Slashdot Mirror
SSH Password Gropers Are Now Trying High Ports
badger.foo writes "You thought you had successfully avoided the tiresome password guessing bots groping at your SSH service by moving the service to a non-standard port? It seems security by obscurity has lost the game once more. We're now seeing ssh bruteforce attempts hitting other ports too, Peter Hansteen writes in his latest column." For others keeping track, have you seen many such attempts?
It's still just going after low-hanging fruit. Anyone weth any real awareness of security does now allow password-only SSH connections anyway. Key based auth and fail2ban is pretty much required these days. You can always add some port knocking to obscure it a bit if you don't like reading about failed access attempts.
.. is rarely the way to go, however port knocking would go a long way in terms of thwarting brute force guessing.
Most of the intrusion attempts on my machine are from APNIC. Is there a good way to block any attempt originating in Asia?
Just lock them out after a certain number of wrong passwords.
Sheesh, it ain't rocket surgery.
I ran SSH over port 8080 and for the first month I got mostly HTTP activity but not long after that I got a lot of SSH attacks in my auth.log
The best thing you can do is disable password based authentication altogether and use certificate based authentication.
Jesus fucking christ, who care? Just use fail2ban or similar.
This is like complaining about spam when you have a perfectly operational bayesian classifier at your disposal.
"You thought you had successfully avoided the tiresome password guessing bots groping at your SSH service by moving the service to a non-standard port?"
No, because that's crappy "security".
Denyhosts/fail2ban is a much better solution.
You're being naive and just waiting for a disaster to happen if all you rely on is changing the default port. I, myself, use this application called Denyhosts that bans the IP-addresses that try brute-forcing passwords, and I've set it up to just ban access to any services, not only SSH, after 5 failed attempts. These days I've got thousands of IP-addresses on my hosts.deny - file and it just keeps on growing. That said, use Denyhosts or something similar if you need password authentication or just disable password auth altogether.
I've blackhole'd all ports I'm not actually using, so the machines don't respond at all. I've setup port-knocking to open the port I actually use for SSH, and my SSH key is passphrase protected. Passphrase not password.
I've never even seen anything that wasn't me attempting to log in in my sshd and system logs. Root login disabled, and pubkey authentication is the only enabled method... so even if they did figure out my port knocking sequence they could literally spend infinity time trying to figure out my non-root non-existent password.
Also, wtf password groper? This used to be a news for nerds site, not a news for computer molesters site...
Typically server hosting with ipv6 will assign a /64 range to each box. Assign your ssh port to a randomly generated address somewhere i the range (2**64 addresses) and port scanning will never find it.
If using a higher, or non-standard, port number only give you a 2 character increase in password security, then why not just use a longer password?
We use a non-standard port, a non-standard user name, and a 16 character password. Normally we just connect via ssh key, but some applications we use require a username/password rather than using a key.
Are we safe? Yes. Are we completely safe, no matter what, totally and forever? Nope ... nothing is. You just have to be vigilant reasonable.
If you monitor your logs unless they guess correctly first time, you will see their failed attempts first.
We are preventing this sort of attack on our Linux servers utilizing ConfigServer Firewall and a standard SSH port only we know. It's unlikely somebody is going to find our new SSH port before they are blocked for port scanning by CSF. There are other options then CSF such as cPanel Hulk, but we also like the other options CSF offers such as being able to use a distributed list of IP's to block which allows for a distributed firewall amongst all of our servers. http://configserver.com/cp/csf.html
fail2ban. done.
It seems security by obscurity has lost the game once more.
How, exactly?
By ensuring the vast majority of brute force attacks - which hit port 22 - fail?
Security isn't fucking binary, and obscurity is a perfectly valid layer of the onion.
We're running a network of 80+ servers around the world (https://wonderproxy.com).
We've moved in stages getting things off standard ports.
Whole network standard - several hundred attempts per day
a few standard, rest on non-standard ports - tens of attacks per day
all non-standard ports - 0-5 attacks per day.
It's been worth doing just for the reduced reporting volume in our status systems.
paul reinheimer
I leave SSH on a standard port, but enforce complex passwords and put rules in place which greatly slows down guesses. An attacker can only try logging in a few times a minute. It's going to take them a long time to guess usernames and complex passwords at that rate.
Like someone allready said, it's not really for security but for convenience. I used to run sshd on port 22 but got tired, and slightly unconfortable, of all the login attempts I got. Moving to a non standard port has worked great for me for at least 7 years now.
I only allow a few specified users to log in and only with keys, not passwords, so the chances of someone actually gaining access by guessing a password are pretty slim. But it was still annoying.
Excellent advice.
I thought all the cool kids put machines behind firewalls then SSH after connecting to the VPN.
Having to work for a living is the root of all evil.
Paging Captain Romero - of course you will get traffic on high ports - there's only so many available to try. Moving your ports around just delays the inevitable and culls out the lazy.
