squad of hackers in rotating shifts will not really suffice.

    17. Re:fail2ban by gmack · · Score: 2, Informative

      More accurately it blocks the attacker's IP at the firewall.

  2. Hardware firewall or use bfd by Golbez81 · · Score: 3, Informative

    bfd (and apf if you like it) are probably the best software solutions your gonna find, but if you're facing 1 million+ auth failures, I would seriously consider a hardware firewall and VPN of some sort.

  3. Tar Pitting by spydum · · Score: 4, Informative

    I'm a big fan of tarpitting SSH connections myself. It dramatically cuts down on the repeated ssh attempts, and keeps my logs much cleaner.

    Basically, an iptables rule:
    -A INPUTCHAIN -m state --state NEW -m recent -p tcp --dport 22 --update --seconds 30 --hitcount 4 --rttl --name SSH -j DROP

    1. Re:Tar Pitting by Anonymous Coward · · Score: 2, Informative

      Fail2ban can do stuff that automatically!

    2. Re:Tar Pitting by jonesy2k · · Score: 4, Informative

      That's not tarpitting. Tarpitting involves keeping the connection open in order to tie up the resources of the attacking host.

    3. Re:Tar Pitting by Anonymous Coward · · Score: 5, Interesting

      I use a variation on tarpitting that has worked very well for me.
      It cut the attempts down from 60,000/day to 20 or 30 per day.

      I just add a small delay between the initial connection attempt
      and when I send the username/password prompt. The delay (in
      seconds) is the number of attempts in the last 30 minutes,
      squared. This makes all but the most determined attacker
      give up and go away very quickly.

      I have been using this with both FTP and SSH for the last
      year, and it works great.

    4. Re:Tar Pitting by Minwee · · Score: 4, Insightful

      Fail2ban can do stuff that automatically!

      Let me see if I have this right. If iptables can keep count of incoming connections within the kernel and drop incoming connections as they happen without any intervention from a userspace program, that's _not_ automatic.

      But running a gigantic shell script to scrape text messages out of your system logs and then call randomly chosen commands which may or may not have any effect on the observed problem some time after it occurs, then that's "doing that stuff automatically"?

      Maybe those words don't mean what one of us thinks they do.

    5. Re:Tar Pitting by luizd · · Score: 2, Insightful

      Yes, I think that this is your best solution. Instead of using iptables directly, you should check your distribution software relative option.Generally is is easier (but anyway, it will ultimately result in the same iptables command)

    6. Re:Tar Pitting by cptdondo · · Score: 4, Insightful

      That, and create only a single user who can log in, that takes you to the real log in prompt. That way an attacker has to guess the one user+password, and have a legitimate userid+password to gain access.

      It's not foolproof, but it foils the vast majority of script attackers.

      And DISABLE ROOT LOGIN!

    7. Re:Tar Pitting by IQgryn · · Score: 4, Interesting

      How would one go about implementing this delay?

    8. Re:Tar Pitting by schon · · Score: 4, Informative

      iptables -N autoban
      iptables -I INPUT -p TCP --dport 22 -j autoban
      iptables -A autoban -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
      iptables -A autoban -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

      Any site that connects more than 4 times in 60 seconds gets all packets subsequently dropped.

      You could change DROP to TARPIT (if your kernel supports it) to fuck with them a little more.

    9. Re:Tar Pitting by JackieBrown · · Score: 3, Funny

      Incidentally, I would quite like to know how this AC went about implementing this.

      He'll be back. He has to wait an hour before being able to log in again.

    10. Re:Tar Pitting by StripedCow · · Score: 3, Interesting

      But what happens if you call scp from a number of scripts in parallel? You will get banned?

      The problem is that you want to act only on the failed login attempts.

      --
      If Pandora's box is destined to be opened, *I* want to be the one to open it.
  4. sshblack by Anonymous Coward · · Score: 2, Insightful

    sshblack works very well for me. It monitors failed ssh connections and inserts entries into iptables to block the IPs.

