Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Optimum Attack Rate For SSH Bruteforce? Once Every Ten Seconds

Posted by Unknown on from the and-that's-why-you-use-denyhosts dept.

badger.foo writes "Remember the glacially slow Hail Mary Cloud SSH bruteforcers? They're doing speedup tweaks and are preparing a comeback, some preliminary data reported by Peter Hansteen appear to indicate. The optimum rate of connections seems to be 1 per ten seconds, smack in the middle of the 'probably human' interval."

17 of 167 comments (clear)

  1. Passwords are for philistines by halber_mensch · · Score: 5, Informative

    RSA keypair auth, disable password auth, bruteforcers irrelevant.

    --
    perl -e "eval pack(q{H*},join q{},qw{70 72696e74207061636b28717b482a7d2c717b343 637323635363534323533343430617d293b})"
    1. Re:Passwords are for philistines by the+eric+conspiracy · · Score: 4, Interesting

      Anyone see these guys on a port other than 22?

    2. Re:Passwords are for philistines by 0racle · · Score: 4, Insightful

      If you have a trojan keylogger, you probably don't have to worry about SSH bruteforcing.

      --
      "I use a Mac because I'm just better than you are."
    3. Re:Passwords are for philistines by drosboro · · Score: 4, Informative

      Good point. My standard setup is to move SSHD to a non-standard port, and to turn off PasswordAuthentication completely in favour of RSA key-pairs.

      Just checking my SSHD logs, it looks like I've had exactly one rejected attempt on a busy public-facing web server (which may in fact have been me, connecting from a machine that I hadn't set up a key for) in the past month... so in my experience, no, they're not trying too hard off of port 22.

    4. Re:Passwords are for philistines by nine-times · · Score: 4, Insightful

      Once someone has your key, it's no more secure than your password.

      Whether the token is something you know, something you are, or something you have, it *all* becomes useless once someone else has it. That's not really the issue here. The issue is brute-force attacks on SSH, and using a key makes them significantly more difficult than passwords.

      Stealing someone's key/password is not a brute-force attack.

    5. Re:Passwords are for philistines by JWSmythe · · Score: 4, Informative

            I double that up. sshd to a nonstandard port, and firewall rules to only allow access in from very specific IPs and networks.

          You really shouldn't be able to ssh in from just anywhere. Even if that means throwing a copy of OpenVPN up at a static location, to ssh to the second.

          I can get to most of my stuff directly from home. At a hotel, airport, or coffee shop, I am on a hostile network, and shouldn't even be able to see that the port is open.

          But, most people scanning for machines with SSH on them to hit are blindly scanning port 22. It's people interested in your specific network will scan every port on every machine. Someone determined to hit your machine specifically will try every trick they can, and having SSH on port 2222, 9222, or 64222 won't help, if you have a weak password or an exploitable version.

      --
      Serious? Seriousness is well above my pay grade.
    6. Re:Passwords are for philistines by multimediavt · · Score: 4, Interesting

      I made it just a different port on my router at home; still points to port 22 on the internal address forward. That way I can just turn sshd on (after configuring max tries to '3') and not worry about port fiddling on the machine. Works. Haven't seen many attempts at it since I did that years ago.

    7. Re:Passwords are for philistines by Brucelet · · Score: 4, Funny

      It is if I break into your house and brute-force you to hand it over

    8. Re:Passwords are for philistines by nine-times · · Score: 4, Insightful

      That's nice in theory and all, but it depends on what that "something you are" is. Essentially we're talking about biometrics, so what are we measuring? Is it a thumbprint scan? Those have been defeated in the past by taking a thumbprint and replicating it by some means. Is it a DNA scan? Then they might just need to get ahold of your DNA.

      Really, the "something you are" is still "something you have", but you "have" it attached to your body. That doesn't necessarily mean it can't be stolen or replicated somehow. Similarly, the "something you know" can also be considered to be "something you have", but you "have" it in your mind. In some circumstances, it can still be figured out or retrieved, or you might be tricked into providing it.

      Real security isn't quite as simple as you make it sound.

  2. Key AND Password by XanC · · Score: 4, Interesting

    So what I've never understood is why it's not possible (as far as I know) for a server to require BOTH a key AND a password. Sure, I can put a password on my key, but that isn't the same at all. Is this possible yet?