I want to delete my account but Slashdot doesn't allow it.
You lock up an account after a few password failures.
Which opens up a denial of service opportunity for anyone who can guess the primary administrators' usernames: the botnet could log in with an incorrect password several times to lock out the legit user. Cue a truck roll to reset the lockout.
Don't most people use attempt limits now? Limit an IP to 10 attempts before an IP address ban and lock the account in question.
I have my ssh port blocked with iptables. I have a script that reads email once a minute. If I type the write stuff in the email and the email comes from me (my email provider does good with emails claiming to come from me and acctually comming from someplace else I tested it they go to junk) it unblocks port 22 for the ip address I specify in the email. I use fetchmail to download new emails I use the standard "mail" program to pick off the first email and I parse the email for all the commands I type in. I check in on it from time to time and have never seen anyone attempting to even send emails that will open ports. I originally went one step further using pgp on both sides(encrypting then decrypting) but sending from my phone got to hard with pgp.
If you can connect and directly log in to root, I think you are an idiot. Regardless of the password.
Denyhosts/fail2ban is a much better solution.
Not if the brute force attempts are distributed across thousands of different /24s, or if a botnet member is behind the same carrier-grade NAT as your machine.
Then only allow the IPs you want to connect.
So how do you predict the IP address of the machines from which you will be connecting in advance? If you expose a web interface to edit the list of allowed IP addresses so that you can connect from an additional IP address, all you've done is added the length of that web interface's password to your SSH password.
An attacker can only try logging in a few times a minute.
How does your system determine which IP addresses belong to a particular attacker's botnet?
Don't most people use attempt limits now?
See replies to macbeth66's post asking the same question.
That I call land mines. I place them in a file that opens on these ports so a hacker who downloads one and opens it is screwed it is not a virus so virus detectors wont stop it running. and slow dasteredly things are my fav.
What's the practical difference between being able to log in to root and being able to log in to a member of the sudoers group?
if you do not detect failed login attempts, and ban or block IP's temporarily... sure they could proxy up, but you could also then detect that trend for a given user account. why is brute forcing passwords still a viable infiltration method? that's the real question.
I have a couple of internet-facing VPS servers that I use, and I do ssh into them on a regular basis. But after a weak password let someone in, I re-installed and switched to requiring ssh keys. I also turned on simple rate limiting for ssh (I keep mine on port 22) connection attempts. I still allow password ssh logins, but only for connections originating within my VPN.
I haven't had very many problems with brute force attacks since. I'm still vulnerable to any ssh key-handling vulnerabilities that may come along, but I feel more secure than I was before.
People, who configured their ssh to listen to a non standard port, are aware of a problem and probably at least a bit more knowledgeable than the average user. So I'd expect better passwords and maybe other means of protection. Does it really pay to try higher ports in comparison to the higher effort?
I'll probably have to go learn about key-based security. But meanwhile, I'm really happy with sshguard. It defends against brute force attacks by monitoring logs and aplying increasingly (exponentially) tougher time-outs as attacks from IP addresses continue. It's reduced my log from 100s of entries per day to about 15. http://www.rferl.org/content/world-press-photo-winners/24903576.html
They've got it in FreeBSD ports, which makes it easy to install into an existing firewall.
If this were Usenet, I'd killfile the lot of you.
thanks for the compliment lol! #no public ssh :P
iptables -A INPUT -p tcp -i $INTERNET --dport 22 -j DROP
PLUS I still use ssh keys, just in case.
My fingers thank me because I no longer have to type the same thing all over again all day.
My brain thanks me because I am no longer trying to remember a long password anymore (dont remember how long has it been since I no longer used passwords on public ports).
YES, this is a lazy passphrase free key, so what! I am a cool kid and I can do what I want to haha
Why doesn't somebody invent a tarpitting method, where you write something that'll listen on thousands of ports, completes a fake ssh handshake (slowly), rejects all authentication attempts, logs gropers to fail2ban; but then have your real SSH daemon on a higher port, using certificates only? For you, no problems; for them, like searching futilely for a needle in a haystack...
Wastes the gropers' time, and burns their bots. Get enough people doing this, and it might send a message to the idiots doing it.
You see, I don't use SSH, I use plain old telnet. That's right! These kiddies never heard of it!