  5. Passwords? by fm6 · · Score: 4, Informative

    Here's my excuse to ride my usual hobbyhorse about passwords being obsolete. SSH supports certificate-based authentication, which is not only more secure, it's less of a hassle for the user. Don't know if it would be practical for your application (you might tell us more about that) but it's worth a look.

    1. Re:Passwords? by markdavis · · Score: 3, Interesting

      I agree that PKI would be more secure, but it is a LOT more hassle for most users. The simple fact is, a tarpit is *extremely* effective. Even a relatively weak password is going to be nearly impossible to break if the attackers are limited to only a few tries per hour or day or whatever.

  6. fwknop by c0d3g33k · · Score: 4, Informative

    They can't fail authentication if they don't know it's there. http://cipherdyne.org/fwknop/

  7. You are being brute-forced by Anonymous Coward · · Score: 4, Informative

    Welcome to the internet -- this happens to every site with a public IP.

    First off, do not change your SSH port. It won't do a whole lot for you, and it will be more hassle than it works.

    There are a whole lot of programs available to deal with SSH brute forcing. sshguard is one of them, and it's not too bad (you can apt-get install it). It's a bit of a hack -- it just watches your logs and takes appropriate action -- but it does work.

    The other thing you can do immediately is simply turn off password authentication in ssh. Anyone getting in will need a key. This is what sourceforge and github both do. This isn't always practical for every site, but it will damn sure keep your passwords from being brute-forced.

  8. Fail2ban or denyhosts by mystik · · Score: 3, Informative

    Fail2ban or denyhosts activly target ssh. fail2ban includes rules for other services, but denyhosts includes a mechanism for sharing lists of your denied hosts w/ other admins, as well as using their ban lists to protect your ssh logins.

    --
    Why aren't you encrypting your e-mail?
  9. SSH public key authentication by whamett · · Score: 4, Informative

    This kind of brute-forcing is common. The simplest way to deal with it is to set up SSH public key authentication, disable SSH password authentication, and forget about it.

    1. Re:SSH public key authentication by ColaMan · · Score: 3, Funny

      The simplest way is to drop SSH and just use telnet. They won't be expecting that!

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
  10. Spend more than 10 minutes? by Seakip18 · · Score: 2, Informative

    Seriously. I'm in the same shoes and it's easy. I came across it pretty quick and all these SSH log in problems went away.

    Check out...waaaaait...

    What's most troubling is this:

    I own a small Web development studio that specializes in open source software, primarily Drupal, WordPress, and Joomla for small businesses

    You operate a business and you haven't figure out this chief problem yet...but you want us to help you out?

    Well...Here's the solution: denyhosts

    Someone else'll chime in with it....Just hope you read up and configure it properly....or you'll find yourself locked out of your own servers.

    --
    import system.cool.Sig;
    1. Re:Spend more than 10 minutes? by Gearoid_Murphy · · Score: 4, Informative

      add the ip address and/or hostname of all the hosts you use to access your servers into /etc/hosts.allow. If denyhosts picks up 3 failed logins from a single ip address, that address is added to /etc/hosts.deny, if this happens to be your machine (and you're having a bad day entering your password), you could get locked out of your system.

      --
      prepare the survey weasels.
  11. So? by victim · · Score: 4, Interesting

    If you really have secure passwords, the random guessers aren't going to get them. Log it and move on.

    I get thousands of Chinese hackers attempting to break into the battery monitor in my tool shed, big deal. I don't know why my battery voltage and solar current is so important to them, but they can knock themselves out all day.

    If the logs bother you then install fail2ban and configure it to lock people out after a few bad guesses. (Then be ready to unlock yourself from an alternate IP when you inevitably lock yourself out.)

    1. Re:So? by Korin43 · · Score: 2, Interesting

      I'm surprised I had to scroll down half the page to find this. Seriously, what is everyone so worried about? Just set a secure password and don't even worry about it. Assuming you have a secure password (8 characters, upper and lower case letters and numbers), even a million attempts per second will take over 3 years on average (and ssh won't let you try that often anyway). Bump that up to 12 characters and you're looking at millions of years.

