brute force ssh attack
Jeff Kinz
jkinz at kinz.org
Thu May 5 02:23:31 UTC 2005
On Wed, May 04, 2005 at 04:01:18PM -1000, Chris Stark wrote:
> On Wednesday 04 May 2005 3:47 pm, Jeff Vian wrote:
> > On Wed, 2005-05-04 at 18:23 -0700, Daniel B. Thurman wrote:
> > > Folks,
> > >
> > > Seems that I am getting daily brute-force ssl attacks --
> > > Anything I can or should do?
> > >
> > > Here is the System Logs:
> > > =======================================
> > > May 4 01:01:50 linux sshd[10438]: Did not receive identification string from ::ffff:194.65.138.98
> > > May 4 01:04:44 linux sshd[10448]: Illegal user temp from ::ffff:194.65.138.98
> > > May 4 01:04:57 linux sshd[10448]: Failed password for illegal user temp from ::ffff:194.65.138.98 port 52888 ssh2
>
> > I set my firewall to block ssh from everywhere except the few places I
> > might use for remote access. It drastically cut down the attempts to
> > get in. I now only get hit from one or 2 IPs a day.
>
> What would you recommend for those of us who need to administer systems from
> dynamic IPs? I've got pretty tight restrictions on allowed users/groups plus
> no root logins. I haven't gotten broken into, but this sure is irritating. Is
> there more that can be done (reasonably)?
Set up a "port knocking" scheme combined with dynamic ssh port
re-assignment.
Port knocking = you must probe a certain combination of ports in a
certain order to get the IP addr. you are coming from to be permitted
to connect to the "ssh ports". This combo/order can change dynamically
based on time of day, day of week, day of month, etc.
Dynamic ssh port re-assignment = the port which ssh uses changes
dynamically based on time of day, five minute range, etc. Make sure
your watch and the ssh host are in time sync. :-)
Most of the folks attacking you are script kiddies. This will shut them
down (for now) and reduce the verbiage in your logs. This is somewhat of
a security-by-obscurity technique, except for the second reference below.
Article on LJ:
http://www.linuxjournal.com/article/6811
A strong port knock scheme based on one-time pads:
(More convenient and more secure!)
http://www.hexi-dump.org/bytes.html
Port knocking w/OS fingerprinting:
http://it.slashdot.org/it/04/08/01/0436204.shtml
--
Jeff Kinz, Emergent Research, Hudson, MA.
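The combination described in the reply (a knock sequence and an ssh port that both change with the five-minute time slot), as an added example that is not from the post or from the linked articles: a Python sketch that derives both from a shared secret and the slot number with HMAC-SHA256 (my assumption for how the sequence is made time-dependent), plus a tracker that replays firewall log events to decide which sources completed the knock in order. The secret, the port range and the event list are constructed placeholders.

```python
import hashlib
import hmac
from collections import defaultdict

SECRET = b"replace-me-shared-secret"  # constructed placeholder shared by admin and host
SLOT_SECONDS = 300                    # knock sequence and ssh port change every 5 minutes
KNOCK_LEN = 3                         # knocks required before the ssh port opens
PORT_LOW, PORT_HIGH = 20000, 60000    # range the derived ports are drawn from

def derive_ports(slot, secret=SECRET):
    """KNOCK_LEN + 1 distinct ports from HMAC-SHA256(secret, slot): the first
    KNOCK_LEN are the knock sequence, the last is that slot's ssh port."""
    digest = hmac.new(secret, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    ports, i = [], 0
    while len(ports) < KNOCK_LEN + 1:
        if 2 * i + 2 > len(digest):  # digest exhausted by collisions: extend it
            digest += hashlib.sha256(digest).digest()
        port = PORT_LOW + int.from_bytes(digest[2 * i:2 * i + 2], "big") % (PORT_HIGH - PORT_LOW)
        if port not in ports:
            ports.append(port)
        i += 1
    return ports

def admitted_sources(events):
    """events: (ts, src_ip, dst_port) tuples as a firewall log of dropped SYNs gives.
    Returns {src_ip: ssh_port} for sources that hit the whole sequence in order inside
    one slot; a wrong port starts the source over, and a slot boundary changes the sequence."""
    progress, opened = defaultdict(int), {}
    for ts, src, port in events:
        slot = ts // SLOT_SECONDS         # both clocks must agree on the slot
        ports, key = derive_ports(slot), (src, slot)  # progress is per source and per slot
        if port == ports[progress[key]]:
            progress[key] += 1
            if progress[key] == KNOCK_LEN:
                opened[src], progress[key] = ports[KNOCK_LEN], 0
        else:
            progress[key] = 0             # wrong knock: start over
    return opened

def demo():
    """Constructed events: a correct knock, a scanner probing port 22, a near miss."""
    t = 1115258400  # 2005-05-05 02:00:00 UTC; t..t+8 fall in one slot
    seq = derive_ports(t // SLOT_SECONDS)[:KNOCK_LEN]
    events = [(t, "198.51.100.7", seq[0]), (t + 1, "198.51.100.7", seq[1]),
              (t + 2, "198.51.100.7", seq[2]), (t, "203.0.113.9", 22),
              (t + 3, "203.0.113.9", seq[0]), (t + 5, "203.0.113.10", seq[0]),
              (t + 6, "203.0.113.10", seq[1]), (t + 7, "203.0.113.10", 22),
              (t + 8, "203.0.113.10", seq[2])]
    return admitted_sources(events)
```

In a real deployment the tracker would be fed by the firewall's log of dropped packets and would insert a temporary accept rule for the admitted source on that slot's ssh port.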