And if they actually get in, I have a few gigabytes of stories growing up that they have to read. Like the time I was growing up in Idaho. We wore onions on our belts because that was the style back then, Benny Goodman was all the rage and I'd take my best girl - Betsy - to the church dance ... we were all Presbeterian in that town and with one church, new people would just go there - even the Jews because there wasn't a Synagogue - but that's another story and I won't bore you with that because I can be a bit long winded at my age - so anyway my best girl got her new dress and we over to the next town to Jo's soda shop - he had the BEST malts in the entire area - and the whipped cream was made fresh from a local dairy farm - farmer brown's was his name - he served in WWI as an infrantry man in France and boy the stories he told about those French girls - like the one he met, Jaquoline I think or it was Juliette - she had dark hair and hazle eyes and her father was a banker for a German who had a home in France before the war - of course when the war started the Germen businessman had to run home and he ended fighting himself, even though his father pulled some mighty strings to get him out of the German army ...ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
I have my SSH server listening on the standard port. I used to use tunneled passwords as the auth mechanism, but my auth.log was getting very cluttered (even after installing denyhosts and fail2ban). Most of the attacks aren't coming from script kiddies, but from other infected systems at the hands of "bigger" organizations.
I now run on the standard port, with denyhosts and fail2ban, using a 2048bit RSA key that resides only on my laptop, they key also requires a password. You should always make sure you have your sshd_config setup to disallow password auth, and root login.
In summary: /etc/ssh/sshd_config
Changes to
Denyhosts
Fail2ban
RSA key only auth
Key requires password
If you want to end almost any possibility of brute force, load this with iptables:
Those three lines will slow the amount of connections by the same ipaddress to sshd. When the attacker reaches 4 hit counts it will be blocked for 60 seconds before resetting. If the attacker keeps attacking before the 60 seconds are up it will reset the the time limit to another 60 seconds. Have been using it for years and it is extremely effective. Even a botnet attack (which is unlikely) would be futile because there just aren't enough attempts.
Seriously, this type of thing should be built directly into ssh. If not this sophisticated, then at least it should include attempt and restart delays which would not be as effective but beat the hell out of the default behavior.
From the summary: "It seems security by obscurity has lost the game once more."
I've got news for you. Most security IS security by obscurity. Think about it. If the attacker knew your password, account, IP address, certificates, keys, and combinations you would have no security.
Place nail here >+
Upon 10 failed attempts on a given account, drop them to a fake shell prompt and log them. Put the longest or most entertaining logs up on a public web page for mockery.
Fixed
Like others have said, moving sshd to a high port was never meant to be additional security, just annoyance-reduction to reduce the sheer load in terms of bandwidth and log space. I did that for a while, but then (well over a decade ago) I saw an article about port knocking which is where you (i.e. the sshd) don't answer until the system receives a secret sequence of connection attempts at various ports... i.e. a secret "knock". The secret knock is a kind of password, and can be sent by executing a specialized client, or if you are somewhere where you don't have one available, by manually making telnet attempts, i.e. "telnet 16111; telnet 28123; telnet 22222".
The knock is basically a password for OSI network layer connections. This not only reduces the annoyance level of unsophisticated phishing attacks, but basically eliminates them altogether with a layer of real security. That security is not very strong... in a targeted attack, anyone who can monitor your link layer anywhere along a connection you make can see your secret knock... but it's an easy add-on and better than just playing tag with script-kiddies by moving ssh protocol to a high port.
It's full of alien conspiracy files, celebrity photos, and random internet rants.
So far, nobody has managed to do any obvious harm.
I've secured networks and systems for almost a decade now using both good security engineering and tons of non-standard techniques. Relying only on nonstandard is security by obscurity. Using high quality, although obscure, alternative components for obfuscation has proven value in reducing risk.
Here's an easy one for you guys I won't charge you a consulting fee for: put the critical service on a non-x86 processor, but remove references to the actual ISA. The attackers might get one successful code or malware injection after another, but no execution. I've never seen one figure out why and progress further.
Nick P
schneier.com
I always have my home server available on a fixed IP
Not everybody has the luxury of 1. a home server and 2. an ISP TOS that allows a home server. And even in your case, all you've done is added the length of your home server's password to your SSH password.
I'm not sure where your Web access brainstorm comes from but it has no place in a security strategy of default deny. Default deny is very very simple. Either you are a trusted IP or you aren't.
The web access part is the interface to specify which IPs are trusted IPs at the moment and which aren't.
All you've done by adding a VPN is added the length of the VPN's password to your SSH password.
For some reason, geeks seem to think there is magic, perfect, computer security. "Just do THIS and your servers are secure, nobody can ever break in!" Those of us who've dealt with physical security understand there's NO SUCH THING. Good security is a layered approach. You never rely on one thing for security, you have layers so that when, not if, a layer fails you aren't automatically fucked, the other layers hopefully catch it.
While moving SSH to another port may not be a real big security improvement, security improvement don't have to be big to be useful, particularly if the cost is low, and in this case the cost is zero.
Also here's some news: It is 2013 and just now the bots seem to be adapting. That means that it was pretty effective. Seems to me SSH has been in use for, oh, getting close to 18 years now. That's not a bad amount of time for something to stop the bots.
The sooner geek admins start to understand that there is NO perfect security, ever, the sooner we'll start to have better computer security.
For others keeping track, have you seen many such attempts?