  12. Move to a higher order port and use denyhosts by deadmongrel · · Score: 3, Informative

    I use one or more of these on my public facing servers.
    1. Move the default ssh port to a higher order port (5000+)
    2. Use Denyhosts http://denyhosts.sourceforge.net/ to block repeated attempts
    3. use key exchange instead of username/password
    4. use network based IPS.
    Just moving the ssh port reduced the ssh brute force attack for me. Either stop being a noob or hire a sys admin.

    1. Re:Move to a higher order port and use denyhosts by sootman · · Score: 5, Funny

      1. Move the default ssh port to a higher order port (5000+)

      Agreed. The higher the better. For the ultimate in security, I recommend 65536.

      --
      Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    2. Re:Move to a higher order port and use denyhosts by MrCrassic · · Score: 2, Interesting

      Changing the port might be troublesome if you're trying to SSH from public locations like airports and such. They usually leave port 22, 443 and 8080 open for their own services and block all others, so you will have to either set up VPN to get into your servers or wait until you're elsewhere. Additionally, an evenly-slightly determined hacker can still find where your sshd process is listening on by running a basic nmap scan.

      Key exchange and disabling root login is probably the best way to go. Fail2ban worked really well when my server had a Linux distro on it.

    3. Re:Move to a higher order port and use denyhosts by DavidTC · · Score: 2, Insightful

      You are assuming they are actually attacking your computer.

      They are not. They're stupid bots. Poorly written stupid bots.

      They do not do portscans, at least not of random ports. They do not attempt to find ssh elsewhere.

      I swear, I keep having this idiotic discussion. Have it about spam too. 'But why would you block email servers that don't appear to understand the SMTP protocol? Spammers can just write better servers.'

      We're not trying to block hypothetical attacks. We're not trying to stop hypothetical tools that go out and find ssh servers.

      We're trying to stop the actual attacks that are actually happening from totally idiotic craptastic software criminals are currently using.

      Forcing them, at the very least, to high competent amoral programmers, instead of the incompetent boobs they apparently hire currently.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    4. Re:Move to a higher order port and use denyhosts by Sancho · · Score: 2, Insightful

      I used to feel the same way. But really, moving the port lets you focus on the real threats.

      Look at it this way: if you are being targeted with a sophisticated hack, any dangerous attempts to log in to port 22 will get lost in the massive amount of bot traffic. But if your SSH server is on port 12344, then the reports in your logs will be more meaningful. You'll know that someone was conducting real reconnaissance and you can start worrying. There's no reason that you can't change the port as well as requiring keys to log in.

      Relying on a secret port is security through obscurity. Utilizing a non-standard port to filter out bot traffic in your logs logs so that you know when you're really being attacked is actually fairly smart. Sure, maybe one day the bots will start port-scanning first, but for now, it's sound.

    5. Re:Move to a higher order port and use denyhosts by jon3k · · Score: 2, Insightful

      You're missing the point. The goal of moving it is to stop the botnets. Now if you see failed attempts to login via SSH on port 12345 you know that it's a much more sophisticated directed attack on your host. Moving the port is more about filtering out the noise.

  13. BlockHosts by psychosis · · Score: 2, Informative

    We started using BlockHosts to feed iptables rules, and our failure logs went from 30-50k per day to 100. Basically, with more than 'x' failed logins within 'y' time frame, the source IP is blocked for 'z' time period. Since it uses iptables, you could block it from just the ssh port, or the entire system (we do the latter).
    All three variables are configurable, and we also have whitelisted a few select standby IPs for contingency use. (As another poster said, you **will** lock yourself out eventually.)

  14. Re:whatcouldposiblygowrong by jo_ham · · Score: 4, Funny

    He could get trolled on slashdot by the very people he's coming to ask for help to become *less* of a noob.

    I'll bet you teach your kid gun safety by shooting him in the neck.

  15. Throttle Inbound Connections by Padrino121 · · Score: 5, Informative

    I have a similar situation and cannot limit to very specific IP ranges. I have done the following with good success. I pulled some examples from my configuration that can be tweaked for yours if you like.