  3. Or never... by damn_registrars · · Score: 4, Informative

    Most of the bruteforce attacks I see on my home server are trying to get in as root. I don't allow remote root logins anyways (and even say so on the ssh greeting) so they'll never get in, even if they do manage to guess the password.

    Hence their most optimal rate for my system would be never, because they won't get in that way. Not that my system is impenetrable - I'm sure an intelligent hacker could compromise it - but they will never get in trying to ssh in as root.

    If they're doing white pages username + dictionary password - or white pages username + blank password (I've seen both, from botnet attacks), they still won't get in on my system as none of the common user names are used there.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  4. I have a portknocking setup by ledow · · Score: 5, Interesting

    I have a portknocking setup. All your packets bounce when you touch my port 22 until you have touched a "magic sequence" of port numbers first. That sequence can be cryptographically strong, time-dependent, etc. but even a simple one-port knock is enough to stop all this random SSH spam and has been for years.

    And if you do "get lucky" and find the right ports and then detect that port 22 is open and then start a brute-force on that? Public-key-only authentication and no root logins allowed.

    Impact on me? Another line in a shell script that I use to connect (and hell, even Android has free port-knocking apps, not to mention them being standard-enough to be in Ubuntu/Debian). Impact on server? Greatly reduced number of fake connections bouncing off iptables and a tiny little daemon that does nothing but listen on the ports I need (and can ONLY open the SSH port even if compromised). Impact on brute-forcers? They might as well give up and go home.

    Even those remote companies that we do allow to port-forward direct to their device on my work network (e.g. telecoms providers, etc.) understand it and "knock" before they come in (which tells us exactly when they are about to log in), while everyone else in the world sees closed ports.

    Why everyone doesn't use it, I have no idea. Even our VPN users have an automated script that just knocks to open the VPN ports (and only the VPN ports) before they connect. Transparent to them, invisible to everyone else, no different if "compromised".

  5. Re:Details? by ledow · · Score: 4, Informative

    knockd on Linux. Apt-get should find it for you. It will execute a specified shell script when it receives a specified knock (default one is specified). That shell script can be passed the IP that knocked (so you can include it in an iptables opening within the script).

    There are also implementations for Windows, should you need that.

  6. Denyhosts by Gaygirlie · · Score: 4, Informative

    I personally use Denyhosts on my Linux server; it is a simple application that keeps an eye on SSH log and blocks access to SSH and any other services you have configured when the limit threshold is reached. You can also configure whether to keep those IP-addresses blocked forever, or for a specified time. Plenty useful. And the attack described here wouldn't work with Denyhosts.

    Since I don't use my server for any actual business-use I have just configured Denyhosts to flat-out block access to any and all services altogether when the limit threshold is reached, and I've configured it to retain the block lists forever. These days I've got several thousand IP-addresses there and I rarely see anything malicious in my logs anymore.

    Of course, denying root login altogether and using either SSH-keys or proper, long passwords is still essential.

  7. Re:Funny, I was tweakin' my firewall this morning by Culture20 · · Score: 4, Insightful

    That's only useful if there's one attacker IP. TFA is talking about a botnet doing the attacking. Hundreds, if not thousands of IPs per minute. The only way to "protect" against that with iptables is to have iptables block all incoming on port 22 from any address. But then you're left with a DDoS where your ssh port is down nearly all the time. Same deal with locking accounts; if hundreds of attempts occur per minute, a lot of accounts can be locked out as a DDoS, intentionally or not.

  8. Re:WTF, Editors? by Samantha+Wright · · Score: 4, Informative

    It's the name of a botnet. Assume any unfamiliar word in any Slashdot summary is the name of a botnet; it makes them eminently more readable. You can try out the technique on this one.

    --
    Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
  9. Re:Seems Easy To Detect by TheRaven64 · · Score: 4, Insightful

    The problem is that botnets have a lot of IP addresses. They can do one try from one machine then another from the next. If you disable the account entirely after a certain number of failed logins, you've just created a simple DoS attack. If you disable it just from that IP, it doesn't matter because it will just try from another. There are some realtime block lists that you can use to reject things, but these add another attack route that can let someone who can spoof DNS prevent you from logging in to your own machine...

    --
    I am TheRaven on Soylent News