Yes. Yes I have. And then fail2ban blocked them. My fail2ban keeps a list. This list is reapplied at startup, so blocked hosts persists across restart.
RFC1700 (http://www.ietf.org/rfc/rfc1700.txt) was put in place for a reason. Stop using ports for purposes that do not belong to them. You're the reason I have kiddies port scanning me every day. If you don't want people logging into your public SSH server, then switch to key authentication and use a whitelist.
I'm seeing the old X-FORWARD-FOR 127.0.0.1 attacks come back too.
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
All security is by obscurity. As in "you don't know my password."
tone
I use fail2ban and have a few ssh servers on high ports. It is easy to search logs for the last week - zero attempts across those 5 servers.
When ssh was on port 22, I saw over 1,000 attempts daily.
Seems that moving to high ports really does pretty much solve the problem, but I will not
* be removing fail2ban
* allowing password logins
* allowing remote root logins
No way.
While of course bot masters pay essentially nothing for their CPU power, someone has to buy the systems that become zombies for the botnets. As those systems get faster, the things that a botnet master can do expands. For what it's worth I haven't seen an ssh-based attempt on my system in over a month - and the most recent one was only a few hundred attempts from one IP address that maps to Missouri - but I have seen distributed attempts on my system in the past that have made thousands of attempts at the root password (futile when root is disabled, which they would know if they read the ssh greeting) as well as distributed whitepages attacks going for common user names with easy/non-existent passwords.
If ISPs would actually start to take action against the users whose systems make up the botnets, we would see this activity reduced. However it is more profitable for the ISPs to not do so.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
Is the majority still coming from China? I had recently been tired of being forced to move my sshd ports. So I setup fail2ban, pam_tally2, and remote syslogging with php-syslog as a web interface... This will 1. ban too many bad attempts. -- fail2ban 2. prevent bad user passwords from actually letting the user in after 3 failed attempts -- pam_tally2 3. inform me about it -- remote syslogging+php-syslog I find that 80% of the attempts are from China. So I am about to flip the switch and simply ban all of china (http://www.okean.com/thegoods.html)
Just use ssh-keygen and setup the key pair.
iptables can be fantastically complex and powerful to protect enterprise networks from all manner of attack. It is also fast and easy to do a simple, basic, strong setup which will provide a powerful firewall to secure a server.
Some useful iptables tutorials and references:
1) From CentOS, but iptables runs the same way regardless of OS. This one creates a pretty solid simple iptables ruleset to protect a server.
2) An Ubuntu tutorial, again simple and informative.
3) From the netfilter/iptables project homepage. Good primer on network concepts too.
4) Deeper information, but very useful. Another good discussion of network concepts.
I recommend typing in a simple text file with the iptables commands, the chmod'ing it so that it is executable. Then execute it ("./myrules"). This works for a small, but powerful list of rules that can protect a server. Some of the tutorials talk of rulesets with thousands of lines. There are different, more efficient ways to load those.
Quick overview of iptables:
1) There are three default chains (containers which sets of rules) called INPUT, FORWARD and OUTPUT.
2) Each of these can have a default policy of ACCEPT or DROP. Input should have a default policy of drop. IMPORTANT - while you're first playing with iptables, make sure input has a default policy of Accept ("iptables -P INPUT ACCEPT") or you may well lock yourself out of your machine. Once you've got the rules set up as you'd like (you view the rules with "iptables -L -v"), then you can do "iptables -P INPUT DROP".
3) Always set these three "housekeeping" or basic rules (prefacing with a '#' is a comment):
# For the loopback interface 127.0.0.1, accept everything. Append to input chain.
iptables -A INPUT -i lo -j ACCEPT
# For ICMP packets, accept pings only
iptables -A INPUT -p ICMP --icmp-type echo-request -j ACCEPT
# For established connections, accept everything, using the older state module
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
4) Your input chain, which deals with incoming packets, will have a default policy of drop. Only ports which are then specifically allowed will be open:
# Accept SSH on port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Accept HTTP on port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Accept HTTPS on port 443
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
5) You're not using your box as a router, so your FORWARD chain should not get any activity. I leave the policy as Accept, so if there is any traffic logged here, I know something unusual is going on:
# Otherwise, accept all for FORWARD
iptables -P FORWARD ACCEPT
6) Finally your output chain should just allow everything:
# Accept everything:
iptables -P OUTPUT ACCEPT
7) Check your iptables ruleset with "iptables -L -v". If everything looks good, set your default input policy to drop with "iptables -P INPUT DROP"
And that is a spiffy, powerful way to block all ports but 22 (ssh), 80 (http) and 443 (https) by using iptables.
There's an interesting paper on using IPv6 addresses as cryptographic material for this kind of thing.