    1. Limit incoming SSH attempts to a low number. In my case I limit to 2 connections in 60 seconds. I can tighten it even more but this did a lot to kill brute force attempts.
    iptables -I INPUT -p tcp -i vlan1 --dport 2242 -j DROP
    iptables -I INPUT -p tcp -i vlan1 --dport 2242 -m state --state NEW -m limit --limit 2/min -j ACCEPT
    iptables -I INPUT -p tcp -i vlan1 --dport 2242 -m state --state RELATED,ESTABLISHED -j ACCEPT

    2. Automatic blacklist via DenyHosts. This helps cut down attempts from known ranges without even giving them the chance even at a slow rate. http://denyhosts.sourceforge.net/

  16. An iptables recipie by Simon+Carr · · Score: 4, Insightful

    -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH --rsource -j LOG --log-prefix "SSH_brute_force "
    -A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH --rsource -j DROP

    Stops 'em *somewhat* dead. If you want to whitelist hosts so they are not impacted by this rule, just add;

    -A INPUT -s your.ip.address -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT

    Before the throttling ruleset.

    --
    -- The unsig...
  17. OpenBSD PF by roman_mir · · Score: 3, Insightful

    #SSH
    pass in inet proto tcp from any to $ext_if port ssh
    pass out inet proto tcp from any to $ext_if port ssh
    pass quick proto tcp from any to $ext_if port ssh \
            flags S/SA keep state \
            (max-src-conn 15, max-src-conn-rate 5/3, \
              overload <bruteforce> flush global)

    you know what I am saying?

    --
    You can't handle the truth.
  18. pam_abl by otis+wildflower · · Score: 2, Interesting

    http://lmgtfy.com/?q=pam_abl

    Share and enjoy!

  19. Re:whatcouldposiblygowrong by NNKK · · Score: 2, Insightful

    If somebody tries to perform surgery without a proper medical education, do you offer pointers, or do you tell them to drop the knife and find a real surgeon?

    Companies running public-facing servers without good technical expertise are a menace.

  20. I don't understand the problem by dingen · · Score: 2, Interesting

    So there have been a million failed attempts to log in over SSH in a year. That's about one failed attempt every 30 seconds.

    What's wrong with that? It's not like they're getting in, right?

    --
    Pretty good is actually pretty bad.
  21. Re:Exactly by Minwee · · Score: 4, Funny

    "How can I stop people from driving past my house and seeing if the lights are on?"

    That's easy, just move the front door to where one of your upstairs windows is and install tiny robots that will draw the curtains if the traffic noise gets too loud.

  22. Re:whatcouldposiblygowrong by dintech · · Score: 4, Insightful

    That's a beautiful and witty analogy but to reverse it:

    If he asked "How can I stop my house being burgled?" and you said, "Without a full alarm, CCTV and patrol system, don't even bother. Leave it to the professionals."

    Some others might see some practical value in suggesting, "Maybe lock your door at night."

    My opinion in this situation is first to take what advice you can and do something yourself as soon as possible (since any extra security is better than nothing). Next, as you suggested and when he has the resources to employ someone to do it properly, seek professional help. Simply doing nothing until he can do it properly sounds a bit dangerous.

  23. Re:whatcouldposiblygowrong by obarthelemy · · Score: 2, Insightful

    Since it seems to have escaped your attention, I'd like to point out the fact that unqualified surgeons can (will ?) kill people; unqualified admins won't.

    Which seems to be a somewhat relevant matter.

    --
    The Cloud - because you don't care if your apps and data are up in the air.
  24. Re:Ignore it? by tomhudson · · Score: 4, Insightful
    There's no "brute forcing" going on. Look at the numbers.

    1 million per year over 50 sites == 20,000 per year per site, or 54 per day per site. Change the passwords every few months (and use different ones for each site).

    Further - 1,200 different remote hosts means what, 17 attempts per remote host per site per year. Probably randomly p0wned PCs that hit addresses at random, make a few attempts using default or ocmmon passwords, then move on.

