Home page logo
/

basics logo Security Basics mailing list archives

Re: SSH server under attack...
From: hytham.a () securityfocus com, gmail () securityfocus com, com () securityfocus com
Date: 25 Jan 2006 17:50:04 -0000

I'd have to say that a DoS against your users is highly unlikely given the type of attack that is occuring based on the 
logs you have posted; only 3 attempts per username before moving on to the next account.  Why?  Most sensible admins 
would configure MaxAuthTries in /etc/sshd_config to a value of 3, max.  This limits the attacker to a finite number 
before having to move on to the next account to attack preventing their scripts from focusing on a single account.  
IMO, what you have is a plain and simple brute force attempt that has 2 obvious goals in mind: 1) determing valid 
accounts 2) looking for weak passwords associated to those accounts.

Simply changing your sshd listening port is a very small step in securing your host when looking at it from the big 
picture.  Most would argue, and I would wholeheartedly agree, that it is security through obscurity.

Recommendations:  

1) run on a different port - slows down an attacker temporarily (as witnessed)
2) use an external authentication source - radius/rsa configured via PAM modules
3) PublicKey Authentication
4) Port Knock Sequencing authentication using IPTables (*relatively* new to the white hat community, but around for 
quite some time).
5) Possibly create a chroot jail for your users

Using some of the aforementioned recommendations will help in stopping brute force attempts from becoming a nightmarish 
reality :)

All sensible comments welcome!

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]