ZX2C4
Port 2222 is fairly obvious for the next port to attack. Pick something totally random. That would work for another year or so until they start trying all 65535 ports. Then you'll probably need some "knock knock" protocol to get let in.
now we need to go OSS in diesel cars
And that is a spiffy, powerful way to block all ports but 22 (ssh), 80 (http) and 443 (https) by using iptables.
This isn't solving the problem. Actually, there are two problems. One is that a multi-user machine might have users that use weak passwords the probers can eventually guess. The other is all those probes. Before I used alternate ports, I've seen as many as half a million probes in just one day. Though no attempt ever got in, it flooded my logs. So it is still to be avoided. For now I'm using port 9173 (not really that one, but similarly obscure).
And you are leaving port 22 open. But even if you do close it and use an alternate port, the concept in this article is that the probers are trying other ports, now. As soon as they starts scanning ports for an SSH banner, they will know where to probe. This isn't solving the problem.
Something more sophisticated is needed. A knock-knock protocol, such as sending a UDP datagram to an obscure port that never responds to anything, but acts on a properly encrypted message by opening another TCP port to the sender or coded IP address (only) for SSH access, would be one good way to do this. Another is pre-shared IPsec in tunnel-mode (no response for packets that fail to decrypt because the inner checksum will fail).
now we need to go OSS in diesel cars
1) iptables to block all ports but the ones you allow.
2) fail2ban - 5 tries and they're gone for 30 minutes. Only the most persistent continue. But they get 10 tries an hour.
3) Configure ssh to disable remote root login (in ubuntu, it's in sshd_config - "PermitRootLogin No"). You can still log on as root if you're sitting at the computer and have a console window. Or you can su to root after you login as another user. Just can't ssh in and directly login as root. From what I've seen, this moots over half of the login attempts.
4) And of course, strong passwords.
So, they can try higher ports, or even port 22, all day long with no consequence.
Don't just change the port to something that is an obvious next step. Take 222, 2222, and 22222 off your charts. Pick something that is totally random as your SSH port so that they have to do a port scan in order for them to find the port.
Better yet, as most of the others have already mentioned, use a port knocker.
Starting now, all the operating system distributions should turn off PasswordAuthentication by default. This really is a non-problem.
As for denial-of-service "script kiddie" attacks, SSH already has built-in rate-limiting in the form of the MaxAuthTries, MaxSessions, and MaxStartups, and even LoginGraceTime and, of course, UseDNS=no.
Besides these two easy and readily available fixes that have been in place for years, why are you logging every visit to SSH on your system, anyway? That's just asking for a DoS attack that fills your log directory or the log directory on your designated loghost. That is, unless you're smart enough to keep a bastion host's log directory in its own volume.
Unless, of course, this is the first you've heard of a bastion host.
Kriston
I don't know how to implement this but is it possible to send the attacker something computationally expensive to do with each failed attempt. if it only takes the host microseconds to reject a password but the client has to invest an escalating amount of time on his own machine to find the answer to some puzzle then it quickly becomes a waste of effort for the attacker.
Knowing my site's IP address (findable with some research) doesn't do him any good. He has to spoof the IP address of the location I'm connecting FROM. When I'm on the road and connecting in via ssh, I usually don't know (or care) what IP address I'm connecting from.
Somebody could try to sniff my ISP's traffic and watch for a connection to my ssh port and then attempt to spoof the source IP address for that traffic. They'd more likely step on someone else trying to hack my site, not me.
Cheers,
Dave
They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty.
Ben
I still run SSH on it's standard port with DenyHosts. However, I add a second layer such as two-factor authentication: http://code.google.com/p/google-authenticator/. Even if you do manage to somehow get my password, you still need my one-time pass code. It's not perfect, but I believe it reduces the risk of having a publicly accessible SSH server being compromised.
Portsniffing is nothing new. I just looked briefly but didn't see an option for what I was expecting to exist.
Does SSHD have no option to not respond to a bad credentials?
Seems to me like it should be trivial to implement. Don't acknowledge bad connections. Don't ack anything. Be a blackhole port. Only respond if and when ssh sends correct credentials. Require the initial connection over UDP.
Ssh provides excellent security. This is just about stopping the waste in bandwidth.
True enough. I'd been meaning to make an iptables tutorial post for a while. Perhaps this wasn't the best place for it.
There, I fixed the title for you.
I use both a nonstandard port as well as Denyhosts. My block file only numbers in the hundreds, yours in the many thousands. Why? Because every random scan that hits my system flags my IP as "not likely" and moves on, when it hits your IP you get flagged as "valid target" and then you get hit with focused attacks.
If you're going to pretend to understand security, then at least get the saying right. Yes, it's never a good idea to only use obscurity, but there's rarely any valid reason to NOT use it as part of a layered model.
I'm running my ssh server on port 23¾ now; that ought to keep the muggles out for a while.
I don't care if it's 90,000 hectares. That lake was not my doing.
OK, lets say I want to try a "high port" -- why 2222 other than memorability? What ports are typical corp/govt/hotel/cafe router/firewalls likely to pass? What about the more anal firewalls?
FWIW throttling sshd can be done via MaxStartups in sshd.config .
The below will create a dynamic blacklist. Any IP address that connects more than three times in five hours (pass or fail) will go into a blacklit that will persist until they stop trying for at least a day.
This will recodr your bad actors _and_ it will "expire" in case you invalidate a system by accident (e.g. over-use).
iptables --new-chain SSHTHROTTLE
iptables --append SSHTHROTTLE --match recent --name bad_actors --update --seconds 86400 --jump DROP
iptables --append SSHTHROTTLE --match hashlimit --hashlimit-name ssh_throttle --hashlimit-upto 5/hour --hashlimit-mode srcip --hashlimit-burst 2 --jump ACCEPT
iptables --append SSHTHROTTLE --match recent --name bad_actors --set --jump DROP
iptables --append INPUT --in-interface ext+ --proto tcp --match conntrack --ctstate NEW --dport 22 --syn --jump SSHTHROTTLE
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
This phenomenon and all the proposed solutions (tarpitting, port knocking, fail2ban, rate limiting) are old news. This whole headline is old news. I've seen coordinated distributed robo-worm port scans and brute force attacks on every service of every port of my servers since ages ago. Fail2ban ultimately does nothing since the source IPs switch every few seconds to a random country. All it ever did was eventually lock myself out for 20 minutes when I typo'd a password.
The only real solution (which we can't implement) is to shut down the bot nets and disconnect infected hosts.
iptables --new-chain SSHTHROTTLE
iptables --append SSHTHROTTLE --match recent --name bad_actors --update --seconds 86400 --jump DROP
iptables --append SSHTHROTTLE --match hashlimit --hashlimit-name ssh_throttle --hashlimit-upto 5/hour --hashlimit-mode srcip --hashlimit-burst 2 --jump ACCEPT
iptables --append SSHTHROTTLE --match recent --name bad_actors --set --jump DROP
iptables --append INPUT --in-interface ext+ --proto tcp --match conntrack --ctstate NEW --dport 22 --syn --jump SSHTHROTTLE
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
It seems like everyone is in agreement that moving sshd to a non-standard port is stupid and a waste of time.
I disagree. It is of course not a matter of just changing the port and then be done with it. In addition to all the other security measures (fail2ban, iptables-woodo, key-based auth, etc) moving your sshd (or any service) to a non standard port is both an advisable and mildly effective security enhancing activity.
It might be that some bots are taking the time to scan the entire port space, but the number probes that bother to try your high hanging ports are negligible compared to the never ending avalanche of zombies that tries to squeeze through port 22 (or any other standard port for any other popular service for that matter.)
There is also the matter of bugs in the software. Though sshd is one of the most vetted, and hardened pieces of code out there it only takes one bug to cause a disaster (which has happened before). Attacks never get worse, they only get better! In the case of a 0-day in sshd that allows for arbitrary code execution I sure as hell don't want to be amongst the masses running on port 22.
In conclusion: If your only security measure is to move your services to non-standard ports, you might as well not bother. But your security level is a shade of gray, and using non-standard ports moves the slider a tad in the right direction.
When in danger, whewn in doubt! Run in circles, scream and shout!
I use the below. It has several benefits. It creates a blacklist of sorts of only the bad actors, which can be shared with other rule groups. It only does the test once instead of in separate rules for reject and log etc. I don't boter logging when I can check the bad actors table directly, but any fun things can happen after the ACCEPT (or RETURN) as long as you make sure you reach the pivotal --set operation.
Most importantly this lets 5 attempts per hour from any given IP address and if they have to go away for a day (obviously ajustable) before they can try again. This means you can get deep resistance (60 seconds is too short to truely deter some probes) but if you accidentlaly invalidate a host via over-use you just have to wait a day for things to be good again.
Good for use with ControlMaster option if you frequently have to connect to that host from a particular source. I also allow two password attempts only per connection.
Note that you can replace ACCEPT with RETURN if you want to run other tests after this before accepting the packet.
iptables --new-chain SSHTHROTTLE
iptables --append SSHTHROTTLE --match recent --name bad_actors --update --seconds 86400 --jump DROP
iptables --append SSHTHROTTLE --match hashlimit --hashlimit-name ssh_throttle --hashlimit-upto 5/hour --hashlimit-mode srcip --hashlimit-burst 2 --jump ACCEPT
iptables --append SSHTHROTTLE --match recent --name bad_actors --set --jump DROP
iptables --append INPUT --in-interface ext+ --proto tcp --match conntrack --ctstate NEW --dport 22 --syn --jump SSHTHROTTLE
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
Just put sshd on a port of your choosing and light it up with a secret knock, disconnect and its back to a brick wall, no port reponses.
H.
Standard ports are reflected back at the originating IP so the botnet hacks itself.
OK, I've run the same ssh server allowing password auth from the internet for about 14 years now. I see the attempts, I was even a bit worried when the brute forces started around 2003-4. I've never once had a successful login. My passwords are slightly complex, but nothing to write home about. Every one of these attempts (ok, 99.99999999998% of these attempts) are trying super complex things like root:root toor:root root:god root:admin games:games, etc. They aren't even particularly persistant. They are looking for the super low-hanging fruit. Unless you are the super low-hanging fruit, what ar you worried about? I'm more concerned about a weakness in RSA or DSA than these morons.
Who would EVER guess that someone is using that for their ssh daemon after failing to connect on port 22?
I am very small, utmostly microscopic.
Well, I only handle 2 servers at work, both behind a router that only opens necessary ports. Also, using denyhosts to ban any IP for 2 months that tries getting in more than 5 times. Port 22 tries result in dozens of new daily bans, the other on a high port makes 1-2 monthly. Also, from time to time, I browse the logs manually as well. No - known - breakins in the last 3 years.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
Before anyone else comes in again with "security through obscurity doesn't work", running ssh on a non-standard port certainly isn't.
There's plenty of people out there who are scanning port 22 to find SSH instances. You can bet there's databases out there of IP addresses which responded with ssh and their ssh ident string that they returned. The second an SSH hole is found, those lists will be the first point of call for an attacker who wants to hit known vulnerable systems before they get patched.
If the people building these databases had to scan all ports to find ssh, they'd be spending a very very long time portscanning the internet.
My solution is to not even expose SSH to the public internet. Instead I run OpenVPN on the server, and only expose SSH access to hosts who have joined the virtual network (which itself requires a client certificate). Even then, SSH access is pubkey/Kerberos only.
Now I get zero ssh gropes, and nobody even tries to get into the VPN. The OpenVPN port doesn't even show up in an out-of-the-box nmap -v -A scan.
You
I was referring not to my own situation but to the situations of others.
don't have the luxury of an always-on box at home, aka a "server"?
Not everybody has the luxury of an unlimited electricity budget to keep a box at home from going to sleep after 30 minutes of lack of input.
Seriously, any old piece of crap system will work and you can use the free dyndns.com service to keep the IP resolvable to static hostname.
But will the SSH server implementing a default deny policy know to check the free dyndns.com service to see which IP addresses are allowed to connect? If so, all you've done is added the length of your dyndns.com account's password to your SSH password. And the last time I used a free service similar to dyndns.com, I got a monthly e-mail asking me to click through and solve a CAPTCHA within the next seven days to keep the name active.
Also, I've never had an ISP block any incoming ports other than port 80 or 25.
Not everybody has the luxury of a home ISP that allows 60,000+ different incoming ports. Some ISPs don't even give home customers a dynamic IPv4 address; all outgoing connections pass through a carrier-grade NAT, and all incoming connections are refused.
For most everybody, individuals and businesses, there is no reason whatsoever to allow Chinese traffic. Ditto Russian, Ukrainian, Brazilian, etc.
If PhilsHobbyShop.com were to block all traffic from BRIC and Ukraine, even ports 443 (HTTPS) and 80 (HTTP), customers in those countries would choose one of Phil's Hobby Shop's competitors. And even if you're referring to blocking SSH and HTTPS administration interfaces and not blocking HTTPS customer interfaces, that still means all the other server technicians need to reconfigure the server every time a technician takes an international vacation (during which he's theoretically always on call for emergencies).
I work alone and if you get locked in that is your own fault. It is not a question of being locked in or out it is the fact that most programmers and IT admin's worldwide are bums.
For the uneducated that is Cult of the Dead Cow; but a group of people who can program in many languages; lock down;, secure and s/send/patches for the good of all.
No system is flawless, but some of the techniques mentioned above can make a system reasonably formidable to potential attackers. Paul Sery created a wonderful PAM module (pluggable authentication module), for out-of-band challenge-response, called pam_obc. Da Beave improved pam_obc and made it available on GitHub (https://github.com/beave/pam_obc). Regarding bandwidth, system resources, etc., it depends on the specific organization's priorities as to what solutions they might implement at each "layer" of the security onion. PAM modules require a negligible amount of system resources, minimal bandwidth, and the challenges can be sent over encrypted channels. I am not saying that pam_obc will make an SSH server impervious to attacks, but for some people it may be part of the solution that they are looking for. Regards
The entire table is available for adding logging and whatnot. The (empty) range from the ACCEPT line to the final DROP in the sub table can also be decorated with logging or whatever else you might want to do with the failed packet, and then you only get one log entry per event instead of attempt. That logging or whatever was not germane to the example mechanic.
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
Yes, I've seen many such attempts.
Non-Standard port, Certificate only, fail2ban and whitelist at Router level.
I use kernel module geoip which not only blocks ssh attempts but any other service you want. (http , ftp .. ) on network level.
It uses a kernel module , a csv with the ip country blocks and ip-tables.
So you can say : I only allow ssh from this country and block all the rest.
It does a remarkable job
My front page on my website is useless anyhow, so I phrases similar to Democracy is great, Free Tibet, and Remember Tiananmen Square to the body of the main website. Amazingly, this worked far better than I imagined, better than adding firewall rules to block all chinese IP addresses. My hack attempts have dropped to 0 over the past several months. It wasn't just SSH either.
Running your own server? ~$10/month for electricity. Internet Connection? Gotta have it anyhow. Having the great firewall of China block all hack attampts on your site? Priceless.
ssh IS my vpn!!!
Those who can, do.
While I do use this at home, I also use it on a number of forward facing servers for business purposes (usually with different thresholds and numbers). I spend very little time at "my desk" so the ability to know that I will always have a computer with a pre-shared key available is quite limited. If I am, say, at a hangar at an airfield and I get an emergency call to check on a host, I can ssh to my own (unprivileged) account and elevate my privileges thereafter. So I, and my very few alternates, can respond from anywhere with no chance of leaking meaningful key material as one might if they tried to match up known/authorized keys (and USB sticks are verboten in many of the places I find myself).
In that usage pattern, if I ended up having to ssh in more than five times in a single hour then things are really not right. (and if I knew that sort of thing was going to happen I _could_ always tweak the rule, but I more often use the multi-session ControlPath etc options to side-step the 5-per-hour limit if larger maintenance comes to the front).
That is, I limit the connections pass-or-fail, because it matches the expected (sparse) use pattern and so also limits the ability of a compromised machine I might use as a source box from spanning into the target machine. For instance I can use a source host and then invalidate it by making a couple extra connections so if, say, I have to use an internet cafe (it's never happened, but it might) or hotel computer or whatever, I can keep a clever follower-on from using a key-logger or whatever, from just using the link agian. [granted he could use the information from a different computer etc and I have other means for dealing with that sort of thing (locking the access account after use until I can get somewhere secure and change the password; single-use passwords on some systems, etc), but in terms of a quick access and then block, this works well.]
Different access models require different tools. Being able to ssh in from just about anywhere has come up as useful. Having several useful ways of closing that door, or having it slammed shut perforce, after the valid use are also important levels in any paradigm.
Also, if you reuse the named recent table (e.g. "bad_actors" in this example) [or indeed a whole chain if it's not SSH specific if you replace "ACCEPT" with "RETURN"] in different rules you can easily catch a machine on its very first port-scan or on a single attempt to reach a service you know you don't offer (like SMB service) and drop it into the named table. This lets the co-variants of the one rule "gang up" on the bad actor from different parts of your rule set without invoking expensive external processes. For instance if you also --set an IP address as a bad_actor for sending you a SYN/FIN or a broadcast ping then that one host doesn't get to double or triple dip your security.
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
since fail2ban would ban the entire NAT(ed) other office if one actor there were to fail-out from a host in that office, it suffers from the same "short coming" as my script in general, and if you know that some particular shop somewhere is behind a nat, why wouldn't you then white-list that address anyway? e.g. using fail2ban is a good way to let one noob at (remote office) lock out everyone at (remote office). Just because it _hasn't_ happened to you yet doesn't mean that you are ready for the case when it does.
That's a real wizzer of a solution there bob...
If you don't already have white-lists (and preferably VPNs) between known good sites you are just a denial-of-service or "I can't remember my password with this hangover" event away from the theoretical firing anyway.
Again, if you don't know how to apply your tools then all solutions that you don't already think are super-duper will seem suspect. Since you don't seem to know the weaknesses of your current solution, and you improperly apply your "wisdom" as analysis of _my_ solution, you are proved doubly wrong.
Cookbook fail to you, good sir...
(P.S. I know, and point out, that the good and bad attempts are counted in the limit. There are reasons. That those reasons don't apply to your case doesn't make _me_ wrong, it makes _you_ short-sighted for assuming that what doesn't work for your case can't possibly be correct for anyone. 8-)
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
Obviously never been to Idaho. Jews are very rare, a throw away rounding digit percentage wise and Presbyterian less than 1%
In Northern Idaho few attend any church. and Southern Idaho is 35 to 90% Mormon, depending on the town.
6) Finally your output chain should just allow everything:
# Accept everything: iptables -P OUTPUT ACCEPT
Now this is just plain shitty advice.
Thanks for the four links to external articles, though. Hopefully people will use them as a starting point rather than your own rules when deciding on their firewall configuration.
Maybe one that teaches people how to do easy open/close of a given port for new connection source, based on some other network event that can be securely evaluated (like a DH exchange on some UDP port), would be good.
now we need to go OSS in diesel cars