  25. Re:Exactly by mjschultz · · Score: 2, Interesting

    But a million cars haven't driven past. Only ~1200 --- in the past year. This is no big deal. Hell, I start thinking something is wrong when I DON'T see many failed SSH attempts in the daily log reports.

  26. hashlimit by suso · · Score: 4, Informative

    You can also use the hashlimit module for iptables. I find it works pretty well for allowing people in who need to access and block things like the ssh worm that was causing ssh to run out of resources.

    You might check out the end of this presentation that I made 4 years ago.

    http://www.bloomingtonlinux.org/wiki/15th_meeting

    I've been using hashlimit successfully for years in a web hosting environment.

    I'd also recommend hiring someone who focuses their efforts on managing the servers and taking care of network security. This job is usually referred to as a system administrator or network administrator. DOH!

    1. Re:hashlimit by JWSmythe · · Score: 2, Insightful

      I'd also recommend hiring someone who focuses their efforts on managing the servers and taking care of network security. This job is usually referred to as a system administrator or network administrator.

          That's probably the most relevant thing I've seen. I'm amazed at how many places don't want or have people with a clue working on their equipment. TFA said they have *NO* sys/net admin, and the guy who attends to those task is a "n00b".

          There's more than one way to address this (which plenty of us have mentioned), but the important part is to have someone on staff who actually knows what they're doing.

          I had someone ask me the same thing a while back. It wasn't tallied over a year, but it was something like 10,000 connections from China to SSH on port 22 in an hour. They were all unsuccessful. I gave a few options. Move SSH. Bring up proper iptables rules (or ANY iptables rules). Put a firewall out front. Set rules in the router to prevent it. Their final decision was .... [drum roll] ... "well, as long as they were unsuccessful, it doesn't matter." That from a group who had a few machines compromised in the past for various reasons.

          Sometimes it doesn't matter if you've given them the best, or even reasonable answers, they'll only hear what they want to.

      --
      Serious? Seriousness is well above my pay grade.
    2. Re:hashlimit by turbidostato · · Score: 2, Insightful

      "I'd also recommend hiring someone who focuses their efforts on managing the servers and taking care of network security. This job is usually referred to as a system administrator or network administrator. DOH!"

      Quite to the point. There's a rising trend on questions like "I'm having problems about X but I prefer being cheap on coping with X, what should I do?". And then there's the rising trend on answering something else than "if you depend on X you'll need to invest on X".

      And now, about the problem at hand: your (his) logs attest thousands of *failed* connection attempts through ssh. In the end... so what? Failed attempts are neither worrying nor in your hand to be avoided (changing your ssh port is the most cost effective remediation measure to maintain bots at a distance). Bellovin already stated quite some years ago (not his exact words, but their meaning): do not monitor on the outer side of your firewall if you are not in the position of avoiding the attacks; all you get will be headaches and a ton of meaningless logs to parse (and probably losing important information among the noise). The verily reason for your firewall to be there is already to maintain the attacks as failed attempts anyway. Do monitor from the inner side. In this case, monitor successful logins, not failed ones.

  27. Re:whatcouldposiblygowrong by Toonol · · Score: 2, Insightful

    In fairness, surgery is WAY MORE FUCKING IMPORTANT than server management.

    People without perspective are a menace.

  28. Re:whatcouldposiblygowrong by node+3 · · Score: 2, Insightful

    Practically speaking, it really isn't different.

    The surgeon who kills someone might, if the victim's family is very lucky, be assessed damages of a couple million. An idiot with a cracked server farm can easily cause that much damage on the net.

    WTF? In one case, a web server has been vandalized. In the other, a person is dead.

  29. Re:whatcouldposiblygowrong by node+3 · · Score: 4, Funny

    Society places economic value on everything, and the amount of damage a cracked server farm can potentially do far outstrips the economic value of a human life.

    You forgot to start that sentence with, "you might be a psychopath if..."

  30. Re:whatcouldposiblygowrong by node+3 · · Score: 2, Insightful

    I'm sorry you're too psychologically immature to recognize economic reality, but that's really not my problem, and hardly makes me a psychopath.

    It's not a sign of being "psychologically mature" to hold the notion that human life is a fungible commodity.

    A poor person in the slums of Bangalore is economically worth more dead (for his organs) than alive. You state that society places an economic value on everything, including people. Yet for some reason, society has outlawed murder, even if the result is a net monetary profit for society.

    Your complete failure to comprehend that a human life is worth more than its economic value to society is why I called you a psychopath.

  31. Re:Change ports by Abcd1234 · · Score: 2, Interesting

    I actually go one step further: after IPv6-enabling my site, I only allow v6 ssh inbound. Since Teredo makes it possible to get v6 from nearly anywhere, it doesn't cause any inconvenience, and ssh attacks have basically vanished. 'course, it won't last forever, but it works great right now.

  32. proactive blocking by bugi · · Score: 3, Informative

    In addition to using reactive tools like fail2ban and denyhost, also block most of the world proactively:

    git clone git://github.com/bugi/iptables-by-country.git

  33. Re:whatcouldposiblygowrong by jim_v2000 · · Score: 2, Insightful

    It's fucking computer. He can learn how to secure it. There's no reason to hire someone else to do something that he can do himself, especially when it's something that he needs to know how to do.

    --
    Don't take life so seriously. No one makes it out alive.
  34. SSH Key by rawg · · Score: 2, Informative

    Instead of generating passwords, have your users supply their SSH key and turn off passwords. Much better solution.

    --
    The above is not worth reading.
  35. Lock it down. by BlackHawk-666 · · Score: 2, Insightful

    I can't believe the person who set the server up left this port open to the world. If you want the server secure then you will close all the ports that are not actually needed - in your case this likely means you keep 80 and 443 open.

    For remote management make get a few IPs for the desktops that are meant to connect to it and make sure the ISP opens SSH port only to the IPs.

    You can tunnel X over SSH and do file management, whatever you need so it should be enough.

    Don't bother changing it to some random port, security through obscurity is total bullshit in this age of port scanners.

    --
    All those moments will be lost in time, like tears in rain.
  36. good against 1 attacking host -- not large botnets by beh · · Score: 2, Insightful

    I am using fail2ban, but I do not think it's a particularly great tool when you see how many different IP addresses the attacks come from, so you're somewhere stuck in the middle trying to optimise how to make fail2ban more effective, while not being a problem for your own users:

    - you configure blocking from 1 login attempt and a long block time cuts down on most of the outside attacks, but if some legitimate user mistypes his password, he'll be locked out for that same long block time...
    - you configure several wrong password attempts and/or shorter blocking times - then the attacks do not get slowed quite as much, but it hinders your users less.

    There are some things you might consider, though -

      - if you can, and your users always access the system from their own computers/laptops, force the use of public-key authentication and disable use of password logins; then outside access attempts via password cannot succeed.
      - if you can't do this, at least force root to use public key (and/or su/sudo from another login. (sshd_config either
              'PermitRootLogin without-password' (to allow root access through authorized_keys, but not through password, or
              'PermitRootLogin no' to block root access via ssh-login altogether.

      - if there are only specific accounts you might want to allow access to, look into pam_require, then limit to those users in pam's ssh
          config: 'account required pam_require.so @ssh-users myaccount' (allows user 'myaccount' and all users in group 'ssh-users'
          to log in via ssh - everyone else will be kicked out, even with a valid password).

      - keep an eye on the log to see whether it's actual users that get hit, or whether you see access attempts to non-existent users
          (many of the attacks are basically dictionary based). If you find one of the valid accounts gets hit too much, consider renaming that
          user account.

  37. Re:good against 1 attacking host -- not large botn by badran · · Score: 2, Informative

    - you configure several wrong password attempts and/or shorter blocking times - then the attacks do not get slowed quite as much, but it hinders your users less.

    There are some things you might consider, though -

    3 fails / 10 min != 10 fails/ 